Every entity is responsible for developing and maintaining an internal control system and procedures to ensure legislative compliance, as well as accurately recording and reporting financial information and KPIs. The internal control system of an entity includes the controls for financial and human resource management, in addition to information systems procedures and governance processes. Where internal controls are weak, it is more likely that errors or fraud may occur and go undetected.
The AG Act requires the Auditor General to form an opinion on the controls of universities and TAFEs. In forming this opinion, the Auditor General assesses compliance with key aspects of legislation, and the ability of internal control systems and procedures to record and report reliable financial information and KPIs.
We reported 34 financial and management control weaknesses to the universities and TAFEs in 2018, compared to 60 in 2017. The reduced findings were due in part to control improvements that were implemented by management, and partially because last year’s findings included a one-off focus audit on contract extensions and variations performed at the 4 universities and 3 of the TAFEs.
We rated 85% of the control weaknesses as medium risk, which means they were of sufficient concern to warrant taking corrective action as soon as possible. Normally these matters require procedural improvements, and if not addressed, they could escalate to a significant risk. Twenty-six percent were unresolved prior year issues, compared to 28% last year.
Figure 1 summarises control weaknesses reported in 2017 and 2018.
Findings relating to revenue increased this year and were reported to 7 of the universities and TAFEs for 2018, compared to 5 the previous year. Common control weaknesses we identified this year related to revenue and purchasing cards.
Revenue control procedures were not routinely applied:
- for approving changes to resource fee charges to some students
- for review of student fee discounts and processing refunds.
Purchasing card control procedures were not followed to ensure that:
- purchasing card accounts were acquitted by cardholders within timelines set by management
- cards of former employees were cancelled promptly with the bank.
Each year we audit the design, implementation and operating effectiveness of information system (IS) controls at selected universities and TAFEs. Information system audits provide insights about the extent to which controls enable reliable and secure processing of financial and key performance information.
In 2018, we identified 90 IS control weaknesses across the 4 universities and 5 TAFEs we reviewed. We rated 2% of the weaknesses as significant, 60% as moderate, and the remainder as minor. Prompt corrective action is recommended for all significant findings and as soon as practicable for all findings rated as moderate.
Of the weaknesses identified:
- 40% related to information security issues. These included system vulnerabilities, weak passwords, and unauthorised and inappropriate access.
- 38% related to IT operations issues. These included the processing and handling of information, monitoring and logging user activity, and management and review of access privileges.
- 57% were unactioned from our previous audits.
Information system control weaknesses have the potential to compromise the confidentiality, integrity and availability of key computer systems if they are not addressed. Figure 2 shows the distribution of our findings across the 6 control categories we assessed during our audits.
More information on our IS audit results will be included in our next annual IS audit report.
Universities and TAFEs have significant leave liabilities, $249.7 million and $65.8 million respectively, which require proactive management. The combined total leave liability of universities and TAFEs at 31 December 2018 was $315.5 million, showing a notable decline for universities in 2018 and a very small decline for TAFEs over the last 3 years.
Figure 3 illustrates movement in total leave liability for the last 5 years. At 31 December 2018, the total leave liabilities of the universities were 3.2% ($8.2 million) lower, with 3 universities reducing their totals during the year. The TAFEs’ liability was 0.2% or $131,000 less, with 2 TAFEs reporting increased and 3 reporting reduced liabilities.
The universities and particularly the TAFEs need to continue to closely manage these liabilities for a number of reasons. We consider that large balances can lead to payouts at a higher pay rate than when the entitlement accrued. It is also important that staff take regular leave for their health and wellbeing, and to promote staff rotation through roles responsible for key financial management controls. Staff rotation, like segregation of duties, is recognised as an important risk management tool as it can prevent and identify practices that contribute to error or fraud.
During 2018 the 5 TAFEs commenced transitioning from their Unified Enrolments (UE) system to the new Student Management System (SMS). SMS is a key system for each TAFE’s student applications, enrolments, fees and life cycle management as students’ progress through their TAFE studies. Data integrity and security are paramount as the system is accessed by all TAFE campuses, students and the Department of Training and Workforce Development (DTWD). Data from SMS is also used to determine each TAFE’s funding.
DTWD’s project team managed the staged transition of the TAFEs to SMS during 2018. North Metropolitan TAFE was the first TAFE to start using the new SMS from 1 January 2018. The project required controls to be implemented for data capture, segregation of duties, data integrity and fraud prevention for each campus. By the end of 2018, 4 TAFEs were operating SMS, and South Metropolitan TAFE transitioned in January 2019.
Our audit teams reviewed SMS’s fee calculation, student enrolments, student bank account interface, student information (including online access and services), system access protocols, and departmental reporting for the VET Management Information Statistical Standard.
DTWD completed internal audit work around the migration of data from UE to SMS. Our review of this work, including corroboration as required by the auditing standards, confirmed that we could rely on the internal audit work.
Edith Cowan University and South Metropolitan TAFE submitted good quality statements within the planned and agreed timelines, and also met our other best practice criteria.
The universities and TAFEs were again timely in submitting their financial statements, with the 5 TAFEs submitting them to our audit teams earlier than the previous year. The new reduced reporting requirements detailed on page 20, which applied to the TAFEs for the first time for this reporting period, contributed to this improvement.
We consider timely preparation of good quality financial statements and KPIs, and being audit ready, enables entities to release resources for other important tasks.
Our criteria for achieving best practice status include:
- clear (unqualified) opinions on their financial statements, controls and KPIs
- being audit ready early, ideally by 31 January
- good quality financial statements and KPIs, supported by reliable working papers and submitted for audit within the agreed timeframe
- management resolution of accounting standards and presentation issues (before the audit process begins)
- key staff available during the audit process
- assessment of the number and significance of control weaknesses we identified.