- We identified 300 financial management control weaknesses and reported them to entities in 2017-18, down from 453 in the previous year. The number of significant issues decreased by 1 to 35, while the proportion of unresolved issues increased slightly from 29% to 30%.
- 438 information system control weaknesses were identified and reported to entities in 2017-18, of which 40% were unresolved issues from the previous year. The majority of issues are simple to fix, but if not resolved they will leave entities vulnerable to security incidents and disruption to systems.
- We reported 44 KPI weaknesses to entities in 2017-18, 1 more than last year. Data collection processes and data integrity were the main areas for improvement identified during our KPI audits.
Responsibility for developing and maintaining adequate systems of internal control rests with entity management. These control systems reduce the risk of error and fraud, and provide assurance to management and auditors that management reports and financial statements are materially correct. Maintaining adequate internal control ensures:
- financial information and other records, including data for key performance indicators, are accurately maintained
- assets are appropriately safeguarded
- errors and other irregularities are prevented or detected
- compliance with legislation and policy guidelines
- internal and external financial and non-financial performance reporting is reliable and timely.
The AG Act requires the Auditor General to audit entity accounts and, in the case of entities operating under the FM Act, to also form an opinion on their financial controls. This involves, as a minimum, an assessment of the design and implementation of relevant financial management and reporting controls.
Details of our control findings are included in management letters to the Accountable Authority. We rate control weaknesses according to their potential impact and base our ratings on the audit team’s assessment of risks and concerns about the probability and/or consequence of adverse outcomes if action is not taken. We consider the:
- quantitative impact – for example, financial loss
- qualitative impact – for example, inefficiency, non-compliance, poor service to the public or loss of public confidence.
We give entity management the opportunity to review our audit findings and provide comments prior to completion of the audit. Often management improves policies, procedures or practices after we raise them and before the audit is completed. At the completion of each audit, we send a copy of our management letter to the responsible Minister along with the audit opinion.
When management responds to control weaknesses we report to them, we ask them to set a timeframe for remedial action to be completed. Most entities set themselves challenging timeframes for remedial action, and generally meet those timeframes. It is, however, disappointing that some entities do not remedy control weaknesses in a timely manner – this year, 30% of our financial control findings and 40% of information system control findings were unresolved findings from the previous year.
While our management letters relate specifically to an individual entity, the weaknesses are often common to other government entities. The following is a summary of control weaknesses identified during 2017-18.
During 2017-18, we alerted 59 entities to control weaknesses that needed their attention. At the conclusion of our audits, responsible Ministers received advice of these deficiencies.
In total, we reported 300 control weaknesses to management at entities. This was lower than the 453 reported in the previous year. The number of issues we rated as significant also decreased, from 36 to 35 (Figure 1).
However, it was disappointing to note that 90 control weaknesses (30%) at 28 entities were unresolved from the prior year.
Figure 2 shows a breakdown of the categories of control weaknesses identified for the last 4 years. Expenditure control weaknesses again represented the highest proportion, followed by weaknesses in payroll and human resource management and asset management.
Following are examples of control weaknesses:
We reported 88 expenditure control weaknesses to 25 entities in 2017-18. Five were rated as significant and 21 weaknesses were unresolved from the prior year.
The expenditure control weaknesses related to payments made through accounts payable systems, with 32% relating to use of purchasing cards. Issues included:
- Procurement procedures, such as getting quotes (where required) and completing purchase orders to start the ordering process and accountability trail, were not routinely practiced. In some instances evidence of quotes received had not been retained. At 3 entities we reported that purchase orders were prepared after the suppliers’ invoices and goods had been received.
- Transactions were being authorised, incurred or certified by officers outside their approved limits or expenditure categories.
- Cardholders were not submitting their transaction supporting documents in sufficient time for checking before the payment due date. This required additional tracking and administration by management after the bank had been paid.
- Use of the purchasing cards contrary to the entity’s policies and procedures, such as allowing another staff member to use the purchasing card while the cardholder was absent or on leave. At 8 entities purchasing cards were not cancelled promptly when the cardholder ceased employment.
Payroll and Human Resources
Sixty payroll and human resource control weaknesses were reported to 31 entities. Four were rated as significant and 18 were unresolved from the previous year. As employee benefits expense is a major cost for public sector entities, it is essential that the human resource management and payroll functions are managed effectively. During our payroll controls audits, the weaknesses we identified included the following:
- Commencement and termination procedures at 14 entities were not completed appropriately, including:
  - new employee induction or processing procedures were not fully completed to ensure that Police clearances and authority to work documents were checked, and that contracts were signed and copies retained to confirm the conditions of employment and accountability for entity property
  - there were delays in communicating the start and termination dates of employees to the payroll section, resulting in delays in processing these changes. Controls to ensure that outgoing employees return all entity property, attractive assets, purchasing cards and security passes, were also lacking in some instances.
- The accuracy of employee leave records at 3 entities was potentially compromised by leave forms not being submitted promptly. For financial reporting purposes, accurate leave records are required to calculate the entity’s leave liability and also for an employee’s final leave entitlement payment when their employment ceases.
- Business unit or cost centre payroll reports were not being promptly reviewed and returned by the responsible managers. These managers are better placed to identify payments to their staff on leave, leave without pay, acting on higher pay, no longer employed or employees who are unknown to them or not employed in their business unit. Early notice of any errors can be actioned promptly to avoid making invalid salary payments.
We reported 41 asset management weaknesses to 19 entities. Eleven were rated as significant and 11 were unresolved from the previous year.
At 14 entities the fixed asset or portable and attractive asset registers did not contain complete and accurate information of all assets currently held. Identifying assets was more difficult where unique identification tags were not secured to the assets or there were insufficient descriptions or model and serial numbers recorded to identify individual asset items.
Issues relating to the timing of capitalising completed works in progress or valuation in the asset register were also identified at 5 entities. This then impacted on the depreciation expense of the entities.
During our audits we reported 39 governance and legal compliance issues to 26 entities. Fifteen were unresolved from the previous year.
Seven entities did not have up to date policies and procedures relating to entity operations. Documentation of the entity’s current policies, processes and procedures provides guidance to management and staff of business risks and priorities, and their related responsibilities.
A recurring issue reported to management at 5 entities was the lack of a formal agreement (Service Level Agreement or Memorandum of Understanding) with another entity for support services, ICT services or tenancy of premises. In most cases, service charges in these inter-entity relationships have been settled without issue, but formal agreements are essential for defining service requirements and accountability for the provision of services.
All entities should ensure they maintain the integrity of their financial control environment by:
- periodically reviewing and updating all financial, asset, human resources, governance, information systems and other management policies and procedures and communicating these to staff
- conducting ongoing reviews and improvement of internal control systems in response to regular risk assessments
- regularly monitoring compliance with relevant legislation
- promptly addressing control weaknesses brought to their attention by our audits.
Information systems underpin most aspects of entity and government operations and services. It is therefore vital that entities implement appropriate controls to maintain reliable, secure and resilient information systems.
Audits of general computer controls are a major part of the information systems work we undertake. Well implemented general computer controls ensure reliable and secure processing of financial and key performance information. We focus our information systems audit capacity on those entities with significant computer environments to determine whether their controls are appropriately designed and operating effectively.
In 2017-18, 438 weaknesses across 33 entities were identified. Last year, we reported 425 findings at 37 entities. Five percent of the issues were rated as significant and 64% were rated as moderate requiring action as soon as possible. The other 31% were rated as minor. Forty percent of the issues were unresolved from the previous year, and included those carried over from entities that merged after the 2017 Machinery of Government changes.
Figure 3 shows the percentage of total findings made against our six categories of control risk. Eighty-three percent of weaknesses we identified this year related to IT operations (50%) and information security (33%). These two categories accounted for 81% of the findings last year. IT operations findings decreased this year by 2% while there was a 1% reduction in Business Continuity and Physical Security findings. Information Security findings increased by 4%. The distribution of findings in the Change Management and IT Risk Management categories was similar to last year. We continue to find that many of these weaknesses are relatively simple to fix, and if not resolved they leave entities potentially vulnerable to significant disruption and costs.
A more detailed report on the results of our information system audits is planned for the first quarter of 2019. The report will consolidate the results of audits of entities with a 30 June 2018 reporting date and upcoming work on entities with a 31 December 2018 reporting date.
As shown in Table 5, in 2017-18 we reported 44 KPI weaknesses to management at entities, 1 more than last year. The number of qualified KPI audit opinions decreased from 5 to 4.
Almost all of the 44 weaknesses needed prompt or urgent attention by entities.
Figure 4 shows that data collection and integrity are the key areas needing improvement.
We reported 20 control weaknesses relating to data collection and integrity to 12 entities. Nine were rated as significant. The weaknesses included:
- dates and/or times were not accurately entered at source or from source documents. This resulted in the KPIs being calculated from data that was not consistent with the supporting records.
- some data was not accurate or not easily auditable, especially where collected by third parties.
All data recorded by entities needs to be accurate, reliable and verifiable in order to measure and report the entity’s achievement of their outcomes.
Seven entities need to re-assess the appropriateness of their KPI targets. Management needs to critically review whether the targets are challenging, realistic and encourage improved performance. Targets that are repeatedly achieved without resetting or review are especially in need of management attention.
At 4 entities, documentation setting out the KPI methodology, sources of data, procedures and calculation of each indicator was incomplete. As a result, entity staff had difficulty explaining to audit staff how the KPIs were calculated. A management-approved KPI manual should be prepared to guide entity staff who prepare KPIs.
Entities should periodically review their KPIs to ensure that:
- they are calculated from reliable and complete data
- they remain relevant, appropriate and fairly present performance against realistic targets
- the KPI manual is periodically reviewed and approved so that KPIs are consistently reported and comparable.