Report 7: 2020-21

Audit Results Report – Annual 2019-20 Financial Audits of State Government Entities

Management issues

Control environment

Entity management is responsible for developing and maintaining adequate systems of internal control to ensure legislative compliance, as well as accurate recording and reporting of financial information and KPIs. These control systems reduce the risk of error and fraud, and provide assurance to management and auditors that management reports and financial statements are materially correct. Maintaining adequate internal control ensures:

  • financial information and other records, including data for KPIs, are accurately maintained
  • assets are appropriately safeguarded
  • errors and other irregularities are prevented or detected
  • compliance with legislation and policy guidelines
  • internal and external financial and non-financial performance reporting is reliable and timely.

The AG Act requires the Auditor General to audit entity accounts and, in the case of entities operating under the Financial Management Act 2006, to also form an opinion on their financial controls. This involves, as a minimum, an assessment of the design and implementation of relevant financial management and reporting controls.

We report our control findings in management letters to the Accountable Authority. Control weaknesses are rated according to their potential impact and we base our ratings on the audit team’s assessment of risks and concerns about the probability and/or consequence of adverse outcomes if action is not taken. We consider the:

  • quantitative impact – for example, financial loss
  • qualitative impact – for example, inefficiency, non-compliance, poor service to the public or loss of public confidence.

Risk category: Significant
Audit impact: Control weaknesses that potentially present a significant financial or business risk to the entity if not addressed promptly.
These significant risk findings impact:
  • likelihood of material misstatement in the financial report
  • ability to achieve objectives or comply with legislation.
Management action required: Priority or urgent action by management to correct the material misstatement in the financial report to avoid a qualified opinion or, for control risks, implement a detailed action plan as soon as possible, within 1-2 months.

Risk category: Moderate
Audit impact: Normally matters requiring system or procedural improvements or low risk matters from previous audits that have not been satisfactorily resolved.
These moderate risk findings include:
  • misstatement in the financial report that has occurred, although not material
  • ongoing system control weakness which could or is having a moderate adverse effect on achieving objectives or legislative compliance.
Management action required: Control weaknesses of sufficient concern to warrant action being taken as soon as practicable, within 3 to 6 months. If not addressed promptly, they may escalate to significant or high risk.

Risk category: Minor
Audit impact: Isolated occurrences, non-systemic or procedural control weaknesses that are administrative shortcomings. Minor weaknesses which are not of primary concern but still warrant action being taken.
Management action required: Management to implement an action plan within 6 to 12 months to improve existing process or internal control.

Source: OAG

Table 6: Risk categories for control weaknesses reported to management

We give management the opportunity to review our audit findings and provide comments prior to completion of the audit. Often management improves policies, procedures or practices after we raise them and before the audit is completed. At the completion of each audit, we send a copy of our management letter to the responsible Minister along with the audit opinion.

When management responds to control weaknesses, we request that they set a timeframe for remedial action to be completed. Most entities set themselves challenging timeframes for remedial action, and generally meet those timeframes. It is however disappointing that some entities do not remedy control weaknesses in a timely manner.

This year, 26% or 113 of our financial control findings and 41% or 173 of our information system control findings were unresolved findings from the previous year. Last year the comparative results were 20% or 65 for financial management control findings and 44% or 193 for information system control findings.

While our management letters relate specifically to an individual entity, the weaknesses are often common to other government entities. The following is a summary of control weaknesses identified during 2019-20.

Financial and management controls

During 2019-20, we alerted 87 entities to control weaknesses that needed their attention. At the conclusion of our audits, responsible Ministers received advice of these deficiencies.

In total, we reported 430 control weaknesses to management at entities. This was higher than the 323 reported in the previous year. The number of issues we rated as significant increased from 36 to 95 (Figure 1).

However, it was disappointing to note that 113 control weaknesses (26%) at 38 entities were unresolved from the prior year.

Source: OAG

Figure 1: Ratings of financial and management control weaknesses reported to entities – by number and percentage

Figure 2 shows a breakdown of the categories of control weaknesses identified for the last 4 years. Expenditure control weaknesses again represented the highest proportion, followed by weaknesses in accounting procedures, payroll and human resource management, and governance controls.

Source: OAG

Figure 2: Financial and management control weaknesses for last 4 years

Following are examples of control weaknesses in the major categories:

Expenditure

We reported 133 expenditure control weaknesses to 49 entities in 2019-20. Thirty-four were rated as significant and 39 weaknesses were unresolved from the prior year.

From January 2020, Treasurer’s instruction 304 Authorisation of Payments was revised, requiring entities to immediately review their purchasing and payment processes to ensure segregation of duties. Our audits have reported to management at 33 entities that their payment processes remain in need of improvement. For some entities, this included the need to more clearly comply with TI 304.

The mandatory requirements of TI 304 now expressly include segregation of the ordering, receiving, incurring and certifying functions. This was previously included in the guidelines to the TI only. Segregation of duties and the requirement for officers to be appointed to perform the various functions to delegated limits are key controls for every entity.

The following 4 purchasing functions are required to be performed by separate officers:

  • Ordering – goods and services must be ordered by an authorised officer raising a purchase order, after seeking quotations or completion of a tender process (where necessary) and receiving the required level of delegated approval. Full details or specifications of the item/s or services ordered, and the agreed price and delivery instructions are to be included in the order.
  • Receiving – goods and services are required to be received by a staff member with appropriate authority, with evidence retained of the receival.
  • Incurring – an authorised incurring officer must check any differences between the order, the goods received report, invoice charges and quoted or contracted rates. This review is to be documented or evidenced before the officer incurs the payment.
  • Certifying – a certifying officer, with appropriate delegated authority, must review the procurement evidence for the goods or services prior to certifying the invoice for payment.

These functions were not always separated, which increases the risk of inappropriate purchases and/or fraud due to the same person having control of too many checkpoints.

TI 304(4) allows an entity with limited resources where it is not ‘reasonably practicable’ to have the required segregation of duties to agree and approve an alternative arrangement between the Accountable Authority and the Audit and Risk Committee. However, any approved alternative arrangements cannot allow the same officer to perform the functions of incurring and certifying in relation to the same payment.

During our audits, we noted several entities that had approved alternative arrangements under TI 304(4). We gave consideration to these alternative arrangements and, although we made some recommendations for improvement, we considered the controls generally satisfactory.

Other expenditure control weaknesses included procurement procedures not routinely implemented. There were instances where purchase orders were prepared after the suppliers’ invoices and goods had been received. In some entities, staff were not seeking quotes (where required) or not completing purchase orders to start the ordering process and accountability trail. Sometimes quotes were received but evidence was not retained.

Of the 133 expenditure control weaknesses, 40 related to use of purchasing cards contrary to the policies and procedures at 18 entities. Our testing found instances where:

  • purchasing card statements and supporting transaction documents were not submitted by the cardholder before the payment due date for review and approval
  • staff exceeded their approved limits or expenditure categories
  • another staff member used the card while the cardholder was absent or on leave
  • 6 entities did not promptly cancel the purchasing card held by a cardholder who ceased employment.

Accounting procedures

During our audits we identified 79 accounting procedures issues at 39 entities. Eighteen rated as significant and 11 were unresolved from the previous year. The major control weaknesses included:

  • at 12 entities, manual journal entries were recorded without evidence of review by a second senior officer or without appropriate supporting documentation. Accounting journals can represent significant adjustments to previously approved accounting transactions and can also be used to hide fraud. They should therefore be appropriately reviewed and approved.
  • bank account signatories were not updated in a timely manner to remove terminating employees or to reflect changes in employees’ responsibilities. This exposes the entity to potential fraudulent activity over its cash balances.
  • registers of contracts and leases were not maintained or kept up-to-date. Lack of complete and accurate information on all contracts, and any variations, could potentially limit the entity’s ability to effectively monitor and manage contractual obligations.
  • review of the application of new or revised accounting standards was not conducted in a timely manner to ensure that management reporting was compliant with the current accounting standards at year end.

Payroll and human resources

We reported 69 payroll and human resource control weaknesses to 27 entities. Seventeen rated as significant and 16 were unresolved from the previous year. Our payroll controls audits identified the following weaknesses:

  • Business unit managers were not promptly reviewing and returning their business unit cost centre payroll reports to the human resources division. This is an important control in all but small entities, as business unit managers are best placed to identify incorrect payments to their staff on leave, leave without pay, acting on higher pay, no longer employed or employees who are unknown to them or not employed in their business unit. This control also helps identify any fraudulent ‘ghost employees’ on the payroll. Early notice of any errors can be actioned promptly to avoid making invalid salary payments.
  • At 17 entities we found weaknesses in commencement and termination procedures, including delays in communicating the start and termination information of employees to the payroll section which meant delays in processing these changes. This requires subsequent adjustments to pays. We advised 12 entities that their termination procedures required improvement to ensure that outgoing employees return all entity property, attractive assets, purchasing cards and security passes, and have their access to systems withdrawn promptly.
  • We found 6 entities’ employee leave application procedures and reporting processes need improvement to ensure that leave taken is recorded in each employee’s record. For financial reporting, the correctness of an entity’s leave liability depends on the accuracy of its employees’ outstanding leave entitlements.

Governance

During our audits we identified 61 governance and legal compliance issues at 45 entities. Eleven rated as significant and 21 were unresolved from the previous year.

We reported to 25 entities that they were not fully compliant with a section of the Financial Management Act 2006. These included the requirement to prepare or update their audit and risk charter, their risk management policy and plan or their strategic plan. Without up-to-date policies, there is an increased risk that key business functions will not operate efficiently and continuously to support the entity’s operations. Also, some entities are still using pre-Machinery of Government (2017) policies and procedures or the financial management manual of their former entities. Documentation of the entity’s current policies and procedures provides guidance to management and staff and reduces the likelihood of transactions being inadequately controlled or performed.

Recommendations

  1. All entities should ensure they maintain the integrity of their financial control environment by:
    1. periodically reviewing and updating all financial, asset, human resources, governance, information systems and other management policies and procedures and communicating these to relevant staff
    2. conducting ongoing reviews and improvement of internal control systems in response to regular risk assessments
    3. regularly monitoring compliance with relevant legislation
    4. promptly addressing control weaknesses brought to their attention by OAG audits.

Information systems controls

Information systems underpin most aspects of entity and government operations and services. It is therefore important that entities implement appropriate controls to maintain reliable, secure and resilient information systems.

Audits of general computer controls are a major part of work we undertake to assess the effectiveness of information system controls. Well implemented and managed general computer controls ensure reliable and secure processing of financial and key performance information. We focus our information systems audit capacity on those entities with significant computer environments to determine whether their controls are appropriately designed and operating effectively.

In 2019-20, we identified 423 weaknesses across 49 entities where our information system audits have been completed. Forty-one percent of these were unresolved issues from the previous year. Last year we reported 434 findings at 41 entities. Five percent of the issues were rated as significant and 71% were rated as moderate requiring action as soon as possible. The other 24% were rated as minor.

Of the weaknesses identified:

  • 41% related to information security issues. These included system vulnerabilities, weak passwords, poor remote access controls, and unauthorised and inappropriate access
  • 45% related to operations issues. These included the processing and handling of information, monitoring user activity, and review of access privileges.

Figure 3 shows the percentage of total findings made against our 6 categories of control risk. Information technology (IT) operations and business continuity findings decreased by 2% this year while there was a 1% reduction in change management findings. Information security findings increased by 4% and IT risk management findings increased by 1%. The distribution of findings in the physical security category was similar to last year. The majority of issues are simple to fix, but if not resolved these issues leave entities potentially vulnerable to security incidents and disruption of systems.

Source: OAG

Figure 3: Information systems control issues by category

A more detailed report on the results of our information system audits is planned for the first quarter of 2021. The report will consolidate the results of audits of entities with a 30 June 2020 reporting date and upcoming work on entities with a 31 December 2020 reporting date.

Details of our additional audit testing for COVID-19 pandemic IT risks commence on page 27 in the revised audit planning for COVID-19 section.

Key performance indicators

In 2019-20 we reported 26 KPI weaknesses to management at 19 entities. The number of qualified KPI audit opinions was 1.

Almost all of the 26 weaknesses need prompt or urgent attention by entities.

KPI shortcomings and qualifications               2016-17  2017-18  2018-19  2019-20
Number of entities with KPI weaknesses                 20       13       26       19
Number of KPI weaknesses reported                      43       44       44       26
Number of KPI weaknesses rated as significant          20       16       18        9
Number of entities with qualified KPI opinions          5        4        1        1

Source: OAG

Table 7: Summary of KPI weaknesses reported to entities

Figure 4 shows that data integrity and collection is the key area needing improvement.

Source: OAG

Figure 4: KPI control weaknesses for last 4 years

We reported 18 control weaknesses relating to data integrity and collection to 13 entities. Seven rated as significant. The weaknesses included:

  • data not accurately entered at source or from source documents. This resulted in the KPIs being calculated from data that was not consistent with the supporting records.
  • some data was not accurate or not easily auditable, especially where collected by third parties.

All data recorded by entities needs to be accurate, reliable and verifiable in order to measure and report the entity’s achievement of their outcomes.

Recommendations

  1. Entities should periodically review their KPIs to ensure that: 
    1. they are calculated from reliable and complete data
    2. they remain relevant, appropriate and fairly present performance against realistic targets
    3. the KPI instructions are periodically updated and approved so that KPIs are consistently reported and comparable.
