Summary of audit findings and related issues

Interim audit results

1. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of interim audits for the 27 entities included in this report, the key elements of internal control were assessed as operating effectively to support the preparation of financial statements free from material misstatement for 14 entities.

2. For 10 entities, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement, except for particular finding/s outlined in Chapter 3 of this report.

3. In three entities significant audit findings were identified reducing the level of confidence and assurance that could be placed on key elements of internal control. These significant audit findings mainly related to the IT control environment including IT security and change management. These entities were the Australian Taxation Office, Department of Defence and Services Australia (refer to paragraphs 1.9 to 1.15 and Chapter 3).

Interim audit findings

4. Total audit findings have increased compared with the 2022–23 interim audits. A total of 93 findings (2022–23: 76 findings) were reported to the entities included in this report at the conclusion of 2023–24 interim audits, comprising: 3 significant (2022–23: 0), 26 moderate (2022–23: 29), 64 minor (2022–23: 47). Seventy-eight per cent of audit findings reported at the 2023–24 interim phase were unresolved findings from prior audits. Entities should take action to address outstanding audit findings in a manner which is timely and commensurate with the level of risk identified (refer to paragraphs 1.127 to 1.203).

5. The ANAO’s audit findings indicate that entity IT control environments require improvement. Sixty-five per cent of all audit findings identified are related to this area (2022–23: 63 per cent). Seventy-five per cent of all findings related to the IT control environment related to IT security, including the removal of user access on termination, assignment of user access and monitoring of privileged user activities. There remains room for improvement across the sector to enhance governance processes supporting the design, implementation and operating effectiveness of IT security controls, including compliance with the Information Security Manual (refer to paragraphs to 1.141 to 1.173).

Key Management Personnel (KMP) turnover

6. From 1 July 2023 to 31 January 2024 there was a turnover of KMP in 85 per cent of entities. The average rate of turnover at these entities was 21 per cent. A higher rate of turnover of KMP could increase risks that can arise from gaps in corporate knowledge, gaps in project management or be indicative of underlying issues in the culture of an entity (refer to paragraphs 1.20 to 1.26).

Audit committee performance

7. Seventy-seven per cent of entities had undertaken a recent review of the effectiveness of their audit committee. These reviews mainly relied on self-assessments of committee performance by audit committee members which may limit their effectiveness. The majority of reviews did not address all of the considerations highlighted in guidance provided by the Department of Finance.

8. Entities could enhance the effectiveness of their review of audit committee performance by adopting a formal process of independently reviewing the performance of audit committees that more comprehensively considers the matters identified in the guidance issued by Finance (refer to paragraphs 1.27 to 1.35).

Fraud control

9. The Commonwealth Fraud Control Framework 2017 encourages entities to conduct fraud risk assessments at least every two years.All 27 entities included in this report had in place a fraud control plan. Twenty-five of the 27 entities had conducted a fraud risk assessment at the enterprise level which informed their plan (refer to paragraphs 1.43 to 1.47).

Internal audit recommendations

10. There were 4,186 internal audit recommendations made to entities included in this report during the period 1 July 2020 to 31 January 2024. At 31 January 2024 24 per cent of these findings remained open. Thirty-three per cent of entities had not established formal policies or procedures for implementing internal audit recommendations. For recommendations where a due date was assigned 69 per cent of internal audit recommendations during the period were addressed past their due date. The average delay in closing recommendations during this period was 91 days.

11. Entities could review and strengthen governance processes and oversight for implementation of internal audit recommendations to ensure that recommendations (and the associated risk identified) are addressed in a timely manner (refer to paragraphs 1.54 to 1.75).

Safeguarding data from cyber threats

12. The Protective Security Policy Framework contains the Essential Eight mitigation strategies and recommends controls intended to strengthen cyber resilience and the capacity of government to mitigate cyber threats. Seventy-seven per cent of entities did not meet all of the relevant requirements although the number of entities reporting compliance with the requirements has improved compared with 2022–23. There continues to be a risk of compromise to information relevant to the preparation of financial statements (refer to paragraphs 1.76 to 1.93).

Safeguarding personal information

13. Twenty-two of the 27 entities included in this report indicated that that they collected personal information and complied with requirements of the Privacy Act 1988 and the Australian Privacy Principles (APPs). Forty-one per cent of entities had not assessed their compliance with privacy requirements under the APPs. From July to December 2023 the Australian Government was included in the ‘top 5’ sectors reporting notifiable data breaches to the Australian Information Commissioner. It is important that entities have appropriate governance measures and controls in place supported by clear policies, procedures and practices that comply with the requirements of the principles (refer to paragraphs 1.94 to 1.104).

Delivery of computer software projects

14. At 31 January 2024 there were 717 distinct software projects underway at entities included in this report, which had a total budget (including capital and operating expenses) of $10.9 billion.

15. Twenty-five of the 27 entities had established a project management framework or policy. All entities had assigned responsibility for monitoring software projects to an executive or other committee embedded in the entity’s organisational structure. Thirteen entities did not provide reports to their audit committees on software projects. All entities has adopted one or more of the eight project assurance processes advised by the Digital Transformation Agency (DTA). One assurance process, internal audit, was adopted by the majority of entities.

16. The significance of the total value of projects under development, and the level of write offs of computer software over the period 2018–19 to 2022–23 create opportunities for entities to consider the effectiveness of governance of delivery of software projects. These include: increasing the oversight from entity audit committees and adopting a broader use of assurance arrangements recommended by the DTA (refer to paragraphs 1.105 to 1.126).

Reporting and auditing frameworks

Summary of developments

17. The development of a climate-related reporting framework and assurance regime in Australia is progressing. The ANAO is working with the Department of Finance (Finance) to establish an assurance regime for the Commonwealth Climate Disclosure (CCD) reform (refer to paragraphs 2.6 to 2.19).

18. Emerging technologies (including artificial intelligence) are increasingly being explored by entities for application in their operations and delivery of services. The ANAO intends to build consideration of risks relating to the use of emerging technologies into audit planning processes to provide Parliament with assurance regarding the efficient, effective, economical and ethical use of emerging technologies (refer to paragraphs 2.20 to 2.27).

Other matters

Completion of outstanding 2022–23 audits

19. The audits of the 2022–23 financial statements for the Bundanon Trust, Royal Australian Navy Central Canteens Board and Wreck Bay Aboriginal Community Council were delayed due to weaknesses in the financial statements preparation process or other internal controls at these entities. These audits have finalised by the ANAO (refer to Chapter 4).

Cost of this report

20. The cost to the ANAO of producing this report is approximately $320,000.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO’s strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage by way of financial statements, performance and performance statements audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of entities and the Australian Government’s Consolidated Financial Statements (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Australian Government entities.

1.3 This report focuses on the results of the interim audits of 27 entities including an assessment of key internal controls supporting the 2023–24 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows us to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing.

1.4 During the final phase of the 2023–24 financial statements audit, the ANAO completes testing over the operating effectiveness of those controls we intend to rely upon, and controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.5 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Chapter 3.

1.6 The ANAO conducts its financial statements audits in four phases: planning; interim; final; and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.7 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.8 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect that the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in Chapter 3 for each entity included in this report.

1.9 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.¹ Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.10 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.11 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final audit phase. Figure 1.2 outlines these elements of internal control.

Figure 1.2: Elements of entity internal controls

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraphs 21–26.

1.12 This chapter discusses each of these elements and outlines observations and findings based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits. An effective internal control framework provides a level of assurance that entities are able to prepare financial statements that are free from material misstatement.

What is the ANAO’s assessment of the effectiveness of internal controls supporting financial reporting at these entities?

Assessment of entities’ internal control environment supporting the preparation of financial statements

1.13 Table 1.1 details the assessment of the effectiveness of the elements of internal control at the conclusion of the interim audit for the entities included in this report. Further information on the results of interim audits at each entity is available in Chapter 3.

Table 1.1: Assessment of the effectiveness of the elements of internal control

Source: ANAO analysis.

1.14 At the completion of the 2023–24 interim audits at the 27 entities, the ANAO reported:

• three entities where deficiencies identified by the ANAO reduced the level of confidence in key elements of internal control that support the preparation of financial statements that are free from material misstatement due to the identification of significant audit findings. These entities were the Australian Taxation Office, Department of Defence and Services Australia;
• ten entities where, except for particular finding/s outlined in this chapter, key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free from material misstatement. These entities are the Departments of: Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Foreign Affairs and Trade; Health and Aged Care; Infrastructure, Transport, Regional Development, Communications and the Arts; the Prime Minister and Cabinet; Social Services; and Veterans’ Affairs, the National Disability Insurance Agency; and
• fourteen entities where key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free from material misstatement.

1.15 The key elements of internal control for the full financial year will be assessed in conjunction with additional audit testing during 2023–24 final audits. As a result of the audit findings identified, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

Control environment

1.16 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

(a) an appropriate system of risk oversight and management for the entity; and

(b) an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with finance law.^{2, 3}

1.17 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels in an entity understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments.

1.19 During 2023–24 the ANAO has focused on:

• risks arising from the turnover of key management personnel;
• establishment and performance of entity audit committees; and
• assignment and monitoring of responsibilities.

Turnover of key management personnel

1.20 ASA 315 requires that an auditor consider how an entity attracts, retains and develops competent individuals in alignment with its objectives, in order to form a view on the effectiveness of internal control. This includes considering the skills and experience of personnel responsible for leading and governing an entity, including those personnel who are Key Management Personnel (KMP).

1.21 A higher rate of turnover of KMP could increase risks that can arise from gaps in corporate knowledge or management of projects or be indicative of underlying issues in culture or performance of an entity.

1.22 KMP is a concept described in AASB 124 Related Party Disclosures. KMP are those persons having authority and responsibility for planning, directing and controlling the activities of the entity, directly or indirectly, including any director (whether executive or otherwise) of that entity. These individuals generally comprise senior executive management of an entity, and where in place, members of the board of directors. At 30 June 2023, there was an average of nine KMP positions per entity. This average comprised:

• non-corporate entities – 8 positions (with a range of one to 23 positions);
• corporate entities – 16 positions (with a range of eight to 20 positions); and
• companies – 14 positions.

1.23 A consideration in forming an assessment of the level competence, skills and experience of management is to also consider the turnover of personnel during the period. The ANAO analysed the turnover of KMP for the 27 entities included in this report for the period 1 July 2023 to 31 January 2024 and identified that:

• there were changes in KMP in 23 entities (85 per cent of entities);
• the average turnover rate of KMP at entities with turnover was 21 per cent; and
• the range of KMP positions per entity which had turned over was between 1 to 7 individuals.

1.24 Figure 1.3 demonstrates the range of turnover in KMP across entities where there were changes during the period 1 July 2023 to 31 January 2024.

Figure 1.3: Range of turnover of KMP from 1 July 2023 to 31 January 2024

Source: ANAO analysis.

1.25 The ANAO has analysed the changes in selected roles that support financial management and the system of internal control within entities: Chief Executive Officer (CEO) or accountable authority, Chief Financial Officer (CFO) and Chief Information Officer (CIO). The ANAO identified that in the period from 1 July 2023 to 31 January 2024 there were:

• eight newly appointed CEOs or accountable authorities (including board chairs). This represents 30 per cent of entities;
• six newly appointed CFOs. This represents 22 per cent of entities; and
• seven newly appointed CIOs. This represents 26 per cent of entities.

1.26 For the Department of Veterans’ Affairs there was a change in the accountable authority, CFO and CIO during the period.

Audit committees

1.27 The Department of Finance’s (Finance) Resource Management Guide (RMG) relating to audit committees, describe a committee’s role as supporting good governance of entities.⁴ The PGPA Act and Rule prescribe requirements for establishment, membership and functions of these committees. The ANAO’s analysis confirms that for all entities in this report:

• have established audit committees that meet the minimum requirements for audit committees as outlined in PGPA Rule section 17⁵ or 28⁶;
• committees consist of a majority of members which were assessed by the entity to be independent;
• all committee chairs were independent members; and
• an audit committee charter, that is consistent with their obligations under subsection 17(2) of the PGPA Rule, is in place.

1.28 The assessment of the performance of an entity’s audit committee is not mandated. Finance’s RMGs indicates that ‘it is good practice for an accountable authority to regularly review the audit committee’s performance and assess its conduct and deliverables against the committee charter’⁷. The RMG also indicates that in addition to an assessment by the accountable authority, ‘a well-functioning audit committee would regularly assess its own performance, with the findings reported to the accountable authority’.⁸

1.29 The ANAO has analysed whether the accountable authority of entities included in this report have conducted a review of audit committee performance and the extent of matters considered in the review. Seventy-seven per cent of entities advised the ANAO that the accountable authority had conducted a review. These reviews were delivered by:

• a self-assessment, such as a survey or questionnaire, being completed by the members of the committee, with the results shared with the accountable authority; or
• a review conducted by the accountable authority.

1.30 Of the entities which conducted a review, less than half (48 per cent) documented the outcomes of the accountable authority’s review in writing.

1.31 The RMG indicates that a self-assessment of performance by audit committee members would be an additional step to any process for an accountable authority to form a view on performance. Reliance on self-assessments by accountable authorities in forming a view on performance of audit committees may limit the objectivity and effectiveness of the review.

1.32 Finance’s RMG does not prescribe the interval at which assessments should be performed, but does indicate that this should be ‘regularly’ performed. Of the entities which completed reviews, 48 per cent were last completed during 2023–24; 43 per cent in 2022–23 and 9 per cent in 2021–22.

1.33 The RMG indicates that the following matters could be considered by accountable authorities in conducting a review:

• agreeing on criteria to be applied when assessing performance and including them in committee charters;
• effectiveness of advice provided to the accountable authority;
• assessing the performance of individual members;
• clarifying the process for implementing action plans; and
• reviewing the committees actions, including communication with the accountable authority and other stakeholders, preparedness and timeliness of the committee work plan and documentation of deliberations.⁹

1.34 Figure 1.4 demonstrates the range of matters considered by entities when undertaking these reviews. The majority of entities did not include all of the matters suggested in the RMG.

Figure 1.4: Matters considered in reviews of audit committee effectiveness

Source: ANAO analysis.

Assignment and monitoring of responsibilities

1.36 All 27 entities included in this report have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at the strategic and operational levels.¹⁰

1.37 Financial and budgetary performance was included on the agendas of 25 entities’ executive committees. For the Departments of: Climate Change, Energy, the Environment and Water; and Home Affairs, the Chief Finance Officer provided monthly financial reports to the Secretary and other senior executives. The financial information provided to the entities’ executives was supplemented by non-financial operational information for all entities.

1.38 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. It is also important to ensure that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Risk assessment processes

1.39 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities regarding the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.40 In forming a view on the effectiveness of entity control environments, the ANAO has focused on:

• risk management processes; and
• fraud control arrangements.

Risk management

1.41 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise.

1.42 The monitoring of risks, and the entities’ implementation of risk management strategies, was typically assigned to either an executive committee and/or the audit committee.

Fraud control arrangements

1.43 Section 10 of the PGPA Rule details the minimum standards for accountable authorities of Commonwealth entities for managing the risk and incidence of fraud. The accountable authority of an entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity. This includes conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity.¹¹ The Commonwealth Fraud Control Framework 2017, encourages entities to conduct fraud risk assessments at least every two years and entities responsible for activities with a high fraud risk may assess risk more frequently. ¹²

1.44 The ANAO analysed the extent to which the guidance and requirements of the Commonwealth Fraud Control Framework 2017 has been implemented by entities included in this report and¹³ identified that:

• all entities have developed and implemented a fraud control plan to prevent and detect fraud; and
• twenty-five entities have a fraud risk assessment at the entity level. For two entities (Department of Finance and Snowy Hydro Limited) fraud risk assessments have been undertaken at the activity level.

1.45 On 1 July 2024 the Commonwealth Fraud and Corruption Control Framework¹⁴ will come into effect. In addition to the existing requirements of the 2017 framework, the new framework requires that:

• accountable authorities also take steps to prevent, detect and deal with corrupt conduct, in addition to fraud;
• entities have in place governance structures and processes to oversee and manage risks of fraud and corruption;
• entities have in place officials who are responsible for managing risks of fraud and corruption; and
• entities must periodically review the effectiveness of their fraud and corruption controls.

1.46 Entities should plan and have in place a process to update their existing fraud control plans and risk assessments to take account of the requirements around corruption. It is important that these plans and risk assessments are reviewed and updated by the date of implementation to ensure compliance with the requirements of the framework and to prevent, detect and deal with fraud and corruption.

1.47 To assist entities with the implementation of the Framework, the Attorney-General’s Department’s Commonwealth Fraud Prevention Centre has:

• published a range of guidance for entities on key aspects of the Framework;
• developed a roadmap for entities to demonstrate a step by step approach to implementing the framework; and
• conducted webinars and direct training for entities about the new framework. The Centre offers Counter Fraud Practitioner Training Program for officials engaged in fraud and corruption control.¹⁵

Monitoring of controls

1.48 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities’ application to the preparation of the financial statements. All entities included in this report have an ongoing process for monitoring and evaluating internal controls.

1.49 During 2023–24 the ANAO has focused on the effectiveness of entities in addressing internal audit recommendations. Further information relating to these findings is available in paragraphs 1.54 to 1.75.

Information systems and communication

1.50 The information systems relevant to the preparation of the financial statements consists of activities and policies, and accounting and supporting records, designed and established to initiate, record and process entity transactions (as well as to capture, process and disclose information about events and conditions other than transactions).

1.51 Sixty audit findings have been reported to entities during 2023–24 interim audits relating to the IT control environment, accounting for 65 per cent of audit findings identified by the ANAO during 2023–24 audits. The most common findings identified related to weaknesses in: IT security (primarily removal of user access and management of privileged user access) and change management. Further information relating to these findings is available in paragraphs 1.139 to 1.168.

Control activities

1.52 The control activities component of an entities’ system of internal control are primarily direct controls which are designed to prevent, detect or correct misstatements.¹⁶ Auditors are required to evaluate the design of the controls and determine whether the controls have been implemented. Controls include authorisations and approvals, reconciliations, verifications (such as edit and validation checks or automated calculations), segregation of duties, and physical or logical controls, including those addressing safeguarding of assets.

1.53 Where the ANAO identifies one or more control deficiencies, the ANAO assesses whether, individually or in combination, the deficiencies constitute a significant deficiency and reports these to accountable authorities as audit findings. The ANAO applies professional judgement in determining whether a deficiency represents a significant control deficiency. Information relating to the audit findings identified by the ANAO during 2022–23 is available at paragraphs 1.127 to 1.203.

Do entities have robust processes for implementing internal audit recommendations?

1.54 The Institute of Internal Auditors (IIA) defines an internal audit function as being:

A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.¹⁷

1.55 An appropriately designed and resourced internal audit can assist the accountable authority of an entity to obtain assurance over the design, implementation and operating effectiveness of the system of risk management and internal control within an entity. All entities included in this report had an internal audit function in place during 2023–24.

1.56 Auditor-General Report No. 9 2023–24 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023 focused on the effectiveness and role of internal audit functions within entities, including an analysis of the establishment, design, independence and coverage provided by internal audit across the sector. As a result of this analysis the ANAO identified that there was an opportunity for the Australian Government to consider whether additional guidance relating to the implementation and delivery of internal audit would be beneficial to enhance the Australian Government’s system of internal control.

1.57 In a continuation of this analysis during 2023–24 interim audits the ANAO has analysed the design and implementation of processes with entities relating to internal audit recommendations. The ANAO’s analysis has been undertaken with reference to the standards issued by the IIA¹⁸, best practice and guidance issued by other regulators and bodies within Australia. The IIA standards require that an entity’s chief audit executive must communicate the results of internal audit to appropriate parties within an entity to take appropriate action. These communications must include the scope and objective of the engagement, an overall conclusion, recommendations and action plans.¹⁹

1.58 The standards issued by the IIA are not mandated for application by entities. The purpose of the IIA standards is to establish principles and practices for internal audit, and a framework within which it can be performed.

1.59 The IIA released the Global Internal Audit Standards in January 2024. These 2024 Standards become effective in January 2025. The main changes in the 2024 Standards are:

• strengthening governance frameworks to improve responsiveness to rapidly changing business environments;
• guidance to assist internal auditors in the public sector and for small internal audit functions; and
• specific guidance and standards on critical areas like cybersecurity and environment, sustainability and governance domains.^20,21

Framework for implementing internal audit recommendations

1.60 The IIA standards require that an entity establish and maintain a system to monitor the disposition of results communicated to management, which includes implementing a process to monitor and ensure that recommendations have been effectively implemented or that management has accepted the risks of not taking action.²²

Policies and procedures

1.61 The ANAO has assessed entity conformance with this standard through inspection of policies and procedures established by entities. Seventy-seven per cent of entities had established a policy for the monitoring, tracking and resolution of internal audit recommendations. Where a policy was in place, the ANAO reviewed to understand the detail and scope of the policy.

• Thirty-three per cent of entities had developed a separate, comprehensive policy or process that details how internal audit recommendations are tracked and resolved. This included assignment of responsibility for monitoring of internal auditing recommendations and the process that would be undertaken to verify actions taken were implemented.
• Thirty-three per cent of entities had a policy and process established that was referenced in internal audit charters. These policies were briefer in nature and specified higher level requirements.

1.62 Thirteen per cent of entities policies did not establish policies or instructions with the timeframe for implementation of internal audit recommendations.

1.63 Thirty-three per cent of entities did not have a documented policy or procedure on how internal audit recommendations are tracked and resolved. Entities could improve the governance supporting the implementation of internal audit recommendations by establishing formal policies that detail an entity’s process for the closure of internal audit recommendations, that detail:

• the responsibility of management and the internal audit function for closure of these recommendations;
• the requirements for monitoring of internal audit recommendations and their timely resolution.

Audit committee involvement

1.64 The Department of Finance’s (Finance) Resource Management Guides (RMG) relating to audit committees describe the importance of internal audit, particularly: ‘the relationship between the audit committee and the managers of the internal audit function is central to enabling the audit committee to meet its responsibilities’.²³ Finance outlines that an audit committee should:

• have input into the internal audit work plan; and
• have access to internal audit reports in order to inform its advice to the accountable authority.²⁴

1.65 For each entity included in this report, the audit committee had an oversight role in relation to the implementation of internal audit recommendations with regular updates on recommendations being provided to the committee.

Closure of internal audit recommendations

1.66 The IIA standards require that an entity implement processes to ensure that recommendations are implemented effectively.²⁵ The ANAO analysed the process established by entities to agree to the closure of audit recommendations. All entities required that evidence to support the closure of the recommendation (that an action had been taken) was provided by the internal audit function.

1.67 Figure 1.5 provides an overview of the authority for acceptance of closure of internal audit recommendations in entities. The majority of entities had assigned responsibility for the review of the actions taken for closure of internal audit recommendations to their audit committee (informed by advice from the chief audit executive).

Figure 1.5: Assignment of responsibility to consider closed internal audit recommendations

Source: ANAO analysis.

Audit recommendations

1.68 The ANAO obtained copies of internal audit recommendations registers or monitoring documents used by entities to monitor internal audit recommendation status in order to analyse the number and timeliness of implementation of internal audit recommendations for the period 1 July 2020 to 31 January 2024. This analysis includes audit recommendations that were identified in internal audits that were conducted during the period, as well as recommendations that were unresolved relating to earlier periods.

1.69 There were 4,186 internal audit recommendations made to these entities during the period 1 July 2020 to 31 January 2024 (from 1,469 internal audits). At 31 January 2024, 24 per cent of these recommendations remained open.

1.70 Where entities agreed a due date for recommendations, 69 per cent of audit recommendations during this period were resolved after the initially agreed due date. Figure 1.6 provides an overview of the range of time taken to resolve internal audit recommendations with agreed due dates compared to the initially agreed due date.

Figure 1.6: Cumulative closure of internal audit recommendations with an agreed due date for the period 1 July 2020 to 31 January 2024

Source: ANAO analysis of entity recommendation closure (where due dates were agreed).

1.71 Figure 1.7 details the trend in the closure of audit recommendations in the period 2020–21 to 2023–24.

Figure 1.7: Trends in timeliness of audit recommendation closure where due dates were agreed 2020–21 to 2023–24

Source: ANAO analysis of entity recommendation closure (where due dates were set).

1.72 There was a decrease in audit recommendations being resolved on or before the due date from 2020–21 to 2023–24 (from 36 to 22 per cent). The average delay between the planned closure date and actual closure date during this period was 91 days, with a range of 1 to 1,538 days.

1.73 There are 11 entities where, on average, the time taken to resolve internal audit recommendations is greater than three months past the original agreed due date. These entities are the Attorney-General’s Department, Department’s of: Agriculture, Fisheries and Forestry; Defence; Foreign Affairs and Trade; Health and Aged Care; Home Affairs; Infrastructure, Transport, Regional Development, Communications and the Arts; the Treasury; and Veterans’ Affairs, the National Indigenous Australians Agency and Services Australia.

1.74 Internal audit recommendations provide advice to the accountable authority and management to strengthen an entity’s system of internal control. Internal audit recommendations which are not resolved within agreed timeframes could contribute to increases in business or other risks.

How are entities safeguarding data from cyber security threats?

1.76 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities (NCE) to consider and implement the Australian Signals Directorate’s (ASD’s) Essential Eight mitigation strategies (Essential Eight). ²⁶ The initial requirements were defined in 2013 and are specified in PSPF Policy 10, “Safeguarding data from cyber threats” (Policy 10).²⁷ The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.²⁸

1.77 Policy 10 requires each NCE to:

• implement the following ASD Strategies to Mitigate Cyber Security Incidents:²⁹
  • application control ³⁰;
  • patching applications ³¹;
  • configure Microsoft Office macro settings ³²;
  • user application hardening ³³;
  • restricting administrative privileges ³⁴;
  • multi-factor authentication ³⁵; and
  • regular backups.³⁶
• consider which of the remaining mitigation Strategies from the Strategies to Mitigate Cyber Security Incidents³⁷ need to be implemented to protect the entity.³⁸

1.78 Since 2013, the ANAO has conducted a series of performance audits focussed on assessing entities’ implementation of the PSPF cyber security requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cyber security requirements and concerns in annual self-assessments by entities. The ANAO has previously reported concern that there is no evidence that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks.

1.79 In 2023–24, the ANAO reviewed and analysed the 2022–23 Policy 10 annual self-assessments prepared by entities. The ANAO’s analysis focused on the protection of information relevant to the preparation of financial statements, specifically the Financial Management Information System (FMIS) and Human Resource Management Information Systems (HRMIS). Twenty-two of the 27 entities included in this report are required to report their compliance annually against the Policy 10 requirements.³⁹ The review was undertaken to assess the evidence supporting the self-assessment and reporting, and to identify cyber security risks that may impact on the preparation of financial statements. The review was based on the March 2022 Policy 10 requirements as these are the requirements that entities were required to implement for the majority of the 2022–23 reporting period.⁴⁰ The review consisted of analysis of policy and procedural documentation, testing of some Essential Eight mitigation strategies specific to the FMIS and HRMIS, review of results of security assessments and meetings with entity personnel.

1.80 Figure 1.8 shows ANAO’s analysis of the entities’ reported compliance with the PSPF Policy 10 requirements between 2020–21 and 2023–24. The Essential Eight mitigation strategies were mandatory from 1 July 2022 (the 2022–23 reporting period).

Figure 1.8: Reported compliance with the PSPF Policy 10 Requirements for the period 2021–22 to 2023–24

Source: ANAO data.

1.81 A higher number of entities reported improvements in Essential Eight maturity levels across the Essential Eight mitigation strategies when compared to 2022–23. Five entities met all Policy 10 requirements (23 per cent). The remaining entities were still progressing their development of the Essential Eight mitigation strategies.

1.82 Five of the 22 entities reported lower maturity levels since last year’s assessment. One entity reported that an external review of it’s self-assessment had required it to re-adjust it’s reported maturity level. Nine of the 22 entities reviewed engaged third parties to assist with their assessments and implementation of security controls. Most entities were still planning on achieving a ‘managing’ maturity level for Policy 10 with some entities reporting on the complexity of changes required.

1.83 The ANAO found that the reported maturity levels for some entities were still below the Policy 10 requirements. Of the 22 entities assessed, five (23 per cent) had self-assessed as achieving a Managing maturity level for Policy 10. Only two of the five entities were able to demonstrate evidence to support their self-assessments as required by the PSPF.

1.84 There were improvements this year when compared to 2022–23 across ‘Patching Applications’, ‘Multi-factor Authentication’, ‘Macro Settings’ and ‘User Application Hardening’.

1.85 Whilst there was improvement this year when compared to 2022–23, ‘Restricting Administrative Privileges’ was still reported by entities to be difficult as ICT systems continue to require unique identification, authentication and authorisation. Entities continue to differ in their maturity of addressing the associated risks. Some entities reported the implementation of a single-identity solution to ensure that administration controls would be consistently applied. Entities reported that investments in cyber security uplift programs would be needed to continue to assist in meeting requirements of Policy 10.

1.86 Ten of the 22 entities reviewed had reported achieving the ‘Macro Settings’ requirements, an improvement when compared to 2022–23. Of the ten entities that had reported achieving the requirements, three entities reported that these requirements were still being integrated into business practices. The remaining entities reported not achieving the requirements advised that this is being addressed through educating staff; migrating users to updated desktops; and investing in cyber security uplift programs.

1.87 The PSPF requires entities to identify and protect people, information and assets that are critical to the ongoing operation of their core business.⁴¹ Most entities advised the ANAO that they did not view the FMIS and HRMIS applications and financial information as separate critical assets to their computer networks. Those entities reported that their self-assessment was conducted at a system or environment level and did not assess the controls required to minimise cyber risks to their FMIS or HRMIS applications.

1.88 The majority of entities reviewed had advised the ANAO that they had information asset registers that identified critical and high-priority systems and information. One entity specified that the FMIS and HRMIS were assessed as high priority. Entities that had not implemented an information asset register used their disaster recovery plans as the basis for prioritising systems and information. Entities use these mechanisms along with broader business impact level assessments, IT investment priorities and operational requirements to help determine investment in cyber security.

1.89 The ANAO found that the number of assessed entities that reported a Maturity Level 1 or Maturity Level 2 rating had improved since the previous assessment. Compared to 2022–23, the number of entities that had reported as meeting the required Policy 10 Maturity Level 3 from 14 per cent to 23 per cent.

1.90 The PSPF cyber security requirements have been in place since 2013, with the March 2022 update requiring implementation of the Essential Eight mitigation strategies at Maturity Level Two. Since July 2022, the ASD’s Essential Eight Assessment Course has provided technical advice and assistance to entities who have been struggling to implement and maintain strong cyber security controls due to changing requirements.

1.91 Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time. The work undertaken as part of this review indicates some improvements, but the trend of non-compliance continues.

1.92 Recommendations to strengthen arrangements for verifying self-assessment results and accountability for the implementation of mandatory cyber security requirements have been made by the Joint Committee of Public Accounts and Audit (JCPAA) and the ANAO in the following reports:

• JCPAA Report 485 Cyber Resilience (2020)⁴²;
• JCPAA Report 497 Inquiry into Commonwealth Financial Statements 2021–22⁴³;
• Auditor-General Report No. 53 2017–18 Cyber Resilience44;
• Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities⁴⁵; and
• Auditor-General Report No. 9 2022–23 Management of Cyber Security Supply Chain Risks⁴⁶.

1.93 Entities’ compliance with PSPF cyber security requirements across each of the Essential Eight mitigation strategies has improved when compared to 2022–23. Entities reported that these improvements were achieved through the establishment of taskforces, cyber investment and uplift programs as well as the commissioning of independent reviews. In addition, some entities have recently moved towards adopting a secure-by-design approach. There continues to be a risk of compromise to information relevant to the preparation of financial statements.

How are entities managing personal information?

1.94 The Privacy Act 1988 defines ‘personal information’ as ‘information, or an opinion, about an identified individual, or an individual who is reasonably identifiable’.⁴⁷Entities⁴⁸ who are subject to the provisions of the Privacy Act⁴⁹ are required to manage the personal information they hold by complying with the Australian Privacy Principles⁵⁰ (APPs) and any other relevant legislation or framework that imposes obligations in relation to personal information security. The APPs are principles-based, technology neutral and form the key privacy protection framework in the Privacy Act 1988.

1.95 The APPs require that entities must manage personal information in an open and transparent way through a ‘privacy by design’ approach and secure personal information throughout all stages of the personal information lifecycle.⁵¹ The stages of the personal information lifecycle are as follows: ⁵²

• Part 1 – Consideration of personal information privacy (APPs 1 and 2);
• Part 2 – Collection of personal information (APPs 3, 4 and 5);
• Part 3 – Dealing with personal information (APPs 6, 7, 8 and 9);
• Part 4 – Integrity of personal information (APPs 10 and 11); and
• Part 5 – Access to, and correction of, personal information (APPs 12 and 13).

1.96 The collection and use of personal information is part of most citizen-centred delivery of public services by the Australian Government entities, including in the administration of the taxation and social security programs.

1.97 In the reporting period from July to December 2023 the Australian Government was included in the ‘top 5’ sectors reporting notifiable data breaches to the Office of the Australian Information Commissioner.⁵³ Compliance with the Privacy Act and APPs to build trust, transparency and accountability in the use and security of personal information is an important consideration for entities.

1.98 The ANAO has analysed, for the entities included in this report, how they manage personal information. The ANAO obtained information used in this analysis through a survey of each entity. Twenty-two of the 27 entities included in this report indicated that that they collected personal information for the purposes of delivering public services.

1.99 Figure 1.9 outlines the ANAO’s analysis of how the 22 entities implemented the requirements of the APPs. Eighty-six per cent of these entities had conducted a privacy impact assessment as part of recognising the risks associated with the collection and storage of personal information.

Figure 1.9: Proportion of entities who reported implementing the requirements of the APPs

Source: ANAO analysis.

1.100 Seventy-seven per cent of these entities (17 entities) recognised risks associated with security of personal information or privacy obligations in their entity risk registers.

1.101 A data governance framework is a written document that defines the context for governing data within an entity.⁵⁴ For those entities which hold personal information, a framework would typically outline the approach for the collection, organisation, storage and use of personal information including any guidance on how the entity maintains or corrects the personal information. Eighty-two per cent of entities reported implementing a data governance framework.⁵⁵

1.102 Fifty-nine per cent (12 entities) advised the ANAO that they had implemented a centralised data register. The 10 entities that had not implemented a centralised data register advised the ANAO this was due to resource constraints or the process for development of a register was not yet complete, but underway.

• Of the entities that reported implementing a centralised data register, the centralised data register included details about the type of dataset, which contains personal information; a data owner; a data steward; data format; and any other information relevant to the effective management of an entity’s datasets.
• Two entities identified critical information assets and systems in their centralised data register.

1.103 Four entities advised the ANAO that they had reported data breaches to the Office of the Australian Information Commissioner. Two of the four entities reported multiple breaches. These entities have advised the ANAO that they were gaining assurance over the risks associated with data breaches by continuing to review and enhance monitoring controls.

1.104 Entities surveyed for this report indicated that they had implemented the requirements of the APPs, however there continues to be data breaches of personal information caused by malicious action, human error or negligence, or a failure in information handling or security systems. It is important that entities have implemented effective governance measures and controls in place supported by clear policies, procedures and practices that comply with the requirements of the APPs.

How are entities managing the delivery of software projects?

1.105 The Australian Government’s intangible assets comprise mainly internally developed or purchased computer software. As reported in the Australian Government’s Consolidated Financial Statements at 30 June 2023, the gross book value of computer software recognised by the Australian Government totalled $22.1 billion. Figure 1.10 provides an overview of the balance of computer software as reported in the CFS from 2018–19 to 2022–23.

Figure 1.10: Balance of Australian Government computer software for the period 2018–19 to 2022–23

Source: ANAO analysis of the 2018–19 to 2022–23 CFS.

1.106 Computer software developed by Commonwealth entities and Commonwealth companies is often unique to the Australian Government and related to the regulatory or public services delivered by those entities, for example, social security benefits, health benefits, trade facilitation and taxation administration. In Auditor-General Report No. 9 of 2023–24 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023, the ANAO analysed the increase in the write-downs and impairment of computer software which over the five year period from 2018–19 to 2022–23 totalled $789.1 million. Figure 1.11 shows the total write downs per year during this period ranged between $53.7 million and $352.0 million per year.

Figure 1.11: Balance of the Australian Government’s expenses for write downs of computer software 2018–19 to 2022–23

Source: ANAO analysis of the 2018–19 to 2022–23 CFS.

1.107 Given the value of the Australian Government’s investment in (and write downs of) computer software during this period, the ANAO has further analysed how entities are managing the delivery of software projects by considering:

• implementation of framework, policy, governance and assurance structures for management of software projects:
  • project management framework or policy;
  • committee oversight;
  • assurance arrangements; and
• total number of distinct software projects in entities, as at 31 January 2024 including value and total budget (including capital and operating expenses). The ANAO sought from each of the 27 entities information related to the development or implementation of software (through internal development or procurement processes) that is being managed as a project.⁵⁶

Framework, policy, governance and assurance structures for management of software projects

Project management frameworks and policies

1.108 The implementation of a formal project management framework or policy supports the management of software projects, timely delivery, management of risk, and provides consistency across the different projects which may be delivered by an entity. For the entities included in this report, the ANAO identified:

• twenty-five entities had a documented project management framework or policy; and
• two entities did not have a documented project management framework or policy in place. These entities were the Australian Office of Financial Management and Department of Industry, Science and Resources.

1.109 Given the scale of investment in computer software across the sector, these entities could enhance their system of internal control through the implementation of a formal framework or policy for the delivery of software projects.

1.110 The establishment of a project management office may also provide oversight and governance support for the delivery of projects within an entity. Of the 27 entities:

• twenty-three entities had established a project management office and embedded this in their governance framework.
• four entities had not established a project management office. These entities were Departments of: Climate Change, Energy, the Environment and Water; Industry, Science and Resources; Veterans’ Affairs and the Australian Office of Financial Management.

Committee oversight of software projects

1.111 The oversight of the delivery of software projects is generally assigned to a committee established within an entity’s organisational structure. These committees are generally chartered to provide oversight of the risks and delivery of software projects, in addition to their other responsibilities. These committees are generally comprised of a mix of senior executives from within each entity. Figure 1.12 outlines which committee has been charged with oversight of the delivery of software projects.

Figure 1.12: Committees responsible for the governance and oversight of software projects

Source: ANAO analysis of entity provided information.

1.112 Twenty-six entities had appointed a member of the entity’s finance division to the committee which oversighted software projects.⁵⁷ Embedding a representative of an entity’s finance division on these committees could support enhanced monitoring or early identification of financial or administrative risks.

1.113 Fifty-two per cent of entities (14 entities) provided regular reports on software projects to their audit committee. Regular standing reports on the delivery of software projects to an entity’s audit committee could enable further assurance and advice to accountable authorities relating to the effectiveness of entity project management controls and risks arising from software projects.

Assurance arrangements on software projects

1.114 The DTA has released the Assurance Framework for Digital and ICT Investments.⁵⁸ The Framework relates to digital or ICT investment which uses technology as the primary lever for achieving expected outcomes and benefits. This can include software projects. The Framework is:

• mandatory for NCEs, where an agency has a digital or ICT investment that the DTA deems meets the definition of in scope investments;
• mandatory for Corporate Commonwealth entities when determined by the Minister responsible for the DTA; and
• provides a source of information and guidance for which other entities are encouraged to follow to the extent it is relevant to an entity’s circumstances.^59,60

1.115 The Framework includes five key principles to be applied when planning for and delivering assurance: plan for assurance; drive good decisions; expert-led and independent; culture and tone at the top; and focus on risks and outcomes.

1.116 The Framework describes assurance as ‘independent and objective assessments and evaluations undertaken by people and entities separate to the delivery team and senior responsible officer to support decision making’.⁶¹ The Framework describes eight commonly accepted examples of assurance activities that can be applied by entities.

• Internal audit.
• Targeted review – a review of key areas of risk or an area critical to successful delivery by a specialist independent external team.
• Independent board member – an independent, experienced board member who helps the board keep the investment on track.
• Go-Live assessment – an independent review to provide additional confidence prior to a go-live decision being made.
• Gateway assurance – commissioned by the Government for high-risk and high-value investments.
• Integrated assurance – an independent assurance team which has an ongoing presence within the investment to provide confidence in delivery.
• Senior Responsible Officer Adviser – an independent advisor to the SRO with experience in similar investments.
• Health check – an independent, lightweight assessment of how the investment is tracking against its benefits by an external specialist assurer.

1.117 Although the Framework is not mandatory for all entities in this report it does provide a source of guidance on potential assurance mechanisms entities could adopt to support project delivery. All entities included in this report adopted at least one or more of the eight examples of project assurance activities identified by the DTA as likely to meet its definition of assurance for digital investments. Figure 1.13 provides an overview of the level of adoption of these examples of assurance activities.

Figure 1.13: Assurance activities in place at entities for software project delivery

Source: ANAO analysis of entity provided information.

1.118 As identified in Figure 1.13 the majority of entities adopted the use of internal audit to provide assurance over software projects. The majority of entities did not adopt the seven other examples of assurance activities identified by the DTA.

Software projects being delivered by entities

1.120 The ANAO obtained information on the number and value of software projects that were being delivered by 25 of the entities included in this report as at 31 January 2024⁶². The ANAO sought from each of the 27 entities information related to the development or implementation of software (through internal development or procurement processes) that is being managed as a project.⁶³

Total number of software projects being delivered at 31 January 2024

1.121 At 31 January 2024, 25 of the 27 entities were delivering 717 distinct projects. This ranged between one to 132 projects per entity. Figure 1.14 provides an illustration of the entities which comprise five per cent or more of the total number of software projects being delivered. Six entities accounted for 61 per cent of the total number of projects being delivered. These entities are: the Departments of: Employment and Workplace Relations; Health and Aged Care; Home Affairs; NBN Co Limited; Services Australia and Snowy Hydro Limited.

Figure 1.14: Entities which comprise five per cent or more of software projects being delivered at 31 January 2024

Source: ANAO analysis of entity provided information.

Total budget for software projects being delivered at 31 January 2024

1.122 The 25 entities advised the ANAO that they had budgeted for $3.3 billion to be spent on delivery of these projects during 2023–24 (including capital and operating expenditure).

1.123 Figure 1.15 below provides an analysis of entities which comprise five per cent or more of the total $3.3 billion to be spent on software projects by these entities in 2023–24. Four entities comprised 71 per cent of the total to be spent on these projects in 2023–24 entities. These entities are the Australian Taxation Office, Department of Defence, Department of Health and Aged Care and Services Australia.

Figure 1.15: Entities which comprise five per cent or more of total budgeted expenditure for software projects in 2023–24

Source: ANAO analysis of entity provided information.

1.124 The average 2023–24 budget (including capital and operating expenses) was $4.8 million, with an average range between $0.2 million and $38.0 million per project. Of the entities which were delivering more than one project, two entities had an average project value of greater than 50 per cent of the average. These entities are the Australian Taxation Office ($15.9 million) and Department of Defence ($38.0 million).

1.125 The total expected budget for the delivery of software projects at these entities is $10.9 billion. Table 1.2 provides analysis of the composition of the $10.9 billion total budgets for software projects (at 31 January 2024).⁶⁴ Three entities accounted for 75 per cent of this total. These entities are the Australian Taxation Office, Department of Defence and Services Australia.

Table 1.2: Total budget for software projects (including capital and operating expenditure) per entity

Source: ANAO analysis of entity provided information.

1.126 The average total budget (including capital and operating expenses) was $16.2 million, with an average range between $0.2 million and $187.8 million per project. Of the entities with more than one project being delivered, there were five entities with average project values greater than the average. These entities are:

• Department of Defence – $187.8 million;
• Australian Taxation Office – $47.0 million;
• Department of the Treasury – $28.3 million;
• Department of Veterans’ Affairs – $22.3 million; and
• Services Australia – $16.2 million.

What audit findings were identified in the ANAO’s interim audits?

1.127 Audit findings are reported by the ANAO in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner.

1.128 The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The ANAO’s rating scale is presented in Table 1.3.

Table 1.3: Audit findings rating scale

Source: ANAO reporting policy.

1.129 Information on each significant and moderate audit finding identified by the ANAO in interim audits has been included in Chapter 3. The following section provides details of trends in audit findings and a summary of the key categories to which audit findings relate.

Trends in audit findings

1.130 Figure 1.16 details that 65 per cent of all audit findings unresolved at the end of the 2023–24 interim phase related to the IT control environment.

Figure 1.16: Percentage of audit findings by category at the completion of 2023–24 interim audits

Source: ANAO data.

1.131 Figure 1.17 shows that 72 per cent of all significant and moderate audit findings unresolved at the end of the 2023–24 interim phase related to the IT control environment. Of the remaining balance, 17 per cent related to compliance and quality assurance frameworks.

Figure 1.17: Percentage of significant and moderate audit findings by category at the completion of 2023–24 interim audits

Source: ANAO data.

1.132 A summary of findings identified at the completion of the 2023–24 interim phase is included in Table 1.4 below. The table includes all findings reported to the 27 entities included in this report.

Table 1.4: Number of audit findings by category for the 2023–24 interim audits

Source: Compilation of ANAO interim audit findings.

1.133 A summary of all significant, moderate, minor and legislative findings reported at the completion of the interim audit phase for the period 2019–20 to 2023–24 is presented in Figure 1.18 below.

Figure 1.18: Trend in aggregate interim findings 2019–20 to 2023–24

Source: ANAO data.

1.134 Unresolved audit findings are those findings which have been identified by the ANAO in previous audits which are yet to be resolved. When reporting an audit finding to an entity the ANAO details the implications, risk and recommendations to the entity for resolution. Each audit finding reported is classified by the level of risk that may be posed to the entity, or the entity’s financial statements, if unaddressed. As a result, entities should take action to address unresolved audit findings, and the particular weakness in internal control identified, in a timely manner which is commensurate with the level of risk identified.

1.135 Seventy-eight per cent of audit findings (72 findings) reported at the 2023–24 interim phase were findings unresolved from prior audits. Figure 1.19 indicates of the percentage of unresolved audit findings by rating.

Figure 1.19: Unresolved audit findings by rating at the completion of 2023–24 interim audits

Source: ANAO data.

1.136 Figure 1.20 provides an analysis of the period in which the 72 unresolved audit findings were first identified by ANAO. Of the unresolved findings four per cent were first identified in 2020–21, 25 per cent in 2021–22 and 66 per cent in 2022–23.

Figure 1.20: Number of unresolved audit findings by period first identified by the ANAO

Source: ANAO data.

1.137 Details of all unresolved, significant and moderate audit findings are included in Chapter 3. There are three unresolved moderate audit findings which were first identified in 2020–21 (all of which relate to the IT control environment):

• Department of Social Services – Removal of user access;
• Department of Veterans’ Affairs – Implementation of Process Direct; and
• National Disability Insurance Agency – Removal of user access.

1.138 There are four unresolved moderate audit findings which were first identified in 2021–22 (which mainly relate to the IT control environment):

• Australian Taxation Office – Uneconomic to pursue debt and re-raises;
• Department of Defence – Weaknesses around the disposal of assets and inventory;
• Department of Infrastructure, Transport, Regional Development, Communications and the Arts – User access removal; and
• Department of Veterans’ Affairs – Security governance - Monitoring implementation of controls.

Information Technology (IT) control environment

1.139 The review of information systems and related controls is an integral part of an entity’s control environment. This section summarises the results from interim tests of the operating effectiveness of IT general controls for each of the entities included in this report.

1.140 Figure 1.21 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2019–20 to 2023–24.

Figure 1.21: IT control environment interim findings 2019–20 to 2023–24

Source: ANAO data.

1.141 Findings related to the IT control environment represent 65 per cent of total findings identified during the completion of 2023–24 interim audits. Consistent with the ANAO’s recent experience IT control environment findings continue to represent the highest proportion of all findings identified by the ANAO in financial statements audits.

1.142 There were three significant audit findings reported in 2023–24 interim audits (2022–23 interim audits: none). These findings were first identified in 2022–23 final audits of:

• Australian Taxation Office (ATO) – Weaknesses were identified associated with the ATO’s enterprise change management for key information technology systems supporting the preparation of the financial statements. These weaknesses included a disconnect between the change management policy and procedural documentation in relation to segregation of duties particularly in relation to developers and migrators.
• Department of Defence – Weaknesses were identified in relation to the removal of users’ access. During the 2022–23 final audit the ANAO identified 1,451 users whose access was not removed in accordance with the Information Security Manual (ISM) requirements.
• Services Australia – Weaknesses were identified related to Services Australia’s IT governance. The weaknesses identified were in relation to IT controls in the implementation of a large-scale IT roll-out for residential aged care and the re-emergence of a large number of individual control issues affecting change and access management and business operations.

1.143 There were 18 moderate findings reported in 2023–24 (2022–23: 21). Further details relating to the moderate findings are detailed in Chapter 3 for Departments of: Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Infrastructure, Transport, Regional Development, Communications and the Arts; the Prime Minister and Cabinet; Social Services; the Treasury; Veterans’ Affairs; and the National Disability Insurance Agency and Services Australia. These moderate audit findings mainly related to IT security, particularly the removal of user access and the monitoring of privileged user access.

1.144 The information systems control environment audit findings reported at the conclusion of the 2023–24 interim audits for entities included in this report have been grouped as follows:

• IT security;
• IT change management; and
• disaster recovery arrangements.

1.145 Figure 1.22 provides an overview of the categorisation of audit findings identified for the IT control environment. Seventy-five per cent of IT control environment findings related to IT security, including user access.

Figure 1.22: IT control environment findings categorisation for the 2023–24 interim audits

Source: ANAO data.

1.146 The majority of IT controls continued to provide reasonable assurance about the operation of controls relied on to support the preparation of financial statements that are free from material misstatement. Consistent with observations made by the ANAO in previous years, IT security, particularly removal of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

IT security

1.147 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only. The Protective Security Policy Framework⁶⁵ (PSPF) sets out the government protective security policy and the Information Security Manual⁶⁶ (ISM) provides guidance on strategies for protecting information and systems from cyber threats.

1.148 The key control areas that address risks relating to IT security and that are assessed as part of the interim audit are:

• IT security governance;
• general and privileged user access; and
• monitoring and reporting.

1.149 Figure 1.23 illustrates the trends in findings observed in entities’ IT security arrangements between 2019–20 and 2023–24.

Figure 1.23: IT security interim findings 2019–20 to 2023–24

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.150 IT security findings represent 75 per cent of all IT control environment findings reported in 2023–24. Findings related to IT security were identified in 60 per cent of entities. There were two significant and 16 moderate findings reported in the 2023–24 interim audits. Further details of the significant and moderate findings are detailed in chapter 3.⁶⁷

1.151 A review of all IT security findings identified issues in the following areas:

• logging and monitoring of privileged user activity;
• user access management, including approving new user access and performing regular user access reviews;
• removal of user access when it is no longer required;
• password configuration; and
• risk management and monitoring of controls.

1.152 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

• application administrators, sometimes referred to as super users;
• database administrators;
• system administrators; and
• network or domain administrators.

1.153 To reduce the risks associated with this access, ISM specifies that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. There were 19 findings related to user access identified as a result of 2023–24 interim audits.

• Nine moderate findings related to the logging and monitoring of privileged user access. These moderate findings were reported to the Departments of: Climate Change Energy, the Environment and Water; Social Services and Veterans’ Affairs and Services Australia.
• Ten minor findings related to monitoring high-risk user activities.

1.154 The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.155 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role; and should be reviewed whenever the role changes. Eleven minor findings related to granting and reviewing user access.

1.156 Entities must remove or suspend user access on the same day that a user no longer has a legitimate business requirement for its use.⁶⁸ Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. There were 11 findings related to monitoring controls identified as a result of 2023–24 interim audits.

• One significant finding was related to the Department of Defence, particularly the absence of effective controls over the removal or monitoring of user access post termination.
• There were six moderate findings related to weaknesses in monitoring controls and access being performed by users who no longer required such access. These moderate findings were reported to the Departments of: Education; Employment and Workplace Relations; Infrastructure, Transport, Regional Development, Communications and the Arts; Social Services; the Prime Minister and Cabinet; and the National Disability Insurance Agency.
• The four minor findings were related to the design of controls, such as scope of access being reviewed and controls not being implemented in accordance with policies and procedures.

1.157 The ISM provides guidance on the password requirements for Australian Government systems. In October 2019 the ASD updated this guidance to specify passphrase requirements for instances where multi-factor authentication⁶⁹ is not supported; passphrases used for single-factor authentication should be at least four random words with a minimum of 14 characters⁷⁰. There was one minor finding identified in this area. Inadequate password controls increase the likelihood of unauthorised access to systems and data.

1.158 Monitoring the performance of security controls is essential to maintaining an entity’s security posture. It can contribute to improving the implementation of minimum core and supporting PSPF requirements, the detection of new and emerging security risks, and the identification controls that are not operating as planned. There were three findings related to monitoring controls identified as a result of 2023–24 interim audits.

• One significant finding was related to IT governance at Services Australia.
• One moderate finding related to the Department of Veterans’ Affairs, particularly the monitoring processes not providing assurance that policy requirements has been implemented.
• One minor finding related to cyber security governance.

1.159 The weaknesses identified within this category increases the risk of unauthorised access to systems and data, or data leakage. Entities should review their management (and design and effectiveness) of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.160 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.161 Figure 1.24 illustrates the trends in findings identified in entities’ IT change management controls between 2019–20 and 2023–24.

Figure 1.24: IT change management interim findings 2019–20 to 2023–24

Source: ANAO data.

1.162 Changes to entities’ IT environments were managed using standardised processes, usually based on the Information Technology Infrastructure Library (ITIL) Framework.⁷¹ While still low when compared to IT security, the number of findings in this area highlights the importance of maintaining and monitoring performance of change management processes.

1.163 There were 10 findings identified in relation to change management in 2023–24 interim audits.

• One significant finding was related to change management at the enterprise level at the Australian Taxation Office.
• Two moderate findings related to the Department of Veterans’ Affairs and Services Australia, particularly change processes associated with implementation of new systems to streamline income support aged care services respectively.
• Seven minor findings identified related to segregation of duties, deployment and a lack of documented testing for reports.

1.164 Weaknesses in change management elevate the risk of unauthorised or untested changes to systems during these activities. These weaknesses may also affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.165 Disaster recovery is concerned with the resumption of the IT environment including systems and data following an interruption to services. It relies on:

• effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
• disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.166 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. Figure 1.25 illustrates the trend for findings identified in entities’ disaster recover arrangements between 2019–20 and 2023–24.

Figure 1.25: Disaster recovery interim findings 2019–20 to 2023–24

Source: ANAO data.

1.167 In all cases where general IT controls testing has been completed, ANAO found that entities undertook regular backups of financially significant data. Five minor findings were identified in 2023–24 interim audits. These findings related to control weakness around backups, recovery of data and an absence of disaster recovery testing in relation to key services systems. These control weaknesses increase the risk that, in the event of a significant disruption, systems and data will not be recovered within an acceptable timeframe.

Compliance and quality assurance frameworks

1.169 Entities place reliance on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes, provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

1.170 Figure 1.26 below shows the total number of audit findings identified by the ANAO during interim audits from 2019–20 to 2023–24 related to compliance and quality assurance frameworks.

Figure 1.26: Compliance and quality assurance framework interim findings 2019–20 to 2023–24

Source: ANAO data.

1.171 Four of the five unresolved moderate audit findings were first identified in 2022–23 final audits as significant audit findings. These related to weaknesses in the design and implementation of internal controls established in relation the governance of legal and other matters impacting the financial statements in the following entities: Departments of: Health and Aged Care; Education; and Social Services and Services Australia. At the conclusion of the 2023–24 interim audits these findings were reduced from significant to moderate reflecting the progress of these entities in implementing additional internal controls and regularised reporting on legal matters.

1.172 One unresolved moderate audit finding related to weaknesses in the administration of international development assistance payments at the Department of Foreign Affairs and Trade.

1.173 There were six unresolved minor audit findings at the conclusion of 2023–24 interim audits. Of these minor findings:

• one finding was raised during 2023–24;
• four findings were unresolved from 2022–23; and
• one finding was unresolved from 2021–22.

1.174 The minor audit findings related to weaknesses in specific program compliance and assurance arrangements (mainly related to complex contracts and benefit payment programs).

Accounting and control of non-financial assets

1.175 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally developed software.

1.176 Figure 1.27 shows the total number of accounting and control of non-financial assets audit findings identified by the ANAO during interim audits from 2019–20 to 2023–24.

Figure 1.27: Accounting and control of non-financial assets interim findings 2019–20 to 2023–24

Source: ANAO data.

1.177 There were two unresolved moderate audit findings relating to accounting and control of non-financial assets at the conclusion of 2023–24 interim audits. Of these moderate findings:

• one finding was unresolved from 2021–22. The finding relates to weaknesses around the asset and inventory disposal process at the Department of Defence; and
• one finding was unresolved from 2022–23. This finding relates to weaknesses in the management of intangible assets (computer software) at the Department of Education.

1.178 There were four minor audit findings unresolved at the conclusion of 2023–24 interim audits. Of these minor findings:

• one finding was identified in 2023–24; and
• three findings were unresolved from 2022–23.

1.179 The minor findings related to weaknesses in management of intangible assets (computer software), inventory management and integrity of asset registers.

Revenue, receivables and cash management

1.180 Revenue and receivables consist of parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Revenue is also generated by entities from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

1.181 Figure 1.28 shows the total number of revenue, receivable and cash management audit findings identified by the ANAO during interim audits from 2019–20 to 2023–24.

Figure 1.28: Revenue, receivables and cash management interim findings 2019–20 to 2023–24

Source: ANAO data.

1.182 The unresolved moderate finding was first identified during the 2021–22 final audit and relates to the Australian Taxation Office’s treatment of uneconomic to pursue debts.

1.183 There were two minor audit findings unresolved at the conclusion of 2023–24 interim audits. Of these minor findings:

• one finding was raised during 2023–24; and
• one finding was unresolved from 2022–23.

1.184 The minor findings related to weaknesses in bank reconciliation processes and collection of ageing debts.

Human resource financial processes

1.185 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions. Human resource transactions are high volume with both automated and manual processing. As a result, any control weaknesses can result in systematic errors increasing the risk of material misstatement.

1.186 Figure 1.29 below shows the total number of human resources financial processes audit findings identified by the ANAO during interim audits from 2019–20 to 2023–24.

Figure 1.29: Human resources financial processes interim findings 2019–20 to 2023–24

Source: ANAO data.

1.187 There were no unresolved significant or moderate audit findings at the conclusion of 2023–24 interim audits.

1.188 The unresolved minor finding was first identified in 2020–21 and relates to maintenance of employees in the human resource management information system.

Purchases and payables management

1.189 Purchases and payables management covers controls and processes that provide management with assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate. These expenses typically comprise the second most significant departmental expenditure item of entities after employee benefits.

1.190 Figure 1.30 below shows the total number of purchases and payables audit findings identified during interim audits by the ANAO from 2019–20 to 2023–24.

Figure 1.30: Purchases and payables management interim findings 2019–20 to 2023–24

Source: ANAO data.

1.191 There were no unresolved significant or moderate other audit findings at the conclusion of 2023–24 interim audits. The two moderate audit findings reported in 2022–23 related to the Department of Veteran’s Affairs methodology for accounting for the Military Compensation Provision and the governance of ADF health services at the Department of Defence. These findings were resolved at the final phase of the 2022–23 audits.

1.192 There were four minor audit findings unresolved at the conclusion of 2023–24 interim audits. Of these minor findings:

• one was identified during 2023–24; and
• three were unresolved from 2021–22.

1.193 The minor findings related to weaknesses in the security of transmittal of payment files, contract management, delegation and bank account changes.

Financial statements preparation

1.194 Financial statements are an important means of demonstrating how Commonwealth entities, both at an individual and whole-of-government level, meet their financial management responsibilities. In order to provide relevant and reliable financial information to the users, entities should prepare quality financial statements in a timely manner to support entities in meeting legislative reporting obligations including tabling of annual reports. Effective project management underpins successful financial statements preparation processes. Reporting financial statements preparation findings separately allows the ANAO to specifically identify areas where there are concerns with the presentation and disclosure in the financial statements.

1.195 Figure 1.31 below shows the total number of audit findings identified during interim audits by the ANAO from 2019–20 to 2023–24 related to financial statement preparation processes.

Figure 1.31: Financial statements preparation interim findings 2019–20 to 2023–24

Source: ANAO data.

1.196 There were no unresolved significant or moderate audit findings at the conclusion of 2023–24 interim audits.

1.197 There were four minor audit findings unresolved at the conclusion of 2023–24 interim audits. Of these minor findings:

• one finding was raised during 2023–24; and
• three findings were unresolved from 2022–23 final audits.

1.198 The weaknesses identified by the ANAO primarily relate to the: robustness of entity financial statements preparation plans and processes, quality assurance supporting financial statements working papers and operating effectiveness of month-end financial reporting processes.

Other audit findings

1.199 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; and updating or maintaining key governance documentation.

1.200 Figure 1.32 below shows the total number of other audit findings identified during interim audits by the ANAO from 2019–20 to 2023–24.

Figure 1.32: Other interim findings 2019–20 to 2023–24

Source: ANAO data.

1.201 There were no unresolved significant or moderate other audit findings at the conclusion of 2023–24 interim audits. The two moderate findings reported in 2022–23 interim audits related to the management of Machinery of Government changes at the Department of Education and the Department of Employment and Workplace Relations. These findings were resolved at the final phase of the 2022–23 audit.

1.202 There were four minor audit findings unresolved at the conclusion of 2023–24 interim audits. Of these minor findings:

• three were unresolved from 2022–23; and
• one was unresolved from 2021–22.

1.203 The weaknesses identified by the ANAO primarily relate to the:

• assessment of eligibility, processing and management of grants expenses;
• assignment of personal benefit expenses; and
• the preparation, implementation and review of Cost Recovery Impact Statements.

Introduction

2.1 The Australian Government’s financial reporting framework is primarily based on standards made independently by the Australian Accounting Standards Board (AASB).

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events unique to the public sector and not-for-profit private sector. In doing so, the AASB considers standards issued by the International Public Sector Accounting Standards Board (IPSASB).

2.3 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires Commonwealth entities to apply Australian accounting standards when preparing financial statements. In addition to Australian accounting standards, the Minister for Finance prescribes additional financial reporting requirements for Commonwealth entities via the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (FRR).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997 (Auditor-General Act). The ANAO Auditing Standards incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The AUASB bases its standards on those made by the International Auditing and Assurance Standards Board (IAASB), an independent standard setting board of the International Federation of Accountants.⁷²

2.5 The financial reporting and auditing frameworks that apply in 2023–24 are discussed further in Appendix 1 and Appendix 2 of this report.

Key developments in public sector reporting and auditing

Sustainability reporting and assurance update

2.6 Sustainability reporting⁷³ has developed globally, primarily in the private sector, on the basis that sustainability factors are becoming a mainstream part of investment decision-making.

2.7 The International Sustainability Standards Board (ISSB) was established in November 2021 at the 26th United Nations Conference of Parties (COP26) in Glasgow to develop standards that will result in a high-quality, comprehensive global baseline of sustainability disclosures focused on the needs of investors and the financial markets. The ISSB issued its first two IFRS sustainability disclosure standards (IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures) in June 2023, which set out the requirements for disclosure of information on sustainability-related risks and opportunities.⁷⁴

2.8 The first stage of sustainability reporting under Australian Government policy (the policy) is the introduction of mandatory climate-related disclosures in the annual reports of Commonwealth entities and Commonwealth companies.

2.9 Under the policy:

• the Treasury is leading the Corporate Climate-related Financial Disclosure (CCFD) policy roll-out for companies reporting under the Corporations Act 2001 (Corporations Act). Five Commonwealth companies will be impacted by this legislation: Snowy Hydro Limited; ASC Pty Ltd; Australian Rail Track Corporation; NBN Co Limited; and WSA Co Ltd; and
• Finance is leading the Commonwealth Climate Disclosure (CCD) policy roll-out for Commonwealth entities and Commonwealth companies not captured by the thresholds set out in the proposed amendments to the Corporations Act. CCD requires Commonwealth entities and Commonwealth companies to publicly report on their exposure to climate risks and opportunities as well as their actions to manage them.

Key developments

2.10 Key developments, since publication of Auditor-General Report No. 9 2023–24 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023, include the:

• Passing of the Treasury Laws Amendment (2023 Measures No. 1) Act 2023 on 28 November 2023, which amended the Australian Securities and Investments Commission Act 2001 (ASIC Act) to provide the:
  • AASB with functions to develop and formulate sustainability standards; and
  • AUASB with functions to include formulating audits and assurance standards for sustainability purposes.
• Financial Reporting Council (FRC) oversight and governance powers to account for the development of sustainability standards.
• Government announcement⁷⁵ and release of the Net Zero in Government Operations Strategy⁷⁶ (the strategy) on 28 November 2023 describing the approach for implementing the commitment to achieve net zero in government operations by 2030. Actions by relevant entities under the strategy inform parts of their climate disclosures under the CCD reform.
• Department of Finance (Finance) announcement of CCD reform⁷⁷ on 28 November 2023 requiring Commonwealth entities and Commonwealth companies to publicly report exposure to climate risks and opportunities as well as their actions to manage them in their annual report.
• Government announcement⁷⁸ on 12 January 2024 of the final policy design for CCFD requirements⁷⁹ led by the Treasury applicable to companies reporting under the Corporations Act.
• Treasury issue of exposure draft (ED) Treasury Laws Amendment Bill 2024: Climate-related financial disclosure on 12 January 2024 seeking to amend parts of the ASIC Act and the Corporations Act to mandate requirements for large businesses and financial institutions to disclose their climate-related risks and opportunities.⁸⁰
• AUASB issue of consultation paper Assurance over Climate and Other Sustainability Information⁸¹ on 20 March 2024 seeking feedback to assist with developing a proposed model for phasing in assurance over mandatory climate information, the adoption of ISSA 5000 General Requirements for Sustainability Assurance Engagements (ISSA 5000) and development of local pronouncements to supplement the final ISSA 5000.⁸²
• Commencement of consultation between Finance and the ANAO on 21 March 2024 on the development of a CCD assurance and verification regime.
• Introduction of the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Bill 2024 to the House of Representatives on 27 March 2024⁸³ to establish internationally aligned mandatory climate disclosure reporting. The Bill proposes a commencement date for entities meeting the reporting thresholds for certain large entities (Group 1⁸⁴) for financial reporting years starting on or after 1 January 2025.
• Finance issue of CCD Pilot Guidance on 27 March 2024 for disclosure of a limited range of climate risk management activities for all departments of state in 2023–24.⁸⁵

Entity preparedness for climate reporting

2.11 The ANAO surveyed the 27 entities included in this report in relation to the processes which they have established to support preparedness for climate reporting, given the range of emerging developments noted above. The ANAO has analysed:

• nature of processes which support preparedness for climate reporting; and
• oversight from entity audit committees.

2.12 Forty-eight per cent of entities had established a process or project to prepare for climate reporting requirements. Figure 2.1 provides an overview of type the processes and projects which these entities have implemented.

Figure 2.1: Overview of process and projects established by entities for climate reporting preparedness

Source: ANAO analysis.

2.13 The role of an entity’s audit committee in relation to climate reporting (and preparedness) is being considered across the sector. Fifteen of the 27 entities had briefed or sought advice from their audit committee on climate-related disclosures. The majority of these briefings were ‘ad-hoc’. Figure 2.2 details the role taken by audit committees in oversighting entity preparedness for sustainability reporting.

Figure 2.2: Audit committee oversight of climate reporting preparedness

Source: ANAO analysis.

2.14 Given the emerging developments on climate reporting which will apply to the sector, entities that have not yet considered these developments could take further steps to assist with preparedness.

Assurance over climate-related reporting

Department of the Treasury-led reform

2.15 The Treasury policy position statement for climate-related financial disclosure⁸⁶ states that climate disclosures will be subject to similar assurance requirements to those currently in the Corporations Act for financial reports. Entities will also be required to obtain an assurance report from their financial auditors with assistance from technical climate and sustainability experts where required. These requirements will be set out in the AUASB sustainability assurance standards.

2.16 The Treasury policy position statement also states that the AUASB will set out a pathway for phasing in requirements over time, which would commence with limited assurance over scope 1 (direct) and scope 2 (indirect) emissions⁸⁷ disclosures commencing 1 January 2025⁸⁸ and end with assurance of all climate disclosures made from financial reporting years commencing 1 July 2030.

Department of Finance-led reform

2.17 Finance is designing a verification and assurance regime for Commonwealth entities and Commonwealth companies that don’t meet the threshold for the Treasury-led reform in consultation with the ANAO. Similar to the Treasury-led reform, it is likely that assurance will be phased with audits of a small cohort of entities increasing until all entities have commenced climate-related disclosures.

Australian National Audit Office

2.18 As the financial auditor of Australian government entities, the ANAO is considering its readiness to implement a sustainability assurance regime. This includes:

• Audit mandate – the source of authority to conduct audits under the Auditor-General Act, or other legislation.
• Resources required to undertake the assurance function – staffing, IT and methodology, quality assurance and the budget associated with delivery.
• Staff capability – an uplift in terms of skills and expertise is required to provide assurance over climate-related disclosures.
• Specialist expertise – due to the limited availability of technical climate and sustainability specialists in the market, it may be difficult to source specialists:
  • to assist with assurance over technical climate matters that is not also involved in technical climate reporting in some capacity;
  • that are available at an appropriate stage of the audit to enable the audit to be completed in a timely manner in a competitive and growing market.
• Sector readiness – consideration of the readiness of entities to report climate-related disclosures and how the audit process can be used to drive enhanced disclosure across the Commonwealth.
• Market readiness – consideration of the number of contract audit firms used and the readiness of these firms to conduct sustainability audits.

2.19 As noted earlier, there are five⁸⁹ Commonwealth companies reporting under the Corporations Act that are subject to the Treasury-led reform requiring limited assurance over scope 1 and scope 2 disclosures commencing 1 January 2025. The ANAO will leverage the experience gained from auditing the climate disclosures of these entities in auditing entities subject to the Finance-led CCD reform.

Emerging technologies

2.20 Mirroring trends observed nationally and internationally, emerging technologies are increasingly being explored by Commonwealth entities to improve operations and service delivery. Emerging technologies are new technologies or the further development of existing technologies. Key emerging technologies include robotic process automation (RPA)⁹⁰ and artificial intelligence (AI)⁹¹, including generative AI and machine learning (ML).

2.21 Emerging technologies present opportunities for improvement and innovation, and risks. Some of the risks include a lack of transparency, auditability, reviewability, bias and discrimination, security and privacy concerns, legal and regulatory challenges, misinformation, manipulation and unintended consequences.

2.22 Appropriate governance structures are critical to achieving the ethical and responsible use of emerging technologies. Entities governance structures should consider usage of the technologies, an understanding of the operation of the technologies and consider both business and technology perspectives.⁹² The Report of the Royal Commission into the Robodebt Scheme recommended the establishment of a body to monitor and audit automated decision making (Recommendation 17.2).⁹³

The Commonwealth should consider establishing a body, or expanding an existing body, with the power to monitor and audit automate decision-making processes with regard to their technical aspects and their impact in respect of fairness, the avoiding of bias, and client usability.

2.23 In response to these trends, risks and challenges, governments, standards bodies and other entities have worked to develop guidance, policies and standards regarding the use of emerging technologies by the Australian Government.

• In June 2023, the Department of Industry, Science and Resources (DISR) opened consultation into the safe and responsible use of AI, while also establishing an AI in Government Taskforce, jointly led by the Digital Transformation Agency. In January 2024, the Australian Government released an interim response to this consultation.⁹⁴
• In September 2023, the Secretaries Board agreed the AI in Government Taskforce was the appropriate forum, in consultation with Attorney-General’s Department (AGD), to coordinate work to identify and map the extent to which automated decision making (ADM) technology is relied on in the delivery of government services and payments, and the supporting legislative basis. As a first step in the mapping, the AI in Government Taskforce and the Attorney General’s Department developed a survey to collect high-level information in September and 27 October 2023 on the use of ADM among entities.
• In November 2023, the Department of Home Affairs released the 2023-2030 Australian Cyber Security Strategy. As part of this, the cyber risks of using emerging technology will be managed. ⁹⁵
• In May 2024, the Australian Government released Budget 2024-25 and outlined a new budget measure⁹⁶ over the four years commencing from 2024-25 to establish a reshaped National AI Centre and an AI advisory body within DISR in response to the potential risks of AI.⁹⁷ These included potential regulatory responses that would complement existing voluntary measures such as the Artificial Intelligence Ethics Principles.⁹⁸

2.24 In Auditor-General Report No. 9 2023–24 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023, the ANAO reported that of the entities which advised the ANAO that they had implemented emerging technologies, including Artificial Intelligence, the majority did not create policies or a governance framework to support their use of these technologies, or have regard to external policies guidance such as Australia’s eight Artificial Intelligence Ethics Principles.

2.25 The ANAO has made a number of ongoing audit findings in previous financial and performance audits in relation to information technology controls, particularly weakness in change management policies and controls for IT systems. The development of AI significantly raises these risks and places greater importance on the control frameworks required to ensure that there are appropriate governance, minimum standards, or requirements for auditability or traceability, on the process and output of or decisions made through AI.

2.26 The Joint Committee of Public Accounts and Audit is exploring the use of AI as part of the Inquiry into Commonwealth Financial Statements 2022–23. The ANAO intends to build a consideration of risks relating to the use of AI into its audit planning processes in order to provide Parliament with assurance regarding the efficient, effective, economical, ethical and safe use of AI in the APS. In February 2024 the ANAO commenced a performance audit relating to the use of automation and AI in the Australian Taxation Office, which is intended to inform future audit approaches.

2.27 Given that the policy framework for AI continues to evolve and be subject to development, the ANAO will continue to monitor the progress of the AI in Government Taskforce, and entities’ readiness of the adoption of AI; and assess the associated risks and the controls for the APS.

 

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with the performance audit and performance statements audit groups. The process takes into account an entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2 The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects entity funding arrangements existing at 30 April 2024 and outlines the following information for each of the reported entities:

• the entity’s primary role, as reflected in the 2023–24 Portfolio Budget Statements;
• key financial balances, as reflected in the 2023–24 Portfolio Additional Estimates Statements, or 2022–23 audited balances, as published in 2022–23 annual reports;⁹⁹
• the ANAO’s assessment of the overall engagement risk for the 2023–24 financial statements audit, which informs the audit processes to be undertaken;
• key areas of financial statements risk; and
• the status of significant and moderate audit findings and significant legislative breaches at the completion of the interim audit, and the conclusion relating to audit coverage to date.¹⁰⁰

3.0.3 The entities discussed in this report include all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2022–23 CFS. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

3.0.4 The entities are presented in order of portfolio below.

• Department of Agriculture, Fisheries and Forestry
• Attorney-General’s Department
• Department of Climate Change, Energy, the Environment and Water
  • Snowy Hydro Limited
• Department of Defence
  • Department of Veterans’ Affairs
• Department of Education
• Department of Employment and Workplace Relations
• Department of Finance
  • Future Fund Management Agency
• Department of Foreign Affairs and Trade
• Department of Health and Aged Care
• Department of Home Affairs
• Department of Industry, Science and Resources
• Department of Infrastructure, Transport, Regional Development, Communications and the Arts
  • Australian Postal Corporation
  • NBN Co Limited
• Department of Parliamentary Services
• Department of the Prime Minister and Cabinet
  • National Indigenous Australians Agency
• Department of Social Services
  • National Disability Insurance Agency
  • Services Australia
• Department of the Treasury
  • Australian Office of Financial Management
  • Australian Taxation Office
  • Reserve Bank of Australia

3.0.5 Where a performance audit was tabled prior to 30 April 2024 that was relevant to the financial management or administration of an entity, consideration is given to the impact of observations on the approach for the 2023–24 financial statements audit.

Engagement risk

3.0.6 An audit engagement is assessed as being a high, moderate or low risk engagement by the ANAO based upon the overall risk of the engagement to the Auditor-General and the ANAO in accordance with the requirements of the ANAO Audit Manual. This includes consideration of:

• the inherent risk of material misstatement arising from the engagement (that is, the risk that there is a material misstatement in the subject matter before the conduct of the engagement); and
• other professional risks, being any other source of risk to the Auditor-General and the ANAO arising from the conduct of the engagement, including but not limited to litigious and reputational risks.

3.0.7 Table 3.0.1 provides further information on matters which may be considered by the ANAO when considering the inherent risk of material misstatement or other professional risks arising from the engagement.

Table 3.0.1: Considerations made by the ANAO in determining engagement risk

3.0.8 Engagement risks are communicated to entities during the planning phase of the audit. Engagement risk is also monitored during the course of the audit. Risk ratings may be subject to change where new developments emerge. Where information-gathering processes reveal evidence of misrepresentation or inadequacies, the risk of an engagement would be rated higher to reflect the risk of expressing an inappropriate conclusion based on a lack of sufficient appropriate audit evidence.

3.0.9 The level of engagement risk identified by the ANAO is a factor in determining the nature, timing and extent of audit procedures to be performed during the audit. In addition, for high risk audits the ANAO considers whether further resources, including staff with specialty skills and/or more experience, are needed to address the identified risks.

3.0.10 Seven entities have been assessed as having a high engagement risk rating for 2023–24 (2022–23: 11 entities). Table 3.0.2 shows the engagement risk rating for 2022–23 and 2023–24 for each of these entities.

Table 3.0.2: Entities with a high engagement risk rating for 2022–23 or 2023–24

Source: 2022–23 and 2023–24 audit correspondence.

Analysis of entities included in this report contributions to the 2022–23 CFS

3.0.11 An analysis of the percentage contribution of entities in this report to the 2022–23 CFS is presented below. Figure 3.0.1 presents the results of seven entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Entities contributing more than 10 per cent to the Australian Government’s 2022–23 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2023.

Figure 3.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2022–23 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2023.

Audit findings

3.0.12 Table 3.0.3 presents a summary of new and unresolved significant and moderate audit findings¹⁰¹ at the conclusion of the 2023–24 interim¹⁰² audits and the 2022–23 interim and final audits.

Table 3.0.3: Significant and moderate audit findings by entity

Note a: New findings are those raised during the audit period.

Note a: Unresolved findings are those that have not yet been remediated by the entity from prior audit periods, including audit findings reduced from significant to moderate.

Source: 2022–23 and 2023–24 ANAO audit correspondence.

3.0.13 Table 3.0.4 presents a summary of the total number of unresolved findings by entity¹⁰³ at the conclusion of the 2023–24 interim¹⁰⁴.

Table 3.0.4: Unresolved audit findings by entity

3.1 Department of Agriculture, Fisheries and Forestry

Overview

3.1.1  DAFF is responsible for developing and implementing policies and initiatives to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health status to maintain overseas markets and protect the economy and environment from exotic pests and diseases.

3.1.2  DAFF’s main source of funding is from appropriations. DAFF charges fees for certain import and export certifications and inspections on a cost recovery basis.

Key financial statements items

3.1.3  Figure 3.1.1 and Figure 3.1.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.1.1: Key departmental financial statements items

Source: DAFF’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.1.2: Key administered financial statements items

Source: DAFF’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.1.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• breadth of legislation for departmental revenue (charges for import and export functions) and self-assessment nature of administered revenue (primary industry levies and charges);
• financial sustainability including tight liquidity position experienced during 2022–23; and
• significance of the judgement and estimation involved in determining the valuation of loans to state and territory governments and farm businesses.

Key areas of financial statements risk

3.1.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact DAFF’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DAFF’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.1.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DAFF’s financial statements.

3.1.7  Figure 3.1.3 and Figure 3.1.4 below shows the key financial statements items reported by DAFF and the key areas of financial statements risk.

Figure 3.1.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.1.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.1.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.1.1.

Table 3.1.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.1.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of controls relating to: revenue from contracts with customers (import and export functions); grants expenditure; non-financial assets; employee benefits; and suppliers expenses. In addition, an assessment of the IT general controls for the financial and human resources management information system and selected revenue collection IT systems has been completed.

3.1.10  Audit procedures relating to: loans receivable, levies and charges; non-financial assets; and financial sustainability will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.1.11  Table 3.1.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.1.2: Status of audit findings raised by the ANAO

Note a: The previously reported moderate audit finding relating to Removal of user access has been reduced to a minor audit finding as part of the 2023–24 interim audit (refer to paragraphs 3.1.14 to 3.1.17).

Source: ANAO 2023–24 interim audit results.

3.1.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.1.13  The following section provides an overview of moderate audit findings.

Reduced moderate audit finding

Removal of user access

3.1.14  The Protective Security Policy Framework (PSPF) helps Australian Government entities to protect their people, information and assets. The PSPF sets out government protective security policy in terms of: security governance; information security; personnel security; and physical security.¹⁰⁵ PSPF Policy 9 Access to information and PSPF Policy 14 Separating personnel outline security measures to control access to Australian Government information and mitigate risks associated with departing personnel. PSPF Policy 9 requires entities to control access to supporting Information, Communication and Technology (ICT) systems and applications and ensure access to sensitive information is only provided to people on a need-to-know basis.¹⁰⁶ PSPF Policy 14 requires personnel’s access to be removed upon separation or transfer from the entity. ¹⁰⁷ Inadequate security measures for timely removal of access from former personnel increase the risk of unauthorised access to sensitive information.

3.1.15  During the 2022–23 audit, the ANAO identified users who had accessed the DAFF network and systems supporting the preparation of the financial statements post termination. Unauthorised user access post termination poses a business risk and could potentially impact the integrity of the entity’s financial or other data. While DAFF’s ‘System Access Management Policy’ was consistent with the Protective Security Policy Framework (PSPF), DAFF did not have a process in place to identify users who had access to systems, applications and data repositories after termination from the entity.

3.1.16  The ANAO recommended that DAFF review the process for user access termination to ensure that terminations are processed in a more timely manner; and to design a process that would allow DAFF to ‘look back’ on user activity which occurred post termination to confirm appropriateness.

3.1.17  DAFF implemented a control to identify users who have accessed the network post termination in March 2024. Where access is identified an investigation is undertaken to determine the appropriateness of activities undertaken. As a result of the implementation of additional controls, the ANAO has reduced this audit finding to a minor audit finding. Given the recent implementation of the control, which continues to mature, and limited instances of its application, the ANAO will test the operating effectiveness of the process during the 2023–24 final audit.

Conclusion

3.1.18  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DAFF will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1  AGD supports the Attorney-General through the provision of expert advice and services on a range of law, justice, integrity, and national security issues.

3.2.2  AGD’s main source of funding is from appropriations. AGD also receives funding from own-source revenue relating to services provided by the AGS.

Key financial statements items

3.2.3  Figure 3.2.1 and Figure 3.2.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.2.1: Key departmental financial statements items

Source: AGD’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.2.2: Key administered financial statements items

Source: AGD’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.2.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are: AGD’s broad range of functions which require organisational structures and IT systems to support the key activities, including supporting the AGS; and management of agreements and arrangements with other Commonwealth departments relating to service delivery responsibilities for administered grants.

Key areas of financial statements risk

3.2.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.2.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of AGD’s financial statements.

3.2.7  Figure 3.2.3 and Figure 3.2.4 below show the key financial statements items reported by AGD and the key areas of financial statements risk.

Figure 3.2.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and AGD’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.2.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and AGD’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.2.8  Further information on the key areas of financial statements risk identified by the ANAO is provided below in Table 3.2.1.

Table 3.2.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.2.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; revenue; grants, suppliers and employee expenses.

3.2.10  Audit procedures relating to: the valuation of non-financial assets including administered investments; employee provisions; and financial statements close processes will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.2.11  Table 3.2.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.2.2: Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.2.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.2.13  The following section provides an overview of moderate audit findings.

Resolved moderate audit finding

Monitoring of privileged FMIS access

3.2.14  During the 2022–23 audit, the ANAO identified weaknesses with the monitoring of authorised privileged user access within AGD’s Financial Management Information System (FMIS). Inadequate monitoring of privileged user access increases the likelihood that inappropriate activity would not be detected.

3.2.15  During 2023–24 AGD has developed updated procedures for monitoring privileged user access to the FMIS and controls have been strengthened to improve monitoring arrangements. AGD has also implemented a manual control within its network to notify system administrators of unauthorised access to the FMIS by separated users. Access to the AGD network is removed if a user does not log in for 90 days.

3.2.16  As part of the 2023–24 interim audit the ANAO has reviewed and tested the design and operating effectiveness of the updated procedures and manual control implemented by AGD and did not identify any weaknesses. As a result, this finding is considered to be resolved.

Conclusion

3.2.17  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.3 Department of Climate Change, Energy, the Environment and Water

Overview

3.3.1  DCCEEW is responsible for developing and implementing policies and initiatives across climate change, energy the environment, heritage and water.

3.3.2  DCCEEW’s main source of funding is from appropriations.

Key financial statements items

3.3.3  Figure 3.3.1 and Figure 3.3.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.3.1: Key departmental financial statements items

Source: DCCEEW’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.3.2: Key administered financial statements items

Source: DCCEEW’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.3.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• DCCEEW’s diverse functions across a range of programs outcomes, and broad strategic direction to support the Australian Government’s commitments to reduce emissions, lower energy costs, protect Australia’s environment, and implement the Murray-Darling Basin Plan, which results in large number of programs and payments under management. DCCEEW’s operations are delivered geographically dispersed locations;
• the level of judgement and complexity involved in determining the fair value of key financial balances, including the Australian Government’s investment in Snowy Hydro Limited, water entitlements and restoration obligations in Antarctica; and
• continuing change and maturation of DCCEEW’s operating model and system of internal control, including relating to IT systems, following establishment of DCCEEW in 2022–23.

Key areas of financial statements risk

3.3.5  In The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact DCCEEW’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DCCEEW’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.3.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DCCEEW’s financial statements.

3.3.7  Figure 3.3.3 and Figure 3.3.4 below show the key financial statements items reported by DCCEEW and the key areas of financial statements risk.

Figure 3.3.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DCCEEW’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.3.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DCCEEW’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.3.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.3.1.

Table 3.3.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.3.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: revenue and receivables; supper and employee expenses; non-financial assets, grants and the Natural Heritage Trust of Australia Account. Interim audit coverage also included an assessment of IT general controls, including security and change management processes relevant to the financial and human resources management information systems.

3.3.10  Audit procedures relating to: appropriations and special accounts; lease liabilities; the Antarctic restoration provision, water entitlements; valuation of the investments in Snowy Hydro Limited and Marinus Link Pty Ltd; and recognition of joint operations (Living Murray Initiative and River Murray Operations) will be undertaken as part of the 2023–24 final audit.

Audit findings

3.3.11  Table 3.3.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.3.2: Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.3.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.3.13  The following section provides an overview of moderate audit findings.

New moderate audit finding

Tech One FMIS privileged user management

3.3.14  Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

3.3.15  During 2023–24 interim audit, the ANAO identified weaknesses in the effectiveness of DCCEEW’s monitoring of privileged user activities within the Tech One Financial Management Information System (FMIS). DCCEEW implemented the Tech One FMIS on 1 July 2023. The ANAO identified that audit logs of privileged activity reports had been generated but no evidence of the review of the logs could be provided. This weaknesses in monitoring increases the risk of erroneous or unauthorised changes to IT systems will not be identified and addressed.

3.3.16  The ANAO recommended that DCCEEW update the privileged user access monitoring policy to regularise these reviews, including the requirement to retain evidence to support that the reviews had been appropriately undertaken in accordance with the policy.

3.3.17  The ANAO will focus on the action taken by DCCEEW in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit finding

SAP FMIS user access provisioning and removal of user access

3.3.18  The provisioning and removal of access to the SAP FMIS relies on a mix of automated and manual controls. The effective operation of these controls would ensure that users only have access to functions and transactions within the FMIS that are appropriate to their role. User accounts should be removed or updated when there is no longer a business requirement for access after this date.

3.3.19  During the 2022–23 interim audit the ANAO identified instances where user access was not removed in a timely manner following a user’s termination and where users had access to functions and roles within the SAP FMIS that were not relevant to their position. The ANAO recommended that DCCEEW develop risk-based monitoring controls to confirm user access and role assignments are appropriate and that user access is removed in a timely manner.

3.3.20  During the 2023–24 interim audit, DCCEEW advised that it had not yet fully addressed the ANAO’s finding. DCCEEW are addressing this finding in tandem with the actions it is taking to implement a new HRMIS and FMIS progressively during 2023–24. DCCEEW expect that remaining action required to address this finding will be completed by June 2024. As a result, this finding remains unresolved. The ANAO will focus on the action taken by DCCEEW in response to this finding as part of the 2023–24 final audit.

Resolved moderate audit finding

SAP FMIS privileged user management

3.3.21  During the 2021–22 audit of the former Department of Agriculture, Water and the Environment the ANAO identified weaknesses in the effectiveness of monitoring of privileged user activities within the SAP FMIS. The SAP FMIS transferred to DCCEEW on 1 July 2022.

3.3.22  The ANAO identified that audit logs of privileged user activities were not regularly reviewed and that reviews confirming the currency of user access had not been regularly completed. Failure to undertake these reviews increases the risk of erroneous or unauthorised changes to IT systems will not be identified and addressed. In July 2023 DCCEEW finalised the outstanding reviews of privileged user activities, however, the reviews were not timely. The ANAO recommended that DCCEEW embed a formal process that supports the review being performed in a timely manner.

3.3.23  During the 2023–24 interim audit the ANAO has confirmed that DCCEEW are performing the monthly review of privileged user activity logs in a timely manner. As a result, this finding is considered resolved.

Conclusion

3.3.24  At the completion of the 2023–24 interim audit, and except for the two moderate audit findings reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DCCEEW will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.3.25  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DCCEEW to address the weaknesses identified.

3.4 Snowy Hydro Limited

Overview

3.4.1  Snowy Hydro is a government business enterprise responsible for energy generation activities to supply the National Electricity Market (NEM) as well as operating as a retail energy provider.

3.4.2  Snowy Hydro does not receive any appropriation funding. The operational functions of Snowy Hydro are funded through own source income. The primary income sources for Snowy Hydro are retail revenue which arises from the supply of electricity and gas to customers through the Red and Lumo energy brands and wholesale revenue arising from the generation and supply of electricity to the NEM.

3.4.3  Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects.

Key financial statements items

3.4.4  Figure 3.4.1 below provides a summary of the key financial statements items as reported in Snowy Hydro’s 2022–23 annual report.

Figure 3.4.1: Key financial statements items

Source: Snowy Hydro’s 2022–23 audited financial statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.4.5  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• the significance of the financial investment made in, and complexity in the delivery of, long-term infrastructure developments relating to the Snowy 2.0 and Hunter Power projects;
• the dynamism and complexity of Snowy Hydro’s operating and regulatory environment. There are ongoing structural changes in the NEM relating to Australia’s planned decarbonisation and transition to higher levels of energy generated through renewable sources;
• the heightened level of competition in the NEM for supply of energy to retail customers; and
• the complexity of the valuation of Snowy Hydro’s energy derivatives (contracts) to sell electricity or buy electricity in the NEM. The level of complexity is primarily driven by the size of the portfolio and the inherent subjectivity and significance of judgements and estimates required where market data is not available to determine the fair value of these derivatives.

Key areas of financial statements risk

3.4.6  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Snowy Hydro’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Snowy Hydro’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.4.7  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Snowy Hydro’s financial statements.

3.4.8  Figure 3.4.2 below shows the key financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 3.4.2: Key financial balances and areas of financial statements risk

Source: ANAO analysis and Snowy Hydro’s 2022–23 audited financial statements.

3.4.9  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.4.1.

Table 3.4.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.4.10  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: retail and generation revenue and receivables; supplier expenses; cash and cash equivalents; treasury; renewable energy certificates; financial reporting; and payroll.

3.4.11  Audit procedures relating to IT general and application controls, assessment of controls relating to non-financial assets and substantive testing on all material financial statements line items will be undertaken as part of the planned 2023–24 final audit. This will include audit procedures to test material accounting estimates made by Snowy Hydro, relating to the key areas of financial risk: valuation of financial instruments; capitalisation of customer acquisition costs; valuation of unbilled electricity revenue receivable; valuation of renewable energy certificates; impairment of goodwill; and impairment of trade and other receivables.

Audit findings

3.4.12  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified.

Conclusion

3.4.13  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.5 Department of Defence

Overview

3.5.1  Defence is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability, the provision of military capabilities to defend Australia and its national interests, and the provision of support for the Australian community and civilian authorities as directed by the Australian Government.

3.5.2  Defence’s main source of funding is from appropriations.

Key financial statements items

3.5.3  Figure 3.5.1 and Figure 3.5.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.5.1: Key departmental financial statements line items

Source: Defence’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.5.2: Key administered financial statements line items

Source: Defence’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.5.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• the nature, magnitude and complexity of Defence’s operations and strategic environment, including a highly decentralised control environment and the use of multiple IT systems that operate independently of each other;
• the high level of public interest and scrutiny of Defence’s activities; and
• the number and financial significance of complex accounting estimates in the financial statements, including the valuation of specialist military equipment and military defined benefit superannuation liabilities which are subject to higher levels of estimation uncertainty.

Key areas of financial statements risk

3.5.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.5.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Defence’s financial statements.

3.5.7  Figure 3.5.3 and Figure 3.5.4 below show the key financial statements items reported by Defence and the key areas of financial statements risk.

Figure 3.5.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Defence’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.5.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Defence’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.5.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.5.1.

Table 3.5.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.5.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT general controls over the financial management information system and human resources information management system, as well as testing the operating effectiveness of controls implemented to confirm the existence and completeness of inventory.

3.5.10  Audit procedures relating to 30 June 2024 balances for SME, general non-financial assets and employee provisions will be undertaken as part of the 2023–24 final audit.

Audit findings

3.5.11  Table 3.5.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.5.2: Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.5.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.5.13  The following section provides an overview of significant and moderate audit findings.

Unresolved significant audit finding

Removal of system access for Defence personnel and contractors

3.5.14  During the 2022–23 audit, ANAO identified 1,451 users whose access to the Defence Network was not disabled in accordance with Information Security Manual (ISM) requirements, which requires entities to remove or suspend access on the same day personnel (including contractors) no longer have a legitimate business requirement for the access. The ANAO also identified that a number of terminated employees continued to receive salary payments, in one case, for more than two months after termination. The ANAO also identified that Defence does not have effective controls in place for removing access to the financial management information system when personnel or contractors remain within Defence, but their duties change hence they no longer have a legitimate business requirement to access the system.

3.5.15  The absence of effective of controls over the removal or monitoring of user access post termination increases the risk of inappropriate activity occurring in systems that have significant and sensitive data holdings. Inappropriate access can result in data integrity issues, as well as access to sensitive information. There is a significant fraud and reputational risk exposure to Defence as a result of the above system access weaknesses. These risks relate to terminated employees as well as contractors.

3.5.16  Defence has established a working group and developed a remediation plan to address the risks identified through this finding. During the 2023–24 interim audit, Defence advised the ANAO that action undertaken included policy and system changes as well as the implementation of new monitoring and assurance processes over terminated personnel.

3.5.17  The ANAO will focus on the action taken by Defence in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit finding

Weaknesses around the disposal of assets and inventory

3.5.18  During the 2018–19 audit, Defence was unable to provide appropriate documentation in a timely manner in relation to the disposal of buildings. Between the 2019–20 and 2022–23 financial years, the ANAO continued to identify examples of asset disposals occurring in the IT system significantly after the physical disposal of the asset. Instances were also identified where there was a planned disposal, but the disposal directive was not signed until after the physical disposal had occurred.

3.5.19  During the 2023–24 interim audit, Defence advised the ANAO that work has been undertaken to address this audit finding. The ANAO will focus on the action taken by Defence in response to this finding as part of the 2023–24 final audit.

Conclusion

3.5.20  At the completion of the 2023–24 interim audit, the ANAO has reported a number of areas where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement.

3.5.21  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by Defence to address the weaknesses identified.

3.6 Department of Veterans’ Affairs

Overview

3.6.1  DVA is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988; administering the Defence Service Homes Act 1918, the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.6.2  DVA’s main source of funding is from appropriations.

Key financial statements items

3.6.3  Figure 3.6.1 and Figure 3.6.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.6.1: Key departmental financial statements items

Source: DVA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.6.2: Key administered financial statements items

Source: DVA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.6.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• the complexities in assessing and managing personal benefit and health care claims for veterans. The legislation which establishes these payments is complex. There is a significant backlog of claims that DVA is required to process. Additionally, the recommendations made in the interim report of the Royal Commission into Defence and Veterans’ Suicide have resulted in changes to manage the backlog with the aim of having the backlog cleared by 31 March 2024;
• the reliance on external information and shared service arrangements, including IT systems, for making decisions for personal benefits and health care payments; and
• the complexity of, and significance of the judgements required, to determine the valuation of key financial balances including the provision for military compensation. The calculation of these estimates relies on the extraction and generation of quality data from multiple systems and the use of actuarial assumptions relating to future events.

Key areas of financial statements risk

3.6.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.6.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DVA’s financial statements.

3.6.7  Figure 3.6.3 and Figure 3.6.4 below show the key financial statements items reported by DVA and the key areas of financial statements risk.

Figure 3.6.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DVA’s revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.6.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DVA’s revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.6.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.6.1.

Table 3.6.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.6.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; supplier expenses; employee benefits and personal benefit and health care payments.

3.6.10  Audit procedures relating to: an assessment of IT general and application controls; accuracy of personal benefit and health care payments including payments to public and private hospitals and valuation of the personal benefits and health care (military compensation) provision will be undertaken as part of the 2023–24 final audit.

Audit findings

3.6.11  Table 3.6.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.6.2: Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.6.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.6.13  The following section provides an overview of significant and moderate audit findings.

Unresolved moderate audit findings

Security governance – monitoring implementation of controls

3.6.14  During the 2021–22 audit, the ANAO noted instances that indicated DVA’s governance and monitoring processes were not fully effective to address identified business risks. The ANAO recommended an effective governance and assurance framework be developed over security governance to ensure controls were implemented and operating effectively.

3.6.15  At the completion of the 2023–24 interim audit, DVA had documented the IT controls in place. This needs to be extended to document the processes in place to continuously validate that the controls, managed by both DVA and Services Australia, continue to operate effectively to support business processes.

3.6.16  The ANAO will focus on the action taken by DVA in response to this finding as part of the 2023–24 final audit.

Process Direct security risk management

3.6.17  During the 2020–21 audit, the ANAO identified weaknesses relating to the management of security risks as part of an upgrade to Process Direct implemented in November 2020. The ANAO recommended that DVA address the self-identified security risks when implementing the system.

3.6.18  DVA affirmed that accreditation of Process Direct was finalised in August 2021 and all required security documentation developed. The ANAO’s inspection of the accreditation documents, including the Process Direct System Security Plan, identified that two of the three self-identified risks remained untreated. DVA acknowledged that the untreated risks were accepted when the interim approval to operate was issued.

3.6.19  As part of the 2023–24 interim audit, DVA has approved an updated Interim Authority to Operate for Process Direct which included a risk assessment and a targeted risk remediation plan. The Interim Authority to Operate highlighted three unmitigated high risks relating to Process Direct. The ANAO noted that one of these risks was planned to be remediated during February 2024 while the treatments for other two risks are currently being developed by DVA.

3.6.20  The ANAO will focus on the action taken by DVA in response to this finding as part of the 2023–24 final audit.

Conclusion

3.6.21  At the completion of the interim audit, and except for the two moderate audit findings reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.6.22  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DVA to address the weaknesses identified.

3.7 Department of Education

Overview

3.7.1  Education contributes to Australia’s economic prosperity and social wellbeing by creating opportunities and driving better outcomes through access to quality education. Investment in early childhood, schools, youth and higher education creates the foundation for a resilient and equitable society. The department aims to deliver an education system that is inclusive, accessible, and affordable for all Australians.

3.7.2  Education’s main source of funding is from appropriations.

Key financial statements items

3.7.3  Figure 3.7.1 and Figure 3.7.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.7.1: Key departmental financial statements items

Source: Education’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.7.2: Key administered financial statements items

Source: Education’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.7.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating include:

• administering a range of complex legislation and programs, including significant payments to schools, universities and other education providers. In order to make these payments there is reliance by Education on a complex IT environment;
• a significant audit finding first reported in the 2022–23 audit relating to weaknesses in Education’s financial statements preparation processes with respect to consideration of legal matters;
• the separation of the Department of Employment and Workplace Relations (DEWR) from the shared financial management information system (FMIS) and human resources information management system (HRMIS) arrangements; and
• material balances reliant upon estimates reported in the financial statements, with significant judgment involved in the selection of appropriate inputs and assumptions. This includes reliance on third parties to process and provide accurate and complete information these balances.

Key areas of financial statements risk

3.7.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Education’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Education’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.7.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Education’s financial statements.

3.7.7  Figure 3.7.3 and Figure 3.7.4 below show the key financial statements items reported by Education and the key areas of financial statements risk.

Figure 3.7.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Education’s revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.7.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Education’s revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.7.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.7.1.

Table 3.7.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.7.9  The ANAO has completed components of its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents, employee and grants expenses.

3.7.10  Audit procedures relating to: IT general and application controls on key business systems; appropriations (including special accounts and special appropriations); review and assessment of year-end estimate balances relating to HESP and HELP; childcare subsidies; grants expenses; administered investments; and compliance programs will be undertaken as part of the 2023–24 final audit.

Audit findings

3.7.11  Table 3.7.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO. As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

Table 3.7.2: Status of audit findings raised by the ANAO

Note a: The previously reported significant audit finding relating to Governance – legal and other matters has been reduced to a moderate audit finding as part of the 2023–24 interim audit (refer to paragraphs 3.7.14 to 3.7.19).

Source: ANAO 2023–24 interim audit results.

3.7.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.7.13  The following section provides an overview of significant and moderate audit findings.

Reduced significant audit finding

Governance – legal and other matters

3.7.14  As part of the financial statements audit process, the ANAO requests that Education provides access to all information, such as records and documentation and other matters, of which Education is aware of and that is relevant to the financial statements preparation process.

3.7.15  During the 2022–23 audit, the ANAO became aware of legal matters from a source other than Education that had not been considered in the preparation of the financial statements, nor advised to the ANAO by Education. One of these matters resulted in a late adjustment to the financial statements.

3.7.16  During the 2023–24 interim audit, Education has implemented a new process for the identification and timely communication of significant legal non-compliance. This report is periodically provided to senior executives, the audit committee and Risk, Security and Governance Committee. Underpinning the significant legal non-compliance reporting is the significant legal non-compliance protocol which establishes clear process and accountabilities for the determination, monitoring and reporting significant legal non-compliance.

3.7.17  Education has also commenced work with Services Australia to develop a Statement of Intent which will see the Chief Financial Officers of both entities providing quarterly advice on legal and other matters which may have impacts on Education’s operations.

3.7.18  As a result of the action taken by Education, the ANAO has reduced the finding from significant to moderate at the completion of the 2023–24 interim audit.

3.7.19  The ANAO will review further action taken by Education in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit findings

User access removal

3.7.20  The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to control access to systems, networks, and applications. The requirement includes removing system access from employees and contractors without an operational need for access to IT resources.

3.7.21  During the 2021–22 audit of the former Department of Education, Skills and Employment the ANAO identified instances where users had accessed the former systems after completion of their employment or contract. The ANAO noted that there were delays in completion of Exit Advice Notification which triggers a number of actions across Education, including the termination of access to ICT networks and systems.

3.7.22  At the completion of the 2023–24 interim audit, Education advised the ANAO that the implementation of additional controls to address the audit finding were expected to be in place by the end of April 2024. The ANAO will test the operating effectiveness of the revised controls as part of the 2023–24 final audit.

Management of intangible assets

3.7.23  Education has implemented a number of intangible assets that support its administered programs, with these systems undergoing continuous enhancements and upgrades to support changes in programs.

3.7.24  As part of the 2022–23 audit, the ANAO noted a number of assets under construction which had not been appropriately assessed for impairment or recognising the assets in use as at 30 June 2023 in accordance with Australian Accounting Standards. As a result, Education subsequently reviewed these assets and made material adjustments to the financial statements.

3.7.25  At the completion of the 2023–24 interim phase, Education had updated its processes and policies to support enhanced management of Education’s intangible assets and projects. However, areas have been identified by the ANAO for which Education will be required to strengthen these processes. This includes formalising the review of all assets under construction to assess their status on an ongoing basis.

3.7.26  The ANAO will focus on the action taken by Education in response to this finding as part of the 2023–24 final audit.

Conclusion

3.7.27  At the completion of the 2023–24 interim audit, and except for the three moderate audit findings reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Education will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.7.28  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by Education to address the weaknesses identified.

3.8 Department of Employment and Workplace Relations

Overview

3.8.1  DEWR is the lead entity in the portfolio and is responsible for ensuring Australians can experience the social well-being and economic benefits that training and employment provide. DEWR is also responsible for workplace relations and work health and safety, rehabilitation and compensation.

3.8.2  DEWR’s main source of funding is from appropriations.

Key financial statements items

3.8.3  Figure 3.8.1 and Figure 3.8.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.8.1: Key departmental financial statements items

Source: DEWR’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.8.2: Key administered financial statements items

Source: DEWR’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.8.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are: administering and regulating a complex legislative framework that underpins various significant payments; and material balances reliant upon estimates reported in the financial statements, with significant judgment involved in the selection of appropriate inputs and assumptions.

Key areas of financial statements risk

3.8.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the DEWR’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DEWR’S environment and governance arrangements, including its financial reporting regime and system of internal control.

3.8.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DEWR’s financial statements.

3.8.7  Figure 3.8.3 and Figure 3.8.4 below show the key financial statements items reported by DEWR and the key areas of financial statements risk.

Figure 3.8.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.8.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.8.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.8.1.

Table 3.8.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.8.9  The ANAO has completed components of its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; supplier expenses; employee benefits expenses; apprenticeships payments; Fair Entitlements Guarantee payments; Workforce Australia payments; and VSL payments. Audit coverage also included an assessment of the IT general controls over the financial management information system.

3.8.10  Audit procedures relating to: IT application controls on key IT systems supporting the financial statements; review and assessment of the year-end VSL and AASL loan balances; administered grants; administered investments and compliance programs; non-financial assets; and employee benefits will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.8.11  Table 3.8.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.8.2: Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.8.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.8.13  The following section provides an overview of significant and moderate audit findings.

Unresolved moderate audit finding

Removal of user access

3.8.14  The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to control access to systems, networks, and applications. The requirement includes removing system access from employees and contractors without an operational need for access to IT resources.

3.8.15  During the 2021–22 audit of the former Department of Education, Skills and Employment the ANAO identified instances where users had accessed the former systems after completion of their employment or contract. The ANAO noted that there were delays in completion of Exit Advice Notification which triggers a number of actions across the department, including the termination access to ICT networks and systems.

3.8.16  As part of the 2023–24 interim audit, the ANAO has assessed DEWR’s progress in addressing the weaknesses identified. In April 2024, DEWR advised the ANAO that it is implementing a number of new controls to mitigate the control deficiency which are expected to be in place by the end of April 2024. The ANAO will test the operating effectiveness of the revised controls as part of the 2023–24 final audit.

Conclusion

3.8.17  At the completion of the 2023–24 interim audit, and except for the moderate audit finding reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DEWR will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.8.18  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DEWR to address the weaknesses identified.

3.9 Department of Finance

Overview

3.9.1  Finance is responsible for supporting the government’s budget process and the development and implementation of the government’s regulatory frameworks for public sector resource management, governance and accountability. Finance is also responsible for the preparation of the Australian Government’s consolidated financial statements. Finance provides shared services through the Service Delivery Office.

3.9.2  From 1 July 2023, Machinery of Government changes transferred the responsibility for digital, data and regulatory reform from the Digital Transformation Agency to Finance. On 1 October 2023, legislation passed by the Australian Government took effect and included a transfer of responsibility of providing human resource advice and assistance to parliamentarians and Members of Parliament (Staff) Act 1984 employees to the Parliamentary Workplace Support Service (PWSS). The Parliamentary Workplace Support Service Commencement Proclamation 2023 was issued by the Governor-General on 28 September 2023.

3.9.3  The Machinery of Government changes: A guide for entities — November 2021 (the Guide), jointly issued by the Australian Public Service Commission and the Department of Finance provides that where a completion date is not specified in relation to a Machinery of Government change, entities are expected to complete changes within 13 weeks from the date of effect. At the conclusion of 2023–24 interim phase, the Machinery of Government with Parliamentary Workplace Support Service has not been completed.

3.9.4  Finance’s main source of funding is from appropriations.

Key financial statements items

3.9.5  Figure 3.9.1 and Figure 3.9.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.9.1: Key departmental financial statements items

Source: Finance’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.9.2: Key administered financial statements items

Source: Finance’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.9.6  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are: the complexity of key accounting balances, estimates and judgements that impact the financial statements; and the significance of the administered schedule of financial position to the Australian Government financial statements.

Key areas of financial statements risk

3.9.7  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.9.8  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Finance’s financial statements.

3.9.9  Figure 3.9.3 and Figure 3.9.4 below show the key financial statements items reported by Finance and the key areas of financial statements risk.

Figure 3.9.3: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Finance’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.9.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Finance’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.9.10  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.9.1.

Table 3.9.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

Risks and findings identified in ANAO performance audits

3.9.11  The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 12 of 2023–24 Administration of the Parliamentary Expenses Management System was tabled in January 2024 and is relevant to the financial management or administration of Finance.

3.9.12  This audit found that Finance was partly effective in implementing the Parliamentary Expenses Management System (PEMS), the IT system for parliamentarians, their staff and administering agencies to claim and process office, travel expenses and administer payroll services. As explained in Table 3.9.1, the ANAO identifies the accuracy of employee expenses and valuation of provisions for members of Parliament and their staff as a key area of risk.

What were the results identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.9.13  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: employee and supplier expenditure (including members of Parliament and their staff); appropriations and special accounts; and asset and cash management. The interim audit coverage also included an assessment of IT general and application controls relating to the Service Delivery Office.

3.9.14  Audit procedures relating to: the valuation of the insurance provision, superannuation provision, collective investment vehicles, land and buildings (including investment properties) and provisions relating to members of Parliament and their staff will be undertaken as part of the 2023–24 final audit.

Audit findings

3.9.15  At the completion of the 2023–24 interim audit, the ANAO has not identified any new significant or moderate audit findings.

Conclusion

3.9.16  Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.10 Future Fund Management Agency

Overview

3.10.1  The Future Fund is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance. The investment of the funds is managed under the Disability Care Australia Fund Act 2013; the Medical Research Future Fund Act 2015; the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018; the Future Drought Fund Act 2019; the Disaster Ready Fund Act 2019; and the Housing Australia Future Fund Act 2023 as a means to provide financing sources for substantial future investments in the Australian economy.

3.10.2  The Future Fund does not receive any appropriation funding. The operational functions of the Future Fund are funded from earnings (including dividends, franking credits, distributions and interest income) from the assets of the investment funds which the Future Fund manages.

Key financial statements items

3.10.3  Figure 3.10.1 and Figure 3.10.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.10.1:  Key departmental financial statements items

Source: The Future Fund’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.10.2:  Key administered financial statements items

Source: The Future Fund’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.10.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• the valuation of investments made by the Future Fund, due to the size of the private market investment portfolio and the inherent subjectivity and significance of judgements and estimates required where market data is not available to determine the fair value of these investments;
• the relative size of the Future Fund and the other investment funds under management to the Australian Government’s financial position; and
• the extensive use of third parties, particularly reliance on the valuation undertaken by the investment custodian.

Key areas of financial statements risk

3.10.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of the Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.10.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of the Future Fund’s financial statements.

3.10.7  Figure 3.10.3 and Figure 3.10.4 below show the key financial statements items reported by the Future Fund’s and the key areas of financial statements risk

Figure 3.10.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.10.4: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.10.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.10.1.

Table 3.10.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.10.9  The ANAO has completed its interim audit coverage, including an assessment of the controls relating to: the management of investments; monitoring of third parties; and operational expenses incurred by the Future Fund.

3.10.10  Audit procedures relating to the valuation of investments, including the assessment of controls that reside within the investment custodian, will be undertaken as part of the 2023–24 final audit.

Audit findings

3.10.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified.

Conclusion

3.10.12  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.11 Department of Foreign Affairs and Trade

Overview

3.11.1  DFAT is responsible for the administration of Australia’s foreign, trade, international development and international security policies.

3.11.2  DFAT’s main source of funding is from appropriations.

Key financial statements items

3.11.3  Figure 3.11.1 and Figure 3.11.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.11.1:  Key departmental financial statements items

Source: DFAT’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.11.2:  Key administered financial statements items

Source: DFAT’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.11.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• the complexity of DFAT’s business operations, particularly in relation to a decentralised control framework supporting post operations, which includes different IT support systems and a variety of locally engaged staff enterprise arrangements;
• the current economic environment and valuation methodology used to determine the fair value of land and buildings recognised in the departmental financial statements, which is underpinned by significant professional judgement and estimation; and
• reliance on third parties for the provision of services associated with the delivery and maintenance of the overseas property portfolio and provision of international development assistance.

Key areas of financial statements risk

3.11.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.11.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DFAT’s financial statements.

3.11.7  Figure 3.11.3 and Figure 3.11.4 below show the key financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 3.11.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.11.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.11.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.11.1.

Table 3.11.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.11.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: quality assurance processes relating to leases; employee payroll processing relating to Australian Public Service (APS) employees; cash and cash equivalents; international development assistance expenses; and supplier expenses.

3.11.10  Audit procedures relating to: non-financial assets; overseas-based non-APS employees; and passport revenue will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.11.11  Table 3.11.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.11.2:  Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.11.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.11.13  The following section provides an overview of moderate audit findings.

Unresolved moderate audit finding

Administration of international development assistance payments

3.11.14  The international development assistance funding is highly decentralised across numerous geographies, covering various industry sectors. DFAT has a centralised framework in place that underpins international development assistance programs. This is supplemented by additional processes and controls that are implemented at a post or program level that are designed to specifically respond to the risks and circumstances affecting that particular region, industry sector or program.

3.11.15  During the 2022–23 audit, the ANAO identified that there was an inconsistent application of DFAT’s centralised framework for administrating international development assistance payments across individual programs. Specifically, there are varying degrees of validation conducted by DFAT staff with respect to payments for cost reimbursements. This increased the risk that payments may be made for goods or services not received. The ANAO recommended that DFAT revise its guidelines and implement additional controls to mitigate the identified risks to an acceptable level.

3.11.16  DFAT has implemented an interim validation process, training and other initiatives to respond to the risks identified in the finding. Following an evaluation of the interim validation process, DFAT have advised the ANAO that they intend to implement a new control framework in July 2024. The ANAO will focus on the action taken by DFAT in response to this finding as part of the 2023–24 final audit.

Conclusion

3.11.17  At the completion of the interim audit, and except for the moderate audit finding reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.11.18  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DFAT to address the weakness identified.

3.12 Department of Health and Aged Care

Overview

3.12.1  DoHAC is responsible for achieving the Australian Government’s health outcomes in the areas of health system policy, design and innovation; health access and support services; sport and recreation; individual health benefits; regulation, safety and protection; and ageing and aged care. This includes administering programs and services, such as Medicare and the Pharmaceutical Benefits Scheme, and forming partnerships with the states and territories, as well as other stakeholders.

3.12.2  DoHAC’s main source of funding is from appropriations.

Key financial statements items

3.12.3  Figure 3.12.1 and Figure 3.12.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.12.1:  Key departmental financial statements items

Source: DoHAC’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.12.2:  Key administered financial statements items

Source: DoHAC’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.12.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• the complexity of the environment in which DoHAC operates, with a public health system jointly administered by the Commonwealth and the states and territories;
• the broad range and complex environment in which health and aged care is regulated;
• the diversity and complexity of programs administered by DoHAC;
• the high number of enterprise level risks that have implications on the financial statements.

Key areas of financial statements risk

3.12.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact DoHAC’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DoHAC’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.12.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DoHAC’s financial statements.

3.12.7  Figure 3.12.3 and Figure 3.12.4 below show the key financial statements items reported by DoHAC and the key areas of financial statements risk.

Figure 3.12.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DoHAC’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.12.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DoHAC’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.12.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.12.1.

Table 3.12.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

Risks and findings identified in ANAO performance audits

3.12.9  The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2023–24 relevant to the financial management or administration of DoHAC:

• Auditor-General Report No. 3 2023–24 Management of Non-Compliance with the Therapeutic Goods Act 1989 for Unapproved Therapeutic Goods;
• Auditor-General Report No. 8 2023–24 Design and Early Implementation of Residential Aged Care Reforms; and
• Auditor-General Report No. 19 2023–24 Effectiveness of the Department of Health and Aged Care’s Performance Management of Primary Health Networks.

3.12.10  The observations included in these reports were considered in designing audit procedures that address the key areas of financial statements risk detailed above in Table 3.12.1 relating to aged care subsidies and expenses and personal benefit expenses.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.12.11  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT security, change management and application controls in the financial management and human resource information systems; and the accuracy of personal benefits health care entitlements. Substantive testing has also been performed in relation to grants expenses.

3.12.12  Audit procedures relating to other key areas of financial statements risk, including: the accuracy of aged care subsidies; the valuation of inventories; and the valuation of the personal benefits provision will be undertaken as part of the 2023–24 final audit.

Audit findings

3.12.13  Table 3.12.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.12.2:  Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to governance – legislative compliance, legal matters and legal advice was identified during the 2022–23 audit. This audit finding was reduced to a moderate audit finding during the 2023–24 interim audit (refer to paragraphs 3.12.16 to 3.12.20)

Source: ANAO 2023–24 interim audit results.

3.12.14  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.12.15  The following section provides an overview of significant and moderate audit findings.

Reduced significant audit finding

Governance – legislative compliance, legal matters and legal advice

3.12.16  As part of the financial statements audit process, the ANAO requests that DoHAC provides access to all information, such as records and documentation and other matters, of which DoHAC is aware that is relevant to the preparation of the financial statements and additional information that the ANAO requests from DoHAC for the purpose of the audit. The request includes that DoHAC has disclosed to the ANAO all known instances of non-compliance or suspected non-compliance with laws and regulations, whose effects should be considered in the preparation of DoHAC’s financial statements. This includes all known potential and actual breaches of section 83 of the Constitution.

3.12.17  The ANAO was provided with evidence that legal advice was sought by Services Australia and DoHAC regarding the payment of residential aged care subsidies in August 2022. This advice was not considered by DoHAC in the preparation of the 2021–22 financial statements. The ANAO was not advised that this advice had been sought by Services Australia on behalf of DoHAC. This weakness in internal control increased the risk that matters that may affect the financial statements were not appropriately considered in the preparation of the financial statements.

3.12.18  The ANAO has received and reviewed evidence that DoHAC has:

• developed a significant non-compliance guidance document to assist officials within DoHAC with identifying, classifying and reporting of non-compliance and clarify the associated notification and disclosure requirements where non-compliance is deemed significant;
• updated the Accountable Authority Instructions to include a requirement that where an official receives a copy of legal advice obtained and/or produced by another agency about departmental legislation, the official must, as soon as is reasonably practicable, provide a copy of that advice to the relevant legal area;
• formalised quarterly meetings between DoHAC’s Legal and Assurance division and Service Australia’s legal team with agendas being set and minutes prepared. The topic of significant matters that could have a financial impact has been included as a standing agenda item. The Legal and Assurance Division provides DoHAC’s Chief Financial Officer with the minutes and a summary of actual or potential section 83 breaches and other potentially relevant matters; and
• facilitated regular formal engagement, collaboration and issues management between DoHAC and Services Australia through the Strategic Business Committee (the Committee). The Committee is comprised of senior representatives from Services Australia and DoHAC. DoHAC’s Chief Financial Officer and Deputy Chief Financial Officer joined as members of the Committee during 2023–24.

3.12.19  At the conclusion of the 2023–24 interim audit this finding has been reduced to a moderate audit finding as a result of DoHAC’s progress in addressing the recommendations However, DoHAC has yet to finalise a risk assessment of programs in relation to compliance with legislative requirements, including section 83 breaches. Additionally, for those programs identified as having a higher risk of non-compliance with legislative requirements, DoHAC has yet to conduct further work to ensure payments to recipients are compliant.

3.12.20  The ANAO will review further action taken by DoHAC in response to this finding as part of the 2023–24 final audit.

Resolved moderate audit finding

Commonwealth Home Support Programme – Compliance Program

3.12.21  The Commonwealth Home Support Programme (CHSP) supports older Australians with complex needs to stay at home and access affordable and coordinated care services such as light gardening, bathing, nursing, health therapies and meal preparation. At 30 June 2023, the personal benefits reported in connection with home care packages totalled $5.2 billion. There are three parties involved in the delivery of the CHSP:

• DoHAC reviews the program to ensure that it continues to meet the changing needs of Australia;
• Services Australia administers payments to providers, adjusting fee, subsidy and supplement rates and provides online claiming services for providers; and
• the Aged Care Quality and Safety Commission assesses and monitors home care services to makes sure they meet quality standards and resolves complaints concerning these services.

3.12.22  In 2021–22, the ANAO reported a minor audit finding in relation to the CHSP compliance program. The ANAO recommended that DoHAC, in conjunction with the other entities involved in the delivery of the CHSP, agree and document the roles and responsibilities of each entity in relation to the CHSP.

3.12.23  During the 2022–23 audit, the ANAO continued to assess the processes implemented by management in response to the minor audit finding raised. Sufficient progress had not been made by DoHAC to address the weaknesses identified. In the absence of effective monitoring controls, there was an increased risk that payments made were not appropriate and were not in accordance with the Aged Care Act 1997. As a result, the ANAO upgraded this finding to a moderate audit finding.

3.12.24  At the completion of the 2023–24 interim audit, the ANAO has reviewed evidence that DoHAC, in conjunction with the other agencies, has agreed and appropriately documented the roles and responsibilities of each agency in relation to the CHSP.

Conclusion

3.12.25  At the completion of the interim audit, and except for the moderate audit finding reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DoHAC will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.12.26  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DoHAC to address the weaknesses identified.

3.13 Department of Home Affairs

Overview

3.13.1  Home Affairs’ coordinates policy and operations for Australia’s national and transport security, cyber security, immigration, border security, multicultural affairs, counter-terrorism and customs-related functions.

3.13.2  Home Affairs’ main source of funding is from appropriations.

Key financial statements items

3.13.3  Figure 3.13.1 and Figure 3.13.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.13.1:  Key departmental financial statements items

Source: Home Affairs’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.13.2:  Key administered financial statements items

Source: Home Affairs’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.13.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• high value of customs revenue, geographically dispersed operations and level of reliance on IT systems in managing programs and collecting revenue;
• management of a number of high value contracts and payments for service delivery, including detention centres and regional processing centres, and development and construction of IT and other assets; and
• the nature of the operating environment of Home Affairs including management of people and goods across Australia’s borders.

Key areas of financial statements risk

3.13.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control.

3.13.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Home Affairs’ financial statements.

3.13.7  Figure 3.13.3 and Figure 3.13.4 below show the key financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.13.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.13.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.13.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.13.1.

Table 3.13.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.13.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT general controls for key IT systems supporting financial management and revenue collection; non-financial assets; employee and supplier expenses (including expenses incurred in the management of the detention and regional processing network).

3.13.10  Audit procedures relating to the: design and implementation of customs duty revenue compliance programs (including risk treatment strategies); controls and testing relating to customs duty revenue, visa application charges, valuation of non-financial assets and employee provisions will be undertaken as part of the 2023–24 final audit.

Audit findings

3.13.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. One minor finding was resolved and two minor audit findings were unresolved.

Conclusion

3.13.12  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.14 Department of Industry, Science and Resources

Overview

3.14.1  Industry is responsible for supporting a productive, resilient, and sustainable economy that is enriched by science and technology. It does this by growing innovative and competitive businesses, industries and regions, and supporting a strong resources sector.

3.14.2  Industry offers a grants hub and shared services centre which provides other Commonwealth entities with administrative support including grants administration and payments processing; human resources and financial transactions processing and the provision of management information systems supporting these processes.

3.14.3  Industry’s main source of funding is from appropriations. Industry also receives funding from own-sourced revenue for the provision of grants administration services, measurement services and products, shared services, and educational services.

Key financial statements items

3.14.4  Figure 3.14.1 and Figure 3.14.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.14.1:  Key departmental financial statements items

Source: Industry’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.14.2:  Key administered financial statements items

Source: Industry’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.14.5  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are the size and complexity of Industry’s activities and programs.

Key areas of financial statements risk

3.14.6  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.14.7  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Industry’s financial statements.

3.14.8  Figure 3.14.3 and Figure 3.14.4 below show the key financial statements items reported by Industry and the key areas of financial statements risk.

Figure 3.14.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Industry’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.14.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Industry’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.14.9  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.14.1.

Table 3.14.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

Risks and findings identified in ANAO performance audits

3.14.10  The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 5 2023–24 Trade Measurement Compliance Activities was tabled in September 2023 and is relevant to the financial management or administration of Industry. The observations of this report were considered in designing audit procedures relating to the recognition of revenue arising from the operations of the National Measurement Institute (which is part of Industry).

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.14.11  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT general and applications controls for key financial and human resource management systems; employee and supplier expenditure; appropriations and special accounts; cash and cash equivalents; and royalties’ revenue.

3.14.12  Audit procedures relating to: the completeness and accuracy of royalties; the valuation of administered investments; and the rehabilitation provision will be undertaken as part of the 2023–24 final audit.

Audit findings

3.14.13  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. Three minor audit findings were unresolved.

Conclusion

3.14.14  Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.15 Department of Infrastructure, Transport, Regional Development, Communications and the Arts

Overview

3.15.1  Infrastructure is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; providing advice on population policy; implementing the national policy on cities; and promoting an innovative and competitive communications sector. Infrastructure also promotes participation in and access to Australia’s arts and culture through developing and supporting cultural expression and supports governance arrangements in the Australian territories.

3.15.2  Infrastructure’s main source of funding is from appropriations.

Key financial statements items

3.15.3  Figure 3.15.1 and Figure 3.15.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.15.1:  Key departmental financial statements items

Source: Infrastructure’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.15.2:  Key administered financial statements items

Source: Infrastructure’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.15.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are the: complexity in accounting for some key balances; estimates and judgements that impact the financial statements; the administration of significant outlays on behalf of the Australian Government through grants and subsidies; and the significance of the Administered Balance Sheet to the Australian Government financial statements.

Key areas of financial statements risk

3.15.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.15.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Infrastructure’s financial statements.

3.15.7  Figure 3.15.3 and Figure 3.15.4 below show the key financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 3.15.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.15.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.15.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.15.1.

Table 3.15.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.15.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: non-financial assets; grants and supplier expenses. Interim audit coverage has also commenced testing of the IT general controls including security and change management processes relevant to the financial management information systems and human resources management information system.

3.15.10  Audit procedures relating to: valuation of administered investments and the valuation of other assets including non-financial assets and loans and advances will be undertaken as part of the 2023–24 final audit.

Audit findings

3.15.11  Table 3.15.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO. As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

Table 3.15.2:  Status of audit findings raised by the ANAO

Note a: The previously reported moderate audit finding relating to Departmental internally developed software has been reduced to a minor audit finding as part of the 2023–24 interim audit (refer to paragraphs 3.15.12 to 3.15.14).

Source: ANAO 2023–24 interim audit results.

Reduced moderate audit finding

Departmental internally developed software

3.15.12  During the 2022–23 audit, the ANAO identified that Infrastructure had recognised internally developed software that did not meet the criteria for recognition as an intangible asset in accordance with the relevant accounting standards which resulted in adjustments to the financial statements. The ANAO recommended that Infrastructure undertake a review of all intangible asset balances to confirm they meet the definition of intangible assets.

3.15.13  During 2023–24 interim audit, Infrastructure finalised a detailed review of the balance of internally developed software and implemented revised policies and processes that support the identification of the appropriate accounting treatment for software within the entity.

3.15.14  During the 2023–24 interim audit, the ANAO reviewed the results of the work undertaken by Infrastructure. The ANAO has determined that the finding had been substantially addressed and reduced to a minor finding. The ANAO will focus on the operating effectiveness of the revised processes for software during the final phase of the 2023–24 audit.

Unresolved moderate audit finding

Removal of user access

3.15.15  The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to control access to systems, networks, and applications. The requirement includes removing system access from employees and contractors without an operational need for access to IT resources.

3.15.16  During the 2021–22 audit, the ANAO identified that Infrastructure did not have sufficient controls in place to identify and perform timely investigations over access by users post cessation of their employment or contract. During the 2022–23 audit, ANAO identified an instance of users accessing Infrastructure’s systems post cessation.

3.15.17  At the time of the 2023–24 interim audit, Infrastructure made progress in addressing this finding by implementing a new control to identify user access post cessation and undertake investigation of any activity. However, the ANAO has identified weaknesses in the design of this control in completely identifying post cessation activity. Infrastructure has advised the ANAO that they will further enhance the design of the control. The ANAO will review the actions taken by Infrastructure during the 2023–24 final audit.

Conclusion

3.15.18  At the completion of the 2023–24 interim audit, and except for the moderate audit finding reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.15.19  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by Infrastructure to address the weaknesses identified.

3.16 Australian Postal Corporation

Overview

3.16.1  Australia Post is a government business enterprise responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

3.16.2  Australia Post does not receive any appropriation funding. The operational functions of Australia Post are funded from the following sources: revenue from parcel services; mail services; and retail, agency, and other services.

Key financial statements items

3.16.3  Figure 3.16.1 below provides a summary of the key financial statements items as reported in Australia Post’s 2022–23 annual report.

Figure 3.16.1:  Key financial statements items

Source: Australia Post’s 2022–23 audited financial statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.16.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are the complexity of Australia Post’s operations and ongoing reform agenda and the number of different revenue streams.

Key areas of financial statements risk

3.16.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.16.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Australia Post’s financial statements.

3.16.7  Figure 3.16.2 below shows the key financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 3.16.2:  Key financial balances and areas of financial statements risk

Source: ANAO analysis and Australia Post’s 2022–23 audited financial statements.

3.16.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.16.1.

Table 3.16.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.16.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: employee benefits; suppliers expenses; and goods and services income. In addition, audit procedures have been completed over cash and cash equivalents; trade and other receivables; property, plant and equipment; trade and other payables; and employee provisions. Interim coverage also included testing of the IT general controls and application controls of key systems supporting the financial statements.

3.16.10  Audit procedures relating the: valuation of unearned postage revenue, intangible assets goodwill and the net superannuation asset, will be completed as part of the 2023–24 final audit.

Audit findings

3.16.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. One minor audit finding was resolved.

Conclusion

3.16.12  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.17 NBN Co Limited

Overview

3.17.1  The primary objective of NBN Co is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

3.17.2  NBN Co does not receive any appropriation funding. The operational functions of NBN Co are funded from the following sources: telecommunications revenue; non-telecommunications revenue, including co-investments and grants; equity funding and borrowings from bank facilities and capital debt markets.

Key financial statements items

3.17.3  Figure 3.17.1 below provides a summary of the key financial statements items as reported in NBN Co’s 2022–23 annual report.

Figure 3.17.1:  Key financial statements items

Source: NBN Co’s 2022–23 audited financial statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.17.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• the ongoing investment in the build and transition to Fibre to the Premises (FTTP);
• the regulated nature of the industry in which NBN Co operates;
• NBN Co’s financial position. The entity is highly leveraged with exposure to external debt markets; and
• risks to NBN Co arising from technological changes.

Key areas of financial statements risk

3.17.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.17.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NBN Co’s financial statements.

3.17.7  Figure 3.17.2 below shows the key financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 3.17.2:  Key financial balances and areas of financial statements risk

Source: ANAO analysis and NBN Co’s 2022–23 audited financial statements.

3.17.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.17.1.

Table 3.17.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.17.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: revenue and receivables (telco and non-telco, including co-investment projects), purchases and payables; payroll; treasury, including derivatives and borrowings, non-financial assets, including lease management; and design and implementation of IT general and application controls.

3.17.10  Audit procedures relating to the key areas of risks and testing of IT general and application controls will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.17.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. Three minor audit findings were unresolved.

Conclusion

3.17.12  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.18 Department of Parliamentary Services

Overview

3.18.1  DPS is responsible for supporting the Parliament through the provision of a range of services, including library, research, Hansard, broadcasting, telecommunications, central computing, food and beverages, and building security and maintenance.

3.18.2  DPS’ main source of funding is from appropriations.

Key financial statements items

3.18.3  Figure 3.18.1 and Figure 3.18.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.18.1:  Key departmental financial statements items

Source: DPS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.18.2:  Key administered financial statements items

Source: DPS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.18.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as low.

Key areas of financial statements risk

3.18.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the DPS’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, and an understanding of DPS’ environment and governance arrangements, including its financial reporting regime and system of internal control.

3.18.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of the DPS’ financial statements.

3.18.7  Figure 3.18.3 and Figure 3.18.4 below show the key financial statements items reported by DPS and the key areas of financial statements risk.

Figure 3.18.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DPS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.18.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DPS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.18.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.18.1.

Table 3.18.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.18.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; non-financial assets; employee expenses; and revenue. In addition, the ANAO has commenced testing of IT general controls over the financial management and human resource management information systems.

3.18.10  Audit procedures relating to: valuation of non-financial assets; employee provisions and supplier expenses will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.18.11  At the completion of the 2023–24 interim audit, the ANAO has not identified any new significant or moderate audit findings.

Conclusion

3.18.12  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.19 Department of the Prime Minister and Cabinet

Overview

3.19.1  PM&C is responsible for providing advice to the Prime Minister, the Cabinet, portfolio ministers, and assistant ministers to improve the lives of all Australians, including through coordination of government activities, effective policy advice and development, and program delivery.

3.19.2  PM&C’s main source of funding is from appropriations.

Key financial statements items

3.19.3  Figure 3.19.1 and Figure 3.19.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.19.1:  Key departmental financial statements items

Source: PM&C’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.19.2:  Key administered financial statements items

Source: PM&C’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.19.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are: accounting for investments in Commonwealth corporate entities and companies; and shared services provided to the National Indigenous Australians Agency and other entities.

Key areas of financial statements risk

3.19.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact PM&C’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of PM&C’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.19.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of PM&C’s financial statements.

3.19.7  Figure 3.19.3 and Figure 3.19.4 below shows the key financial statements items reported by PM&C and the key areas of financial statements risk.

Figure 3.19.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.19.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.19.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.19.1.

Table 3.19.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.19.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of controls relating to: IT general controls for the finance and human resource management information systems; cash and cash equivalents; and suppliers, grant and employee expenses.

3.19.10  Audit procedures relating to: IT application controls; administered investments; employee benefits provisions; and non-financial assets will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.19.11  Table 3.19.1 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.19.2:  Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.19.12  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.19.13  The following section provides an overview of moderate audit findings.

Unresolved moderate audit finding

Removal of user access

3.19.14  The PSPF helps Australian Government entities to protect their people, information and assets. PSPF Policy 14 requires personnel’s access to be removed upon separation or transfer from the entity. Inadequate security measures for timely removal of access from former personnel increase the risk of unauthorised access to sensitive information.

3.19.15  During the 2022–23 audit the ANAO identified instances where users had accessed PM&C’s systems after completion of their employment or contract. The ANAO noted that investigation of post termination access was not always timely.

3.19.16  At the completion of the 2023–24 interim audit, PM&C advised the ANAO that remedial actions were underway but had not been completed. The ANAO will focus on the actions taken by PM&C in response to this finding as part of the 2023–24 final audit.

Conclusion

3.19.17  At the completion of the interim audit, and except for the moderate audit finding reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.19.18  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by PM&C to address the weaknesses identified.

3.20 National Indigenous Australians Agency

Overview

3.20.1  NIAA is responsible for policy oversight in relation to the Indigenous agencies in the Prime Minister and Cabinet portfolio.

3.20.2  NIAA’s main source of funding is from appropriations.

Key financial statements items

3.20.3  Figure 3.20.1 and Figure 3.20.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.20.1:  Key departmental financial statements items

Source: NIAA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.20.2:  Key administered financial statements items

Source: NIAA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.20.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• decentralised processing and monitoring of grant programs and operations across Australia;
• risks associated with the administration and integrity of the Community Development Program; and
• NIAA’s reliance on the systems managed by other agencies.

Key areas of financial statements risk

3.20.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the NIAA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of the NIAA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.20.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NIAA’s financial statements.

3.20.7  Figure 3.20.3 and Figure 3.20.4 below show the key financial statements items reported by NIAA and the key areas of financial statements risk.

Figure 3.20.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.20.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.20.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.20.1.

Table 3.20.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.20.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of: IT general controls for financial and human resources management systems; controls relating to cash and cash equivalents; supplier expenses; and reconciliations between the NIAA financial system and systems operated by third party service providers.

3.20.10  Audit procedures, including IT application controls, relating to: grants expenses; compliance by CDP providers; non-financial assets; and employee expenses will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.20.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. One new minor audit finding was identified and one minor audit finding was unresolved.

Conclusion

3.20.12  Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NIAA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.21 Department of Social Services

Overview

3.21.1  DSS is responsible for social security, families and communities, disability and carers, and housing. DSS works in partnership with other government and non-government organisations on a range of policies, programs and services focused on improving the wellbeing of people and families in Australia.

3.21.2  Services Australia processes the social services payments that are within DSS’ responsibility. DSS processes grants payments itself and provide a grants administration facility to other Commonwealth entities.

3.21.3  DSS’ main source of funding is from appropriations.

Key financial statements items

3.21.4  Figure 3.21.1 and Figure 3.21.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.21.1:  Key departmental financial statements items

Source: DSS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.21.2:  Key administered financial statements items

Source: DSS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.21.5  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• improving governance and oversight within the portfolio following heightened public scrutiny and interest that DSS has been under as a result of the Robo-Debt Royal Commission and other reviews;
• the range and complexity of DSS’ operations, including a complex and outsourced IT environment;
• reliance on third parties to provide information that is critical to support payments made for personal benefits and grants; and
• significant judgements and assumptions made in the complex estimation process around the valuation of personal benefit provisions and receivables.

Key areas of financial statements risk

3.21.6  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact DSS’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of DSS’ environment and governance arrangements, including its financial reporting regime and system of internal control.

3.21.7  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DSS’ financial statements.

3.21.8  Figure 3.21.3 and Figure 3.21.4 below show the key financial statements items reported by the Department of Social Services and the key areas of financial statements risk.

Figure 3.21.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DSS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.21.4:   Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DSS’ 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.21.9  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.21.1.

Table 3.21.1: Table 3.21.1: Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

Risks and findings identified in ANAO performance audits

3.21.10  The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 4 2023–24 Accuracy and Timeliness of Welfare Payments was tabled in August 2023 and included observations relevant to the accuracy and occurrence of personal benefits expenses.

3.21.11  This report identified DSS’ and Services Australia’s management of welfare payment accuracy and timeliness was partly effective and scope existed for enhancement through a number of initiatives including: enhancing bilateral agreements, assurance arrangements and shared risk management; data collection that supports continuous improvement; and methodology for measuring timeliness is robust and neutrality of reporting.

3.21.12  The observations included in this report were considered in designing audit procedures that address the key areas of financial statements risk detailed above in Table 3.21.1 relating to accuracy and occurrence of personal benefits expenses. In addition, the ANAO will consider the impact of

3.21.13  The 2023–24 financial statements audit will consider the impact of any additional controls implemented by DSS in respect of the recommendations in the report as they are implemented.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.21.14  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT general controls over the financial, personal benefits and grant management information systems; and compliance and assurance processes relating to personal benefits and disability services. Audit procedures have also been completed for processes relating to: grants expenses; cash and cash equivalents; appropriations; special accounts; non-financial assets; employee and supplier expenses; and departmental revenue.

3.21.15  Audit procedures relating to the: valuation of personal benefit provisions and receivables; validity of personal benefit receivables; additional testing over grants payments, and IT application controls over the personal benefits and grant management information systems will be undertaken as part of the 2023–24 final audit.

Audit findings

3.21.16  Table 3.21.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.21.2:  Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to governance of legal and other matters was identified during the 2022–23 audit. This audit finding was reduced to a moderate audit finding at the 2023–24 interim phase (refer to paragraphs 3.21.19to 3.21.21).

Source: ANAO 2023–24 interim audit results.

3.21.17  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.21.18  The following section provides an overview of significant and moderate audit findings.

Reduced significant audit finding

Governance of legal and other matters

3.21.19  During the 2022–23 audit, the ANAO made requests for information relating to known or suspected instances of non-compliance with laws and regulations including legal matters, whose effects should be considered in the preparation of DSS’ financial statements. In July 2023, the ANAO became aware of a legal matter being managed by DSS that was the subject of an own-motion investigation by the Commonwealth Ombudsman into the practice of income apportionment for personal benefit payments. DSS had been aware of this legal matter for at least two years prior. This increased the risk that matters that may affect the financial statements are not appropriately considered in the preparation of the financial statements.

3.21.20  During 2023–34 DSS has finalised a legal risk management plan, revised legal risk framework reporting, established a new legal services protocol with Services Australia under the Bilateral Management Agreement, and now provides quarterly legal risk register reporting to its Audit and Risk Committee. DSS is also progressing a review of legal advice provided to the department, including assessment of what happens to legal advice once its provided, if the legal advice has not been followed and the reasons why.

3.21.21  At the conclusion of the 2023–24 interim audit, as a result of the actions taken and evidence provided to the ANAO by DSS, the finding has been reduced to a moderate finding. As part of the 2023–24 final audit, the ANAO will assess whether the improvements and new processes implemented by DSS have been operating effectively for the remainder of the financial year to support the preparation of financial statements which are free from material misstatement.

New moderate audit finding

Privileged User Management

3.21.22  Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

3.21.23  During the interim phase of the 2023–24 audit, the ANAO identified that the monitoring undertaken does not verify that the activities which are being performed by privileged are appropriate. This is a weakness in the monitoring of privileged user activities within the financial and human resources management information systems. This increases the risk that inappropriate or inaccurate undertaken by these users are not identified.

3.21.24  The ANAO has recommended that DSS regularly review and annually certify the currency of:

• a comprehensive risk assessment for privileged access;
• risk management strategies for identified risks; and
• results of risk strategy measures; and assessment and appropriate management of any residual risks.

3.21.25  The ANAO will review further action taken by DSS in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit finding

Removal of user access

3.21.26  The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to control access to systems, networks, and applications. The requirement includes removing system access from employees and contractors without an operational need for access to IT resources.

3.21.27  During the 2020–21 interim audit the ANAO identified weaknesses in user access termination processes in relation to the Human Resources Management Information System. The ANAO identified a number of instances where users continued to access systems for up to five days following separation from DSS.

3.21.28  During the 2022–23 audit, the ANAO identified eight instances where users had a last logon date after their termination date, with no evidence of the actions taken by DSS. DSS’ detective control processes did identify these terminations as having potentially accessed the DSS ICT environment post-termination, however there was no clear documentation that investigation had occurred at the time of the access.

3.21.29  The ANAO will focus on the actions taken by DSS to address this finding as part of the 2023–24 final audit.

Conclusion

3.21.30  At the completion of the interim audit, and except for the three moderate audit findings reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DSS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.21.31  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by DSS to address the weaknesses identified.

3.22 National Disability Insurance Agency

Overview

3.22.1  The NDIA was established under the National Disability Insurance Scheme Act 2013. The NDIA is responsible for delivering the National Disability Insurance Scheme (the Scheme). The Scheme is designed to provide individual control and choice in the delivery of reasonable and necessary supports; to improve the independence, and social and economic participation, of eligible people with disability, their families and carers; and to provide associated referral services and activities.

3.22.2  The NDIA has established arrangements with Services Australia for facilitating the information technology platforms for provider and participant payments, supplier payments and payroll processing under a service agreement.

3.22.3  The NDIA’s main source of funding is from appropriations. The NDIA also receives contributions to Scheme costs from State and Territory governments.

Key financial statements items

3.22.4  Figure 3.22.1 below provides a summary of the key 2023–24 financial statements items.

Figure 3.22.1:  Key financial statements items

Source: NDIA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.22.5  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• number of changes in key management positions over 2023–24 and 2022–23, particularly those officers charged with governance;
• the high level of scrutiny on the operations of NDIA by the Parliament and members of the public;
• complexity of decisions made by the NDIA as to the appropriate level of support required for a growing number of participants and the level of maturity of the NDIA’s compliance activities for Scheme access, plan approval and payments since implementation. Administration of the Scheme is supported by a complex and partially outsourced IT environment. NDIA are implementing a new customer relationship management (CRM) system during 2023–24;
• the significant number of recommendations relating to internal controls and management of fraud risks made by the ANAO in Auditor-General Report No. 43 of 2022–23 Effectiveness of the National Disability Insurance Agency’s management of assistance with daily life support, including the failure to fully implement seven prior ANAO audit recommendations.

Key areas of financial statements risk

3.22.6  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the NDIA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of NDIA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.22.7  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NDIA’s financial statements.

3.22.8  Figure 3.22.2 below shows the key financial statements items reported by NDIA and the key areas of financial statements risk.

Figure 3.22.2:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and NDIA’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.22.9  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.22.1.

Table 3.22.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.22.10  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash management, human resources information, provider and participant payment systems; compliance and business assurance processes relating to scheme access; and plan approval and claims processing. Audit procedures have also been completed for the processes relating to provider and participant claims, supplier expenses, leases and revenue.

3.22.11  Audit procedures relating to valuation of provider and participant provisions will be undertaken as part of the 2023–24 final audit.

Audit findings

3.22.12  Table 3.22.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.22.2:  Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.22.13  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.22.14  The following section provides an overview of moderate audit findings.

Unresolved moderate audit findings

Removal of user access

3.22.15  During the 2020–21 interim audit, the ANAO’s testing of user access found weaknesses in user access terminations processes. User accounts should be removed upon termination date as they no longer have a legitimate requirement to access the NDIA’s network.

3.22.16  The NDIA moved to a new ICT operating environment and created a new process to address this finding during the 2022–23, however there were weaknesses with the reporting used to detect potentially inappropriate activity.

3.22.17  During the 2023–24 interim audit, the NDIA advised the ANAO that they had remediated the weaknesses previously identified with reporting. The ANAO will consider the operating effectiveness of these controls as part of the 2023–24 final audit.

Privileged User Activity Monitoring – PACE

3.22.18  During the interim phase of the 2022–23 audit, the ANAO found that the NDIA did not have a formal process to review privileged user activity in the PACE system. The ANAO recommended that the NDIA should assess whether the real-time alert system meets the underlying business risks relating to privileged user access and implement a formal process to document the outcomes of alerts raised.

3.22.19  During the 2023–24 interim audit, the NDIA advised the ANAO that they had remediated this weakness by implementing a formal monitoring process over privileged user activity. The ANAO will consider the operating effectiveness of these controls as part of the 2023–24 final audit.

Conclusion

3.22.20  At the completion of the 2023–24 interim audit, and except for the two moderate audit findings reported, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that NDIA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.

3.22.21  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by NDIA to address the weaknesses identified.

3.23 Services Australia

Overview

3.23.1  Services Australia is part of the Social Services portfolio and is the Australian Government’s primary payment and service delivery provider. Services Australia delivers a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, child support services and a range of Information and Communication Technology functionalities for Australian Government departments and agencies. Further information is available from Services Australia’s website.

3.23.2  Services Australia’s main source of funding is from appropriations.

Key financial statements items

3.23.3  Figure 3.23.1 and Figure 3.23.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.23.1:  Key departmental financial statements items

Source: Services Australia’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.23.2:  Key administered financial statements items

Source: Services Australia’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.23.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are heightened public scrutiny and interest that Services Australia has been under as a result of the Robo-Debt Royal Commission and other public reviews; the role of Services Australia in delivery of the Australian Government’s social welfare and health benefits; and significant IT and legal governance findings reported at the conclusion of the 2022–23 audit (refer to paragraphs 3.23.15 to 3.23.24).

Key areas of financial statements risk

3.23.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact Services Australia’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance and performance statements audits and an understanding of Services Australia’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.23.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Services Australia’s financial statements.

3.23.7  Figure 3.23.3 and Figure 3.23.4 below shows the key financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 3.23.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.23.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.23.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.23.1.

Table 3.23.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.23.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: IT controls over security and change management of the financial management and human resource management systems; child support expenses and revenue; non-financial assets; and leases.

3.23.10  An assessment of the controls over social services and health related payments made by Services Australia on behalf of other Australian Government entities, including associated compliance and assurance activities, have commenced and will be finalised as part of the planned 2023–24 final audit.

3.23.11  Audit procedures relating to: valuation of child support receivables, employee provisions and non-financial assets, particularly intangibles will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.23.12  Table 3.23.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.23.2:  Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to governance of legal and other matters was identified during the 2022–23 audit. This audit finding was reduced to a moderate audit finding during the 2023–24 interim audit. Refer to paragraphs 3.23.15 to 3.23.17.

Note b: Two minor audit findings relating to Medicare Mainframe Passwords and User Access Management were combined and upgraded to a moderate audit finding during the 2023–24 interim audit phase. Refer to paragraphs 3.23.22 to 3.23.25).

Source: ANAO 2023–24 interim audit results.

3.23.13  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.23.14  The following section provides an overview of significant and moderate audit findings.

Reduced significant audit finding

Governance of legal and other matters

3.23.15  During the 2022–23 audit the ANAO made requests for information relating to known or suspected instances of non-compliance with laws and regulations including legal matters, Commonwealth Ombudsman or other Commonwealth reviews and Administrative Appeals Tribunals rulings. Evidence identified by the ANAO did not accord with management representations and additional audit work was required to be undertaken by the ANAO. A number of the matters identified impacted either Services Australia’s (child support) or other agencies’ financial statements including income apportionment (Department of Social Services), child care subsidy (Department of Education), aged care and Medicare issues (Department of Health and Aged Care).

3.23.16  Both the number of matters identified and the number of adjustments made to Services Australia’s and other agencies’ financial statements highlighted a significant failure of governance in the assessment and reporting of these matters. This matter was considered to pose a significant financial, business and reputational risk to Services Australia. The ANAO recommended that Services Australia design, implement and document a process to ensure legal or other matters are identified for consideration for their impact on the financial statements, and that all matters identified for consideration are communicated to the ANAO.

3.23.17  At the conclusion of the 2023–24 interim audit, Services Australia has designed and is implementing a comprehensive process which includes regular reporting on legal matters and review by the CFO, Audit and Risk committee and Executive Board. The ANAO considers the actions have mitigated some of the risks relating to this finding. As a result the ANAO has reduced the finding from significant to moderate at the conclusion of the interim audit.

3.23.18  The ANAO will review further action taken Services Australia in response to this finding as part of the 2023–24 final audit.

Unresolved significant audit finding

IT Governance

3.23.19  During the 2022–23 audit the ANAO examined controls around significant information technology (IT) systems used to support the preparation of the financial statements. This examination identified a significant audit risk in relation to the increasing number of issues in IT governance within Services Australia. In particular, the ANAO identified weaknesses in IT controls in the implementation of a large-scale IT roll-out for residential aged care and the re-emergence of a large number of individual control issues affecting change and access management and business operations. The volume of the findings identified indicates that Services Australia’s IT governance and monitoring processes are not providing appropriate assurance that policy requirements have been implemented and are operating effectively.

3.23.20  This matter is considered to pose a significant financial, business and reputational risk to Services Australia. The ANAO recommended that Services Australia’s IT governance and monitoring processes be reviewed to ensure they are fit for purpose and that identified deficiencies are appropriately reported and responded to.

3.23.21  At the conclusion of the 2023–24 interim audit, Services Australia advised the ANAO that remedial actions were in progress, but evidence for the completion of these actions had not yet been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

New moderate audit finding

Medicare Mainframe Passwords and User Access Management

3.23.22  During previous audits, the ANAO raised separate minor audit findings for issues relating to passwords and user access management for the Medicare Mainframe system (the Mainframe) and reported these to the accountable authority. These findings included:

• Services Australia did not identify and remove Mainframe users in a timely manner who no longer had a valid business case to have access to the Mainframe;
• access management processes were not being managed in accordance with Services Australia’s User Access for ICT Systems Policy;
• supporting evidence of approvals for access was not retained for all users;
• changes to user accounts were being actioned without appropriate supporting evidence of the required approval; and
• lack of documented processes around how internal and external staff authenticate to the Mainframe.

3.23.23  These weaknesses reduce Services Australia’s ability to rely on the Mainframe’s underlying data, including data that is used to support the financial statements.

3.23.24  At the conclusion of the 2023–24 interim audit, Services Australia advised the ANAO that remediation actions were underway for the minor findings previously identified, but had yet to be completed. While the ANAO noted that Services Australia has implemented an automated process for creating standard users in the mainframe, a clear and documented process is not in place for non-standard users and the maintenance of existing users within the system, which continues to pose risk.

3.23.25  As a result of the unaddressed findings and recommendations, and the potential risks and impacts on the financial statements, the ANAO has combined these findings and upgraded the findings to a moderate level. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit findings

FMIS and HRMIS Privileged User Management

3.23.26  Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others. During the 2022–23 audit the ANAO identified weaknesses in the effectiveness of Services Australia’s monitoring of privileged user activities within the Financial Management Information System (FMIS) and Human Resource Management Information System (HRMIS).

3.23.27  At the conclusion of the 2023–24 interim audit, while Services Australia advised the ANAO that remedial actions were in progress, evidence for these actions had not been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

Medicare, Child Support and Health IT Mainframe Privileged User Management

3.23.28  Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others. During the 2022–23 audit, the ANAO identified weaknesses in the effectiveness of Services Australia’s monitoring of privileged user activities within the Medicare, Child Support and Health IT mainframes.

3.23.29  At the conclusion of the 2023–24 interim audit, while Services Australia advised that remedial actions were in progress, evidence for these actions had not been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

Centrelink IT Mainframe Privileged User Management

3.23.30  Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others. During the 2022–23 audit the ANAO identified weaknesses in the effectiveness of Services Australia’s monitoring of privileged user activities within the Centrelink IT mainframe.

3.23.31  At the conclusion of the 2023–24 interim audit, while Services Australia advised that remedial actions were in progress, evidence for these actions had not been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

New Residential Aged Care System Access Management

3.23.32  In August 2022, Services Australia implemented a new residential aged care system. Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

3.23.33  During the 2022–23 audit, the ANAO identified that there were weaknesses in the design and operating effectiveness of controls supporting privileged and other user access. More broadly, the ANAO has observed a break-down in Services Australia’s re-established security governance control framework, particularly the lack of formal system accreditation or other supporting system security risk assessments that would identify and allow system and project owners to formally analyse, understand and mitigate and/or accept key security governance risks prior to the implementation of the new system. The ANAO recommended that Services Australia strengthen privileged user access and logging and monitoring processes.

3.23.34  At the conclusion of the 2023–24 interim audit, while Services Australia advised that remedial actions were in progress, evidence for these actions had not been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

New Residential Aged Care System Change Management

3.23.35  In August 2022, Services Australia implemented a new residential aged care system. IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being made and reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

3.23.36  During the 2022–23 audit, the ANAO identified that there were weaknesses in segregation of duties controls associated with key change management processes, with Services Australia developers having access to release and deploy changes directly into the system. The ANAO recommended that Services Australia strengthen change management processes to address the identified control weakness.

3.23.37  At the conclusion of the 2023–24 interim audit, while Services Australia advised that remedial actions were in progress, evidence for these actions had not been provided to the ANAO. The ANAO plans to focus on the actions taken by Services Australia in response to this finding as part of the 2023–24 final audit.

Conclusion

3.23.38  At the completion of the 2023–24 interim audit, the ANAO has identified one significant and seven moderate audit findings where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of financial statements that are free from material misstatement.

3.23.39  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by Services Australia to address the weaknesses identified.

3.24 Department of the Treasury

Overview

3.24.1  The Treasury provides policy advice, analysis and the delivery of economic policies and programs, including legislation, administrative payments and regulatory functions, which support the effective management of the Australian economy.

3.24.2  The Treasury’s main source of funding is from appropriations.

Key financial statements items

3.24.3  Figure 3.24.1 and Figure 3.24.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.24.1:  Key departmental financial statements items

Source: Treasury’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.24.2:  Key administered financial statements items

Source: Treasury’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.24.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are the complexity and judgement required in the accounting treatment and valuation for a number of administered financial statements line items and balances; and the number and value the significance of payments made to State and Territory Governments.

Key areas of financial statements risk

3.24.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the Treasury’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of the Treasury’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.24.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of the Treasury’s financial statements.

3.24.7  Figure 3.24.3 and Figure 3.24.4 below show the key financial statements items reported by Treasury and the key areas of financial statements risk.

Figure 3.24.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.24.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.24.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.24.1.

Table 3.24.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.24.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: grants expenses, non-financial assets and supplier expenses. The ANAO’s interim audit coverage also includes an assessment of the IT general controls over the financial and human resource management information systems.

3.24.10  Audit procedures relating to valuation of provisions and further testing on grants expenses will be undertaken as part of the 2023–24 final audit.

Audit findings

3.24.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. One new minor audit finding was identified.

Conclusion

3.24.12  Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.25 Australian Office of Financial Management

Overview

3.25.1  AOFM is responsible for managing Australian Government debt and financial assets. AOFM issues Treasury Bonds, Treasury Indexed Bonds and Treasury Notes, manages the government’s cash balances and invests in high quality financial assets under the Australian Business Securitisation Fund and the Structured Finance Support Fund.

3.25.2  The AOFM’s main source of funding is from appropriations.

Key financial statements items

3.25.3  Figure 3.25.1 and Figure 3.25.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.25.1:  Key departmental financial statements items

Source: AOFM’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.25.2:  Key administered financial statements items

Source: AOFM’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.25.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. The key factor contributing to the moderate rating is complexity of AOFM’s operations, particularly the management of the Australian Government’s debt portfolio, which is a significant financial balance.

Key areas of financial statements risk

3.25.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact AOFM’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of AOFM’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.25.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of AOFM’s financial statements.

3.25.7  Figure 3.25.3 and Figure 3.25.4 below shows the key financial statements items reported by AOFM and the key areas of financial statements risk.

Figure 3.25.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.25.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.25.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.25.1.

Table 3.25.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

Risks and findings identified in ANAO performance audits

3.25.9  The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 18 of 2023–24 Australian Office of Financial Management’s Management of the Australian Government’s Debt was tabled in February 2024 and is relevant to the financial management or administration of AOFM. The observations included in this report were considered in designing audit procedures that address the key areas of financial statements risk detailed above in Table 3.25.1 relating to Australian Government Securities.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.25.10  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; supplier expenses; and issuance and management of Australian Government Securities.

3.25.11  Audit procedures relating to the valuation of Australian Government Securities will be undertaken as part of the planned 2023–24 final audit.

Audit findings

3.25.12  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified.

Conclusion

3.25.13  Based on the audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.

3.26 Australian Taxation Office

Overview

3.26.1  The Australian Taxation Office (ATO) is Australia’s principal revenue collection entity and is part of the Treasury portfolio. The ATO’s role is to administer Australia’s tax system, significant aspects of Australia’s superannuation system and business registry services, together with the provision of support to the Tax Practitioners Board and the Australian Charities and Not-for-profits Commission.

3.26.2  The ATO’s main source of funding is from appropriations.

Key financial statements items

3.26.3  Figure 3.26.1 and Figure 3.26.2 below provide a summary of the key 2023–24 financial statements items.

Figure 3.26.1:  Key departmental financial statements items

Source: ATO’s 2023–24 revised budget as reported in the 2023–24 Portfolio Budget Statements.

Figure 3.26.2:  Key administered financial statements items

Source: ATO’s 2023–24 revised budget as reported in the 2023–24 Portfolio Budget Statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.26.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as high. Key factors contributing to this rating are:

• level of ongoing scrutiny of the ATO’s operations by Parliament and members of the public, given ATO’s role as Australia’s principal revenue collection agency, administering the legislation governing tax and significant aspects of Australia’s superannuation system;
• dependence on sophisticated and interfaced IT systems and business applications for financial reporting, including one significant unresolved audit finding identified in 2022–23 relating to enterprise change management (refer to paragraphs 3.26.15 to 3.26.17); and
• the considerable level of judgement required and significant application of estimation and allocation processes to determine key financial balances.

Key areas of financial statements risk

3.26.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the ATO’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of ATO’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.26.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of ATO’s financial statements.

3.26.7  Figure 3.26.3 and Figure 3.26.4 below shows the key financial statements items reported by ATO and the key areas of financial statements risk.

Figure 3.26.3:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and ATO’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

Figure 3.26.4:  Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and ATO’s 2023–24 revised budget as reported in the 2023–24 Portfolio Additional Estimates Statements.

3.26.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.26.1.

Table 3.26.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.26.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to the ATO’s business operations which incorporated the ATO’s key financial administration systems and material revenue collection and recognition processes.

3.26.10  Audit procedures relating to the ANAO’s interim audit coverage included an assessment of controls relating to: IT general controls over security, change management and computer operations; cash; appropriations; asset and human resource management and supplier expenses. An assessment of the controls over: taxes¹⁰⁸; excise; super guarantee charge; penalties and interest; and settlements has commenced and will be finalised as part of the planned 2023–24 final audit.

3.26.11  The ANAO will finalise the assessment of the complex manual processes for financial reporting, coverage over the ATO’s external compliance program, administered estimates and receivables and impairment as part of the 2023–24 final audit.

Audit findings

3.26.12  Table 3.26.2 summarises the status of audit findings as at the end of the 2023–24 interim audit as reported by the ANAO.

Table 3.26.2:  Status of audit findings raised by the ANAO

Source: ANAO 2023–24 interim audit results.

3.26.13  As a result of these findings, the ANAO has designed further audit procedures to obtain reasonable assurance that the financial statements balances are not materially misstated.

3.26.14  The following section provides an overview of significant and moderate audit findings.

Unresolved significant audit finding

Enterprise change management

3.26.15  During the 2022–23 audit, the ANAO identified weaknesses associated with the ATO’s enterprise change management for key IT systems supporting the preparation of ATO’s financial statements. These weaknesses included a disconnect between change management policy and procedural documentation in relation to segregation of duties particularly in relation to developers and migrators. The ATO was also unable to demonstrate that its IT service management system contained a complete and accurate list of changes made to the systems assessed by the ANAO as in scope for the financial statements audit, and accordingly was unable to demonstrate that these changes were appropriately authorised and managed in all instances. This matter is considered to pose significant financial, business and reputational risk to the ATO. The ANAO recommended that the ATO improve the change management framework to ensure policy alignment throughout ATO’s business operations, all changes are recorded in the approved system in line with ATO policy and changes have effective system enforced segregation of duties.

3.26.16  During the 2023–24 interim audit, the ANAO observed that the ATO has implemented a series of changes to policy and procedural documentation as well as enhancements to the change management recording system. However, the ANAO has continued to identify weaknesses in processes and non-compliance with policy for systems such as the Enterprise Data Warehouse, reporting and case management systems, which are relevant to the management and production of data relevant to financial and performance statements and reporting. The ANAO has noted that the ATO’s processes for managing changes to IT applications in the mainframe environment and the financial management information system have improved.

3.26.17  The identified issues pose a risk that unauthorised changes negatively impact the ATO’s business operations. As a result of identified deficiencies the ANAO will be required to undertake additional testing to obtain assurance over the reliability of reports generated to support financial statements balances. The degree of additional work will be dependent on the quality and subsequent remediation activities undertaken by the ATO. The ANAO will focus on the action taken by ATO in response to this finding as part of the 2023–24 final audit.

Unresolved moderate audit finding

Uneconomic to pursue debt and re-raises

3.26.18  During the 2021–22 audit, the ANAO identified issues in the ATO’s treatment of debts considered to be uneconomical to pursue (‘non-pursued debt’). Excluding non-pursued debts from offsetting was not consistent with Part IIB of the Taxation Administration Act 1953 (Tax Act). Issues identified included:

• the timeframe where the automatic re-raise functionality was switched off that resulted in the ATO not re-raising debts that had previously been identified as uneconomical to pursue where the taxpayer became entitled to a credit; and
• the use of exclusionary criteria that had the effect of preventing a re-raise on a taxpayer’s account for non-pursued debt.

3.26.19  In both of these cases there was a potential effect of a taxpayer being able to receive a full credit despite having a debt owed to the Commonwealth.

3.26.20  At the completion of the 2023–24 interim audit, the ATO had updated its policies to conform with relevant legislation for debt offsetting and implemented updates to IT systems to remove all selected exclusionary criteria relating to non-pursued debts not currently subject to an approved deferral by the Commissioner of Taxation. One exclusionary criteria remains in place for debts non-pursued prior to 2017 that has not been removed and is subject to a temporary deferral by the Commissioner of Taxation. This cohort of debt is significant to the original issue and the absence of an implemented plan or process means that there remains a risk to law conformance.

3.26.21  The ANAO will focus on the further actions expected to be taken by the ATO in response to this finding during the 2023–24 final audit.

Conclusion

3.26.22  At the completion of the 2023–24 interim audit, the ANAO has reported one significant and one moderate audit finding where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of financial statements that are free from material misstatement.

3.26.23  During the 2023–24 final audit the ANAO will undertake further procedures and assess action taken by ATO to address the weaknesses identified.

3.27 Reserve Bank of Australia

Overview

3.27.1  The Reserve Bank of Australia (RBA) is responsible for determining and implementing monetary policy that seeks to contribute to the stability of the currency and maintains full employment; works to maintain a strong financial system and efficient payments system; and issues Australia’s banknotes. As well as being a policymaking body, the RBA provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

3.27.2  RBA does not receive any appropriation funding. The operational functions of the RBA are primarily funded from net interest income earnings and fees and commission income.

Key financial statements items

3.27.3  Figure 3.27.1 below provides a summary of the key financial statements items as reported in the RBA’s 2022–23 annual report.

Figure 3.27.1:  Key financial statements items

Source: RBA’s 2022–23 audited financial statements.

What are the key areas of audit focus identified by the ANAO for the 2023–24 financial statements?

Engagement risk

3.27.4  Paragraph 3.0.6 describes the factors considered by the ANAO in determining the engagement risk rating and the associated audit response required. The engagement risk for the 2023–24 financial statements has been assessed as moderate. Key factors contributing to this rating are:

• the high level of public interest and accountability for the operations, given the RBA’s role as the central bank of Australia and in conducting monetary policy;
• value, complexity and level of judgment required to manage a significant portfolio of investments and other financial assets and liabilities that support monetary policy outcomes; and
• the reliance by the public and Australian financial institutions on the RBA to manage and provide key banking and settlements infrastructure as well as issuing Australia’s banknotes.

Key areas of financial statements risk

3.27.5  The ANAO’s risk assessment process identifies key areas of risk that have the potential to materially impact the RBA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of the RBA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.27.6  The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of RBA’s financial statements.

3.27.7  Figure 3.27.2 below shows the key financial statements items reported by the RBA and the key areas of financial statements risk.

Figure 3.27.2:  Key financial balances and areas of financial statements risk

Source: ANAO analysis and RBA’s 2022–23 audited financial statements.

3.27.8  Further information on the key areas of financial statements risk identified by the ANAO are provided below in Table 3.27.1.

Table 3.27.1:  Key areas of financial statements risk

Source: ANAO 2023–24 risk assessment.

What are the results that have been identified by the ANAO’s interim audit coverage?

Interim audit coverage

3.27.9  The ANAO has completed its 2023–24 interim audit coverage, including an assessment of the controls relating to: the initiation, authorisation, settlement and recording of Australian dollar investments and foreign currency investments; the return and issuance of Australian banknotes on issue; and the design and implementation of IT general controls.

3.27.10  Audit procedures relating to: superannuation and unsettled purchases of securities and testing of IT general and application controls will be undertaken as part of the 2023–24 final audit.

Audit findings

3.27.11  At the completion of the 2023–24 interim audit, no new significant or moderate audit findings were identified. Two new minor audit findings were identified, one minor audit finding was unresolved and two minor audit findings were resolved.

Conclusion

3.27.12  Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that the RBA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2023–24 final audit.