Report 12: 2019-20

Audit Results Report – Annual 2018-19 Financial Audits of State Government Entities

Management issues

  • We identified 323 financial management control weaknesses and reported them to entities in 2018-19, an increase from 300 in the previous year. The number of significant issues increased by 1 to 36, while the proportion of unresolved issues decreased from 30% to 20%.
  • 434 information system control weaknesses were identified and reported to entities in 2018-19 of which 44% were unresolved issues from the previous year. The majority of issues are simple to fix but if not resolved they will leave entities vulnerable to security incidents and disruption to systems.
  • We reported 44 KPI weaknesses to entities in 2018-19, the same number as last year. Data integrity and collection processes were the main areas for improvement identified during our KPI audits.

Control environment

Responsibility for developing and maintaining adequate systems of internal control rests with entity management. These control systems reduce the risk of error and fraud, and provide assurance to management and auditors that management reports and financial statements are materially correct. Maintaining adequate internal control ensures:

  • financial information and other records, including data for KPIs, are accurately maintained
  • assets are appropriately safeguarded
  • errors and other irregularities are prevented or detected
  • compliance with legislation and policy guidelines
  • internal and external financial and non-financial performance reporting is reliable and timely.

The AG Act requires the Auditor General to audit entity accounts and, in the case of entities operating under the FM Act, to also form an opinion on their financial controls. This involves, as a minimum, an assessment of the design and implementation of relevant financial management and reporting controls.

Details of our control findings are included in management letters to the Accountable Authority. We rate control weaknesses according to their potential impact and base our ratings on the audit team’s assessment of risks and concerns about the probability and/or consequence of adverse outcomes if action is not taken. We consider the:

  • quantitative impact – for example, financial loss
  • qualitative impact – for example, inefficiency, non-compliance, poor service to the public or loss of public confidence.

Risk category: Significant

Audit impact: Control weaknesses that potentially present a significant financial or business risk to the entity if not addressed promptly.

These significant risk findings impact:

  • likelihood of material misstatement in the financial report
  • ability to achieve objectives or comply with legislation.

Management action required: Priority or urgent action by management to correct the material misstatement in the financial report to avoid a qualified opinion, or, for control risks, implement a detailed action plan as soon as possible, within 1-2 months.

Risk category: Moderate

Audit impact: Normally matters requiring system or procedural improvements or low risk matters from previous audits that have not been satisfactorily resolved.

These moderate risk findings include:

  • misstatement in the financial report that has occurred, although not material
  • ongoing system control weakness which could or is having a moderate adverse effect of achieving objectives or legislative compliance.

Management action required: Control weaknesses of sufficient concern to warrant action being taken as soon as practicable, within 3 to 6 months. If not addressed promptly, they may escalate to significant or high risk.

Risk category: Minor

Audit impact: Isolated occurrences, non-systemic or procedural control weaknesses that are administrative shortcomings. Minor weaknesses which are not of primary concern but still warrant action being taken.

Management action required: Management to implement an action plan within 6 to 12 months to improve existing process or internal control.

Table 5: Risk categories for control weaknesses reported to management

We give entity management the opportunity to review our audit findings and provide comments prior to completion of the audit. Often management improves policies, procedures or practices after we raise them and before the audit is completed. At the completion of each audit, we send a copy of our management letter to the responsible Minister along with the audit opinion.

When management responds to control weaknesses, we request that they set a timeframe for remedial action to be completed. Most entities set themselves challenging timeframes for remedial action, and generally meet those timeframes. It is however disappointing that some entities do not remedy control weaknesses in a timely manner – this year, 20% of our financial control findings and 44% of information system control findings were unresolved findings from the previous year.

While our management letters relate specifically to an individual entity, the weaknesses are often common to other government entities. The following is a summary of control weaknesses identified during 2018-19.

Financial and management controls

During 2018-19, we alerted 75 entities to control weaknesses that needed their attention. At the conclusion of our audits, responsible Ministers received advice of these deficiencies.

In total, we reported 323 control weaknesses to management at entities. This was higher than the 300 reported in the previous year. The number of issues we rated as significant increased by 1, from 35 to 36 (Figure 1).

However, it was disappointing to note that 65 control weaknesses (20%) at 22 entities were unresolved from the prior year.

Figure 1: Ratings of financial and management control weaknesses reported to entities – by number and percentage

Figure 2 shows a breakdown of the categories of control weaknesses identified for the last 4 years. Expenditure control weaknesses again represented the highest proportion, followed by weaknesses in payroll and human resource management controls.

Figure 2: Financial and management control weaknesses for last 4 years

The 4 main areas of control weaknesses are expenditure, payroll and human resources, governance and assets.

Following are examples of control weaknesses:

Expenditure

We reported 86 expenditure control weaknesses to 35 entities in 2018-19. Eight were rated as significant and 19 weaknesses were unresolved from the prior year.

Thirty-four (40%) of the expenditure control weaknesses related to use of purchasing cards contrary to the entity’s policies and procedures. Our testing found instances where:

  • purchasing card statements and supporting transaction documents were not submitted by the cardholder before the payment due date for review and approval
  • staff exceeded their approved limits or expenditure categories
  • another staff member used the card while the cardholder was absent or on leave
  • 11 entities did not promptly cancel the purchasing card held by a cardholder who ceased employment.

Other expenditure control weaknesses included procurement procedures not being routinely implemented. There were instances where purchase orders were prepared after the suppliers’ invoices and goods had been received. In some entities staff were not seeking quotes (where required) or not completing purchase orders to start the ordering process and accountability trail. Sometimes quotes were received but evidence was not retained.

Payroll and human resources

Sixty-four payroll and human resource control weaknesses were reported to 25 entities. Nine were rated as significant and 14 were unresolved from the previous year. It is essential that the human resource management and payroll functions are managed effectively, as employee benefits are a major cost for public sector entities. Our payroll controls audits identified the following weaknesses:

  • Responsible managers were not promptly reviewing and returning their business unit cost centre payroll reports prior to payroll distribution. Business unit managers are better placed to identify payments to their staff on leave, leave without pay, acting on higher pay, no longer employed or employees who are unknown to them or not employed in their business unit. Early notice of any errors can be actioned promptly to avoid making invalid salary payments. Our audits also found instances where staff were certifying payroll reports for their own pay, rather than a more senior staff member or manager.
  • At 10 entities we found that commencement and termination procedures were not completed appropriately, and in some instances the policies and procedures needed to be improved. The control weaknesses included delays in communicating the start and termination information of employees to the payroll section which meant delays in processing these changes. We advised 9 entities that their termination procedures required improvement to ensure that outgoing employees return all entity property, attractive assets, purchasing cards and security passes, and have their access to systems withdrawn.
  • 10 entities’ employee leave application procedures and reporting processes need improvement to ensure that leave taken is recorded in each employee’s record. For financial reporting, the correctness of an entity’s leave liability depends on the accuracy of its employees’ outstanding leave entitlements. Accurate and up-to-date employee records are also required to calculate an employee’s final leave entitlement payment when their employment ceases.

Governance

During our audits we identified 53 governance and legal compliance issues at 37 entities. Twelve were unresolved from the previous year.

We reported to 11 entities that they were not fully compliant with a section of the Financial Management Act 2006. These included the requirement to report estimates in their financial reports, the need to review or update their financial management policies, or prepare or update their risk management strategy and plan. Documentation of the entity’s current policies and procedures provides guidance to management and staff and reduces the likelihood of transactions being inadequately controlled or performed.

Assets

We reported 42 asset management weaknesses to 19 entities. Five were rated as significant and 6 were unresolved from the previous year.

At 8 entities the fixed asset or portable and attractive asset registers did not contain complete and accurate information of all assets currently held. Identifying assets was more difficult where unique identification tags were not secured to the assets or there were insufficient descriptions or model and serial numbers recorded to identify individual asset items.

At 4 entities, some completed works were not transferred from work-in-progress to property, plant and equipment, or were not properly valued. This then impacted on the depreciation expense of the entities.

Recommendations

  1. All entities should ensure they maintain the integrity of their financial control environment by:
       • periodically reviewing and updating all financial, asset, human resources, governance, information systems and other management policies and procedures and communicating these to relevant staff
       • conducting ongoing reviews and improvement of internal control systems in response to regular risk assessments
       • regularly monitoring compliance with relevant legislation
       • promptly addressing control weaknesses brought to their attention by OAG audits.

Information systems controls

Information systems underpin most aspects of entity and government operations and services. It is therefore important that entities implement appropriate controls to maintain reliable, secure and resilient information systems.

Audits of general computer controls are a major part of work we undertake to assess the effectiveness of information system controls. Well implemented and managed general computer controls ensure reliable and secure processing of financial and key performance information. We focus our information systems audit capacity on those entities with significant computer environments to determine whether their controls are appropriately designed and operating effectively.

In 2018-19, we identified 434 weaknesses across 41 entities. Last year, we reported 438 findings at 33 entities. Three per cent of the issues were rated as significant and 62% were rated as moderate requiring action as soon as possible. The other 35% were rated as minor.

Figure 3 shows the percentage of total findings made against our 6 categories of control risk. Eighty-four percent of weaknesses we identified this year related to information technology (IT) operations (48%) and information security (36%). These 2 categories accounted for 83% of the findings last year. IT operations findings decreased this year by 2% while there was a 1% reduction in IT risk management and business continuity findings. Information security findings increased by 3% and there was a 1% increase in change management findings. The distribution of findings in the physical security category was similar to last year. We continue to find that many of these weaknesses are relatively simple to fix, and if not resolved they leave entities potentially vulnerable to significant disruption and costs.

Figure 3: Information systems control issues by category

A more detailed report on the results of our information system audits is planned for the first quarter of 2020. The report will consolidate the results of audits of entities with a 30 June 2019 reporting date and upcoming work on entities with a 31 December 2019 reporting date.

Key performance indicators

As shown in Table 6, in 2018-19 we reported 44 KPI weaknesses to management at entities, the same number as last year. The number of qualified KPI audit opinions decreased from 4 to 1.

Almost all of the 44 weaknesses need prompt or urgent attention by entities.

KPI shortcomings and qualifications | 2015-16 | 2016-17 | 2017-18 | 2018-19
Number of entities with KPI weaknesses | 20 | 20 | 13 | 26
Number of KPI weaknesses reported | 31 | 43 | 44 | 44
Number of KPI weaknesses rated as significant | 15 | 20 | 16 | 18
Number of entities with qualified KPI opinions | 2 | 5 | 4 | 1

Table 6: Summary of KPI weaknesses reported to entities

Figure 4 shows that data integrity and collection is the key area needing improvement.

Figure 4: KPI control weaknesses for last 4 years

We reported 28 control weaknesses relating to data integrity and collection to 18 entities. Fourteen were rated as significant. The weaknesses included:

  • dates and/or times were not accurately entered at source or from source documents. This resulted in the KPIs being calculated from data that was not consistent with the supporting records.
  • some data was not accurate or not easily auditable, especially where collected by third parties.

All data recorded by entities needs to be accurate, reliable and verifiable in order to measure and report the entity’s achievement of their outcomes.

Three entities need to re-assess the appropriateness of their KPI targets. Management’s annual KPI review of performance needs to set future targets that are challenging, realistic and encourage improvement. Targets that are repeatedly achieved without re-setting are especially in need of management attention.

At 4 entities, there were no KPI instructions setting out the KPI methodology, any assumptions made, sources of data, preparation procedures and calculation of each indicator. It is important that KPIs can be assessed by their trend over a number of years. Entity staff in any year need to prepare KPIs consistently with those prepared in previous years. Management-approved KPI instructions are a valuable tool for achieving comparable and accurate KPIs across different performance periods.

Recommendations

  1. Entities should periodically review their KPIs to ensure that:
       • they are calculated from reliable and complete data
       • they remain relevant, appropriate and fairly present performance against realistic targets
       • the KPI instructions are periodically reviewed and approved so that KPIs are consistently reported and comparable.
Page last updated: November 22, 2019
