2.1
The Auditor-General publishes two reports annually to provide the Parliament with an independent examination of the financial accounting and reporting of Commonwealth entities. For the 2016-17 financial year, this comprised:
Audit Report No. 60 (2016-17), Interim Report on Key Financial Controls of Major Entities, which focused on results of the interim audit phases of major Commonwealth entities, including an assessment of key internal controls
Audit Report No. 24 (2017-18), Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2017, which provided results of the final audits of the financial statements of all Commonwealth entities and the Consolidated Financial Statements
2.2
The Joint Committee of Public Accounts and Audit (JCPAA) inquiry into the Commonwealth financial statements was based on Audit Report No. 24 (2017-18), Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2017.
2.3
Reflecting the terms of reference adopted by the Committee for its inquiry (see Appendix A), this report focused on the following five matters regarding the evidence provided:
Consolidated Financial Statements: audit findings
Financial statements: audit findings by portfolio
National Disability Insurance Agency
Financial statements: audit findings by category
Equity investment, concessional loans and contingent liabilities: budget, accounting and valuation rules
Committee conclusions and recommendations
Committee conclusions and recommendations
Consolidated Financial Statements: audit findings
2.5
The Australian National Audit Office (ANAO) audits of the financial statements play a critical role in ensuring accountability to the Parliament and the Australian public for the expenditure of public funds. The Committee notes that the 2016-17 CFS was prepared in accordance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the requirements of the Australian Accounting Standards. The 2016-17 CFS was signed by the Minister for Finance on 27 November 2017, and an unmodified auditor’s report was issued on the same day.
Financial statements: audit findings by portfolio
2.6
The Committee notes that the Auditor-General issued auditor’s reports on the 2016-17 financial statements of 233 Commonwealth entities, up until 30 November 2017. All auditors’ reports were unmodified.
2.7
The Committee also notes that 222 findings were reported to entities as a result of these financial statement audits, comprising two significant, 20 moderate and 200 minor findings. The Committee makes recommendations about these matters below.
2.8
During 2016-17, the ANAO reported two significant legislative breaches to the Northern Land Council (NLC). The Committee has previously made a recommendation about NLC legislative breaches, and again makes a recommendation on this matter.
2.9
The Committee recommends that:
the Northern Land Council report back to the Committee on progress in responding to the two significant legislative breaches reported by the Australian National Audit Office (ANAO) in Audit Report No. 24 (2017-18)
should the ANAO audit of the financial statements of the Council for the period ended 30 June 2018 result in any significant legislative breaches being reported, whether new or unresolved from 2016-17, the Council promptly report back to the Committee on progress in responding to such findings
National Disability Insurance Agency
2.10
The Committee notes that, in Audit Report No. 24 (2017-18), the National Disability Insurance Agency (NDIA) had two significant audit findings and five moderate audit findings.
2.11
The Committee therefore welcomed progress made by the NDIA, as set out in Audit Report No. 47 (2017-18), in resolving these significant audit findings. One significant finding on IT user access management was resolved and the other significant finding on the business assurance compliance program was downgraded to a moderate audit finding. The Committee notes that, in its submission to the inquiry, the NDIA provided an update on progress undertaken to resolve this moderate audit finding.
2.12
The Committee also notes progress made by the NDIA in addressing the moderate audit findings, with one of these findings having been downgraded to a minor audit finding in Audit Report No. 47 (2017-18). In its submission, the NDIA noted that the moderate findings ‘all have action underway to address the identified risks’, and that ‘the NDIA is committed to these actions to address the outstanding findings’. The Committee will continue to closely monitor the NDIA’s progress in addressing these audit findings and makes a recommendation on this matter.
2.13
The Committee recommends that should the Australian National Audit Office audit of the financial statements of the National Disability Insurance Agency (NDIA) for the period ended 30 June 2018 result in any significant or moderate audit findings, whether new or unresolved from 2016-17, the NDIA promptly report back to the Committee on progress in responding to such findings.
Financial statements: audit findings by category
2.14
The Committee’s inquiry particularly focused on the ANAO’s audit findings in the category of IT control environment, which had the highest number of findings: one significant, 10 moderate and 73 minor. IT systems are an integral part of a Commonwealth entity’s control environment supporting the preparation of financial statements. The Committee notes that most common area requiring action by entities was in the management of user access and monitoring of privileged users.
2.15
In terms of the ANAO’s 20 moderate audit findings across all categories, the Committee focused on entities with multiple moderate audit findings, particularly in the category of IT control environment. These entities were:
Australian Federal Police—three moderate findings in the category of IT control environment
Department of Defence—two moderate findings, including one in the category of IT control environment
Director of National Parks—two moderate findings
Department of Home Affairs—two moderate findings, including one in the category of IT control environment
NDIA—five moderate findings, including three in the category of IT control environment
2.16
The Committee will continue to monitor entity progress in addressing these moderate audit findings, particularly in the category of IT control environment. The Committee emphasises that the IT control environment is an area requiring constant monitoring over time, due to recurring issues associated with managing user access. The Committee recognises that Commonwealth entities have overarching responsibility for their IT controls, with their audit committee having an important assurance role. The Department of Finance (Finance) also pointed to its support role in this area, including encouraging information sharing between entities on better practice. Finance further noted that shared services between entities may assist with standardisation of processes in the IT control environment, addressing some of the identified risks.
2.17
The Committee recommends that:
should the Australian National Audit Office (ANAO) audits of the financial statements of the Australian Federal Police, the Department of Defence, the Director of National Parks and the Department of Home Affairs for the period ended 30 June 2018 result in any significant or moderate audit findings, whether new or unresolved from 2016-17, these entities promptly report back to the Committee on progress in responding to such findings
in reporting back to the Committee on progress in addressing any significant or moderate audit findings in the ANAO category of IT control environment, entities should also outline:
what assurance for IT controls is undertaken by the entity’s audit committee
what plans have been established to continuously monitor IT controls, to prevent reoccurrence of such issues in future years
Equity investment, concessional loans and contingent liabilities: budget, accounting and valuation rules
2.18
The Committee terms of reference for the Commonwealth financial statements identified, as a particular focus, the budget, accounting and valuation rules for equity investment, concessional loans and contingent liabilities. Finance provided a detailed submission to the Committee setting out further information on these matters. Finance had also recently published a series of Advice Papers on General Principles for Recognition of Expenditure in Budget Aggregates (July 2018); Q&A—Concessional Loans (August 2018); and Q&A—Equity Investments (August 2018).
2.19
The Committee notes that all financial statements prepared by the Government, including those for the Budget, must comply with Australian Accounting Standards (AAS) and Government Financial Statistics (GFS) standards, which are prescribed in legislation and set independently of the Government. The Committee further notes that the Auditor-General examines compliance with AAS standards as part of the financial statement audits.
2.20
The Committee was interested to understand more about the research then being conducted by the Parliamentary Budget Office (PBO) on equity investment, concessional loans and contingent liabilities. The PBO outlined that one of the elements of its research program is to ‘undertake an examination of the accounting and budget impact of alternative financing mechanisms that are being used’, with the aim of publishing a report on this matter in 2019. Work in this area ‘links back to the PBO’s mandate to improve transparency around budget issues and to assist the parliament in making informed decisions about policy proposals and pieces of legislation that come before the parliament’. The Committee will be interested in monitoring the outcomes of this research and will seek a briefing by the PBO on this research following its release.
2.21
The Committee acknowledges the PBO’s work in publishing research that promotes public transparency and understanding of budget and fiscal policy settings. The Committee suggests there may be merit in the PBO considering further research on ways to promote public transparency around budget and financial reporting—including a clear read (line of sight) across budget and financial reporting documentation. Finance and the ANAO might also consider undertaking further work in this area—for example, the Committee notes that the ANAO has adopted Key Audit Matter reporting in its financial statements audits, including on alternative financing mechanisms.
2.22
The Committee notes the integrity of Commonwealth budget and accounting rules and auditing practices and, in its recommendations, instead focuses on further promoting public transparency in terms of budget and financial reporting.
2.23
The Committee recommends that the Department of Finance report back to the Committee on ways to further promote public transparency across budget and financial reporting documentation regarding alternative financing mechanisms.
2.24
The Committee recommends that the Australian National Audit Office consider:
undertaking an audit of one complete Commonwealth financial reporting cycle (for one or more Commonwealth entities), focused on clarity of terminology and a clear read of financial information (line of sight) across aggregated and disaggregated financial reporting documentation (budget papers, Portfolio Budget Statements, annual reports and financial statements)—including ease of tracking financial reporting information over time
reporting in greater detail on alternative financing mechanisms—such as equity investment, concessional loans and contingent liabilities—in its Key Audit Matter reporting for financial statement audits, to further promote public transparency in this area
2.25
The Committee recommends that the Parliamentary Budget Office consider undertaking further research into promoting public transparency and understanding of budget and financial reporting documentation, and ways to improve line of sight and tracking of aggregated and disaggregated financial information across such documentation, including over forward years.
Other audit matters
2.26
Audited financial statements are included in a Commonwealth entity’s annual report. Annual reports form a critical component of the Commonwealth performance cycle in providing accountability to the Parliament and the public about entity performance. The Committee emphasises that timeliness of financial reporting, which in turn ensures timely tabling of annual reports in the Parliament, is therefore crucial in enabling scrutiny of annual reports at Senate Estimates and also for future technological developments in digital tabling. The Committee welcomes the ANAO’s continued monitoring of this matter.
2.27
The Committee notes the Auditor-General’s view that there would be ‘benefit in the Government developing performance targets or benchmarks to enable entities to assess their own financial sustainability against agreed parameters over time and against like entities’. The Committee has previously made a recommendation supporting this initiative. In responding to this recommendation, Finance stated that financial sustainability performance metrics ‘could be released as part of the rollout of digitised 2018-19 Annual Reports’.
2.28
The Committee recommends that the Australian National Audit Office consider reporting back to the Committee on how the rollout of digitised annual reports by the Department of Finance might assist in the development of performance targets or benchmarks to enable Commonwealth entities to assess their own financial sustainability against agreed parameters over time and against like entities.
2.29
The Committee notes that, of the 157 Commonwealth entities requested to provide additional information on their websites relating to senior executive remuneration (starting from the 2016-17 reporting year, by 31 July 2017), as at 31 October 2017, 134 entities had published the information (with some 50 per cent having published this information in accordance with the requested timeframe of 31 July) and 23 entities had not.
2.30
In JCPAA Report 463: Commonwealth Financial Statements, the Committee made a number of recommendations to reinstate disclosure of executive remuneration reporting by Commonwealth entities, including Government Business Enterprises (GBEs), consistent with previous practice and also reflecting, as relevant, Australian Securities Exchange requirements.
2.31
The recent report of the Independent Review into the Operation of the PGPA Act and Rule also made recommendations on this matter, having noted that ‘current arrangements for reporting executive remuneration across Commonwealth entities do not provide sufficient transparency and accountability for the use of public resources for this purpose’.
2.32
The Committee awaits the Government response to the recommendations of the report of the Independent Review into the Operation of the PGPA Act and Rule, and to the relevant recommendations of JCPAA Report 463. The Committee will continue to monitor this area with interest, and welcomes the ANAO’s continued monitoring of this matter.
Review of evidence
Consolidated Financial Statements: audit findings
2.33
Government accountability and transparency is supported by the preparation and audit of the CFS. The CFS presents the consolidated whole-of-government financial results, inclusive of all Australian Government controlled entities, as well as the General Government Sector financial statements.
2.34
The 2016-17 CFS was prepared in accordance with section 48 of the PGPA Act and the requirements of the Australian Accounting Standards, including Australian Accounting Standards Board (AASB) 1049, Whole of Government and General Government Sector Financial Reporting.
2.35
There were no significant or moderate audit findings arising from the 2016-17 financial statements audits of the CFS. The 2016-17 CFS was signed by the Minister for Finance on 27 November 2017 and an unmodified auditor’s report was issued on the same day.
Financial statements: audit findings by portfolio
2.36
The Auditor-General issued auditor’s reports on the 2016-17 financial statements of 233 Commonwealth entities, up until 30 November 2017. All auditors’ reports were unmodified.
2.37
A total of 222 findings were reported to entities as a result of these financial statement audits, comprising:
two significant—National Disability Insurance Agency (NDIA)
20 moderate—including NDIA with five moderate findings
2.38
The significant and moderate audit findings for NDIA are discussed below, as this was a particular focus of the Committee’s terms of reference for the inquiry.
2.39
Other entities with multiple moderate audit findings included:
Australian Federal Police—three audit findings, discussed in the section below on IT control environment
Department of Defence—two audit findings (one of these audit findings is discussed in the section below on IT control environment)
Completeness and accuracy of Specialist Military Equipment (SME) data to support the fixed asset register—Audit Report No. 47 (2017-18) provided an update on Defence’s progress in addressing this audit finding, as follows: ‘Defence issued revised instructions to business units to strengthen the impairment assurance process. Defence is implementing the revised assurance process … [and] a new business process to validate the Key Defence Asset Register.
Director of National Parks (DNP)—two audit findings
Identification, valuation and classification of assets—the ANAO noted DNP advice that the ‘asset management process continues to be identified as a priority in the Corporate Plan’.
Financial statement quality control and preparation process—the ANAO noted DNP advice that ‘it is implementing procedures to address this issue in 2017-18’.
Department of Immigration and Border Protection—two audit findings (one of these audit findings is discussed in the section below on IT control environment)
Fraud and integrity reporting—Audit Report No. 47 (2017-18) provided an update on the department’s progress in addressing this audit finding, including ‘identification and analysis of the types of activities that may constitute fraud in the department’s context’; ‘development of a report that details fraud instances and related analysis’; and ‘development of standard operating procedures for compiling the fraud report’.
2.40
During 2016-17, the ANAO also reported two significant legislative breaches to the Northern Land Council (NLC) and one to the Corporations and Markets Advisory Committee.
2.41
The first significant legislative breach involved instances of NLC ‘non-compliance’ with the Aboriginal Land Rights (Northern Territory) Act 1976, as ‘not all of the funds in the Council’s royalty trust account had been distributed to traditional owners, within the agreed timeframe’. By way of addressing this matter, the ANAO noted that the NLC had commenced a royalty reform project ‘aimed at reducing incidents of non-compliance’ with the Act and ‘reconciling the outstanding balances in the royalty trust account to identify the appropriate owners for distribution’.
2.42
The second significant legislative breach concerned the need for NLC to establish a risk management framework. The ANAO noted that, at the time of the final audit, the NLC was preparing to undertake workshops to develop a risk register, to support ‘finalisation of the risk plan’ by the end of 2017.
2.43
At the public hearings for the Committee’s inquiry, Finance was asked what actions it had taken to drive change at the NLC with regard to these legislative breaches. Finance responded that it would ‘look for ways to continue working with the land councils on all of these issues’, and that it has ‘a team who has had ongoing and regular contact with the land councils in all their forms … Because of their composition, they present different issues to the composition of a lot of other parts of government’.
2.44
JCPAA Report 463: Commonwealth Financial Statements was based on the Committee’s inquiry into Audit Report No. 33 (2016-17), Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2016. The Committee recommended that:
the Northern Land Council report back to the Committee on progress in responding to the two significant legislative breaches reported by the Australian National Audit Office (ANAO) in Audit Report No. 33 (2016-17), including actions taken on this matter by the Council’s audit committee
should the ANAO audit of the financial statements of the Council for the period ended 30 June 2017 result in any significant legislative breaches being reported, whether new or unresolved from 2015-16, the Council promptly report back to the Committee on progress in responding to such findings
National Disability Insurance Agency
2.45
The NDIA had two significant audit findings and five moderate audit findings. However, as further discussed below, Audit Report No. 47 (2017-18), Interim Report on Key Financial Controls of Major Entities, provided an update on the status of audit findings in major Commonwealth entities—in particular, the ANAO noted that ‘the NDIA had addressed elements of one significant finding resulting in it being downgraded to a moderate audit finding, one significant finding was resolved and one moderate audit finding had been downgraded to a minor audit finding’.
2.46
The first significant audit finding identified in Audit Report No. 24 was in the category of IT control environment and concerned IT user access management—however, as discussed below, this finding had been resolved by the time of the following financial year’s interim audit (Audit Report No. 47).
2.47
The second significant audit finding identified in Audit Report No. 24 was in the category of compliance and quality assurance frameworks, and concerned the business assurance compliance program—however, as discussed below, this finding had been downgraded to a moderate finding by the time of the following financial year’s interim audit (Audit Report No. 47).
2.48
In 2015-16, the ANAO’s review of the NDIA’s progress towards implementing an assurance framework for claims paid to both National Disability Insurance Scheme (NDIS) participants and service providers, identified that there were ‘no documented compliance activities for payments made directly to self-managed participants’ and that the review program for payments made to providers ‘does not allow results to be extrapolated across the population to estimate the potential rate of non-compliance’. In Audit Report No. 47, the ANAO noted that, ‘based on the progress made to address this finding, it has been downgraded from a significant finding to a moderate finding’. The ANAO found that ‘considerable progress’ had been made by the NDIA with the ‘development and endorsement of a business assurance and compliance plan which is in the process of being implemented’.
2.49
In its submission, the NDIA acknowledged its ‘responsibility to build and maintain a strong control and assurance environment that assists in the monitoring of high quality participant outcomes and supports the financial sustainability of the Scheme’, and provided an update on progress undertaken to resolve this moderate audit finding, including:
enhancing the Agency’s capability and capacity to detect, respond to and resolve identified instances of incorrect payment or fraud, complemented by establishing partnership arrangements with law enforcement and other regulatory agencies;
further development of the quality checking systems covering NDIS access and planning decisions (including ICT functionality to support the checking of access decisions which was released in September 2017); and
reviewing the sampling methodology used in these programs to ensure a robust estimate of payment accuracy is able to be provided to support financial reporting for the Scheme.
2.50
Three of the five moderate audit findings for the NDIA were in the category of IT control environment.
2.51
The first of the IT related moderate audit findings identified in Audit Report No. 24 concerned IT change management—however, as discussed below, this finding had been downgraded to a minor finding by the time of the following financial year’s interim audit (Audit Report No. 47).
2.52
The second of the IT related moderate audit findings identified in Audit Report No. 24 involved provider registrations. A sample of provider registrations tested by the ANAO identified that, as ‘approximately 10% of provider registrations were completed by one NDIA user’, there was ‘no control preventing a single person from creating and approving a registered provider’ and, ‘once a provider has been approved as registered, a claim for payment can be made without any further approval or review by the NDIA’, increasing the risk of ‘inappropriate or unauthorised providers being registered and able to submit invalid claims for payment’. In Audit Report No. 47, the ANAO noted that:
The preliminary finding from quality assurance processes over registrations for the period July-December 2017 has not identified any provider registrations created and approved by the same person. The NDIA advised that a new report to identify provider registrations that have been created and approved by a single NDIA user is in the process of being developed. Any provider registrations that have been created and approved by a single user will be reviewed.
2.53
The third of the IT related moderate audit findings identified in Audit Report No. 24 concerned IT logging and monitoring. The ANAO identified that the NDIA ‘does not have a formal policy for logging and monitoring privileged user activity’. In Audit Report No. 47, the ANAO noted that:
The NDIA has committed to developing a logging and monitoring policy for the NDIA business system, to developing and implementing a process to review the activities of privileged users and to putting in place processes to gain assurance that Human Services has appropriate controls in place to oversight Human Services IT staff that have access to NDIA systems and data.
2.54
The remaining two of the five moderate audit findings for the NDIA were in the category of compliance and quality assurance frameworks.
2.55
The first of the compliance related moderate audit findings identified in Audit Report No. 24 concerned streamlined access to the NDIS as regards defined programs. The Commonwealth, state and territory governments provide information to the NDIA on existing disability clients transitioning into the NDIS in accordance with an agreed data standard, including if a potential participant is a participant in a defined program. The ANAO identified that, ‘due to the reliance on state and territory information and the limited access review processes for participants once they have been accepted as eligible to the NDIS, there is an increased risk of ineligible participants entering the NDIS and not being identified as ineligible in a timely manner’, with a risk mitigation strategy having ‘not been implemented to address this risk’. ANAO Report No. 47 (2017-18) noted that:
The NDIA has advised that a review of the Defined Program access processes, including the design of a risk-based assessment of participants deemed as eligible under a defined program, has commenced. The completion of this work is dependent on the outcome of legal advice regarding access reviews and the NDIA’s right to revoke access to the Scheme. This legal advice will be used to strengthen guidance and processes around the review of participants who have entered the Scheme through a Defined Program.
2.56
The second of the compliance related moderate audit findings identified in Audit Report No. 24 concerned scheme eligibility. From a sample of NDIS access requests, the ANAO identified a number of cases where ‘supporting evidence was not attached to the client record; additional evidence was requested but an access decision was made prior to receipt of the requested evidence; and the decision maker granting access did not detail the reasons for their access decision’. ANAO Report No. 47 (2017-18) noted that:
a program commenced in January 2018 whereby staff processing access requests have their decision reviewed prior to approval … the level of review of decisions prior to finalisation is linked to the decision makers’ level of accuracy … The ANAO will review this new process as part of our final audit phase. The NDIA has also advised that the review of access decisions is part of its broader assurance program for 2017-18. As this program had not been finalised at the time of the interim phase of our audit, this will be examined during the final audit phase.
2.57
In its submission, the NDIA noted that the five remaining moderate findings ‘all have action underway to address the identified risks’, and that it is ‘committed to these actions to address the outstanding findings’.
Financial statements: audit findings by category
2.58
The Auditor-General issued auditor’s reports on the 2016-17 financial statements of 233 Commonwealth entities, up until 30 November 2017.
2.59
A total of 222 findings were reported to entities as a result of these audits, comprising two significant, 20 moderate and 200 minor. The ANAO rated these audit findings across seven categories, as follows:
Compliance and quality assurance frameworks
Accounting and control of non-financial assets
Revenue, receivables and cash management
Human resources financial processes
Purchases and payables management
2.60
The highest number of significant and moderate audit findings were in the categories of:
one significant (NDIA), 10 moderate, 73 minor findings
compliance and quality assurance frameworks supporting program payments
one significant (NDIA), 5 moderate, 37 minor findings
2.61
The IT control environment is discussed below, as this was a particular focus of the Committee’s inquiry terms of reference.
IT control environment
2.62
IT systems are an integral part of a Commonwealth entity’s control environment supporting the preparation of financial statements. The ANAO noted that the most common area of weakness across IT related audit findings was in security management—in particular, the management of user access and monitoring of privileged users. The ANAO emphasised that a ‘lack of controls around privileged users increases the risk of unauthorised changes being made to systems and data, or unauthorised data leakage and is an area requiring sustained focus by entities’.
2.63
The audit findings for the NDIA in the category of IT control environment were discussed in the section above. Details of the remaining moderate audit findings in this category for other Commonwealth entities are as follows:
Australian Federal Police (AFP)
Financial Management Information System (FMIS) privileged user access management: the ANAO identified a ‘lack of formal approval processes’ for granting privileged user access; ‘inadequate processes’ for removal of access when no longer required; and ‘incomplete monitoring’ of user access
User access to FMIS generic accounts: the ANAO identified that ‘generic user accounts were not assigned to specific individuals’, with such access providing ‘higher level privileges’—activity initiated with these accounts ‘cannot be appropriately monitored’, increasing the risk of inappropriate transactional activity
FMIS user access provisioning and termination: the ANAO identified that the ‘configuration of the position based access provided an excessive number of users with access to sensitive transactions codes’ and ‘modifications to access were made without documentation supporting the approval’
the ANAO noted the AFP had ‘advised that it was implementing processes to address [these] issues in 2017-18’
Department of Defence (Defence)
Monitoring of privileged activities performed by service providers: the ANAO identified ‘lack of monitoring of privileged user access to key Defence systems’
Audit Report No. 47 found that, ‘during the 2017-18 interim audit … Defence had taken a number of steps to remediate this finding’
National Health and Medical Research Council (NHMRC)
User access management: the ANAO identified that external vendors have privileged user access to the agency’s IT infrastructure and FMIS—activities performed were ‘not logged’ and, as a result, ‘no regular monitoring of user activities was performed’
the ANAO noted NHMRC had ‘advised that it will implement processes and controls to address this issue in 2017-18’
Department of Immigration and Border Protection
Management of privileged security users in the IT networks: the ANAO identified ‘weaknesses in the operation of the controls relating to granting and terminating privileged user access’, the use of personal administrator accounts rather than a designated account for the running of scripted jobs, and scripts to deactivate users for inactivity were ‘not fully operational’
Audit Report No. 47 noted that the department had ‘advised it will undertake and implement processes to address the above finding’
Management of IT changes on the corporate network: the ANAO identified ‘weaknesses’ in IT change management processes, increasing the risk that unauthorised or inappropriate changes may be implemented
the ANAO noted Airservices had ‘advised that they will continue to mature the change processes for the corporate network as part of a program of work that started in 2016-17’
2.64
At the public hearings, the Committee further explored the issues identified by the ANAO regarding IT controls, including support provided to entities by Finance.
2.65
Finance noted that ‘accountable authorities have overarching responsibility for the IT controls within their entity’, and that ‘assurance regarding the adequacy of internal controls, including IT controls, is undertaken by an entity’s Audit Committee’. Finance supports entities in ‘applying rigorous internal controls to all of their systems, including IT systems, as such controls enhance the quality of financial and other information,’ but it ‘does not prescribe a whole of government controls regime, as appropriate controls must be tailored to the circumstances of each entity’. Finance further explained that it does ‘talk very regularly with CFOs [chief financial officers], and others, around the kinds of issues that have become concerns … When we see things like ICT controls becoming an issue in a particular place, we will offer support, we will offer help and … we will stay on their case to basically say that this matters’. Finance also observed that, as shared services evolve, with greater ‘standardisation’, the scope to ‘mitigate that risk is very significant’:
That will be not only in the systems they run, therefore reducing some of the variability that comes into play because people have different versions of this or that, but also in the business processes that apply. Under the banner of shared services, Finance and other departments have, in the last year or two, identified 200 or so processes that are very common across government and tried to reach agreement about what those processes ought to look like across government, if you take a whole-of-government perspective. That sort of thing … holds a lot of promise.
2.66
Finance emphasised that the IT control environment is ‘an area that changes or evolves. People have to do things to their ICT systems over time. So it is never a completely stable environment. It is always an environment where you have to go back and refresh these things … the exact nature of the ICT controls will never be completely static from one year to the next’. The Auditor-General similarly commented that IT control issues are a ‘recurring problem’:
We identify issues, and entities then usually fix them … And then people take their eye off it again and it comes back up again. It is a recurring thing in the sense that it seems to be fixed but it is something you need to keep a focus on all the time in order to prevent it from happening. In some cases, entities take their eyes off it. They don’t deal with their administrator access controls. They don’t effectively deal with making sure that users who are no longer in their department are removed from access and those types of things.
2.67
As to whether there were any best practice processes that might assist in addressing these IT control issues, Finance noted that it encourages ‘sharing of best practice and information so that there is a conversation between entities and between CFOs’. The Auditor-General also pointed to a number of better practice system processes, such as ensuring that ‘your access control environment is linked to the HR system so that when people are taken off the HR system they lose access’ and ‘continuous monitoring frameworks’.
Equity investment, concessional loans and contingent liabilities: budget, accounting and valuation rules
Definitions, accounting and auditing policies, and key financial reporting documents
2.68
The Committee terms of reference for the Commonwealth financial statements identified, as a particular focus, the budget, accounting and valuation rules for equity investment, concessional loans and contingent liabilities.
2.69
All financial statements prepared by the government, including those for the Budget, must comply with AAS and GFS standards. The two sets of relevant accounting standards are prescribed in legislation and set independently of the government. The AAS are mandated for financial statements by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Corporations Act 2001, and AAS and GFS are mandated for budget reports by the Charter of Budget Honesty Act 1998. In addition to these external standards, the financial statements format is derived from the Uniform Presentation Framework. The Auditor-General examines compliance with AAS standards as part of the financial statement audits.
2.70
Further information regarding the impact of expenditure, including equity investments and concessional loans, on the key budget aggregates, such as net operating balance, fiscal balance, net debt, headline cash balance and underlying cash balance is available in Finance Advice Paper, General Principles for Recognition of Expenditure in Budget Aggregates (July 2018).
2.71
Finance provided detailed definitions for the terms ‘equity investment’, ‘concessional loans’ and ‘contingent liabilities’. See also the following Finance publications:
Finance Advice Paper: Q&A—Concessional Loans (August 2018)
Finance Advice Paper: Q&A—Equity Investments (August 2018)
2.72
Accounting policies for equity investments, consistent with accounting standards, are set out in note 5C to the CFS and AAS. Expected future cash transactions in equity investments are included in the reconciliation of headline cash balance to underlying cash balance, and itemised where there are no confidentiality issues. Information about aggregate equity investments is also disclosed in the Note 5C of the CFS. Disclosure of the values of individual government bodies and the basis of valuations, including public corporations, is included in the financial statements of the relevant portfolio entity.
2.73
Accounting policies for concessional loans, consistent with accounting standards, are set out in the GFS Manual and AAS. The principal difference between GFS and AAS accounting for concessional loans is in the treatment of the concessional element, which is an ‘other economic flow’ for GFS and an initial expense for AAS. Loan programs are disclosed in the Budget papers. Significant individual loan programs, including concessional loans, are disclosed in the Statement of Risks. Expected future cash transactions in significant individual loan programs, including concessional loans, are included in the reconciliation of headline cash balance to underlying cash balance. Concessional loans are also disclosed in Note 5A of the CFS.
2.74
Contingent liabilities are required to be included in budget reports in the Statement of Risks, as well as Note 9A to the CFS. Where capable of being quantified, contingent liabilities are recorded in the notes to the financial statements at the best estimate of the amount that would currently be required to settle the obligation—normally measured as the expected financial outcome.
PBO research
2.75
The Committee’s public hearings for the inquiry explored whether the PBO was undertaking any research on equity investment, concessional loans and contingent liabilities, and the applicable budget, accounting and valuation rules. The PBO outlined that one of the elements of its research program is to ‘undertake an examination of the accounting and budget impact of alternative financing mechanisms that are being used’, with the aim of publishing a report on this matter in 2019. Work in this area ‘links back to the PBO’s mandate to improve transparency around budget issues and to assist the parliament in making informed decisions about policy proposals and pieces of legislation that come before the parliament’. The Parliamentary Budget Officer noted two observations from this work:
First of all, we’ve observed that there seems to be an increasing use of alternative financing mechanisms over time, and we think it would be quite useful for this report to document that—to step back and have a look at how the government’s financing of different sorts of investments has been changing over time. We’ve also observed that other organisations, like the IMF and the Office of Budget Responsibility in the UK, have been doing some work on these sorts of issues and how alternative financing mechanisms are being reflected in budget documentation. So we thought it would be useful to look at that work and see whether there are any reflections back to the way these are treated in Australia.
I would emphasise that we don’t have a view that these sorts of arrangements are inappropriate at all. We are really just coming from the perspective of making sure that the budget documentation can provide transparency—what’s the appropriate degree of transparency around what the budget impact of these sorts of arrangements are both when they are announced and over time?—so that it’s possible to understand how these arrangements are working to make a judgement as to whether or not they are working well.
2.76
The PBO further clarified that ‘when we say “alternative financing mechanisms”, we have a fairly big bucket here’:
We are talking about concessional loans, like loans to the WestConnex project in New South Wales; direct loans such as to the NBN; income-contingent loans like HELP loans; the establishment of lending facilities. Sometimes they are in the government sector and sometimes outside, like the CFC and Northern Australia Infrastructure Facility; equity injections like to NBN Co or into the Australian Rail Track Corporation or Snowy Hydro; and guarantees—though they haven’t been used so much recently … the main characteristic of them is that they’re not grants.
2.77
The PBO research report was expected to include:
an explanation of how the budget expresses and presents risks to the balance sheet and why that is important; a description of what alternative finance arguments are; some metrics around how they are being used historically in Australia; a simple-to-follow guide that will give parliamentarians and others a useful tool to assess how different instruments affect, how they are treated in the budget and how that presentation works. Then also … there will be some research on how fiscal authorities in other countries represent the transactions in their budget papers.
2.78
The PBO noted it had previously published two research reports in this area—National Broadband Network: Impact on the Budget, Report No. 04/2016 (December 2016); and Higher Education Loan Programme: Impact on the Budget, Report No. 02/2016 (April 2016). Both reports consider alternative financing arrangements. The PBO emphasised that ‘both of those exercises certainly demonstrated to us that at times it is quite difficult to understand what the budget impact of some of these arrangements are … We think that they are reflected in the aggregates. But it is actually in understanding the detail where it can be more difficult to unpack the impacts’.
2.79
The PBO also observed that ‘we are conscious in our engagements with parliamentarians’, concerning requests for costings involving the use of alternative financing arrangements, about ‘how challenging it can be for parliamentarians to understand what the actual impacts of these arrangements are on different measures of the budget aggregates and then also on net worth’:
So we have developed some practices within our costings side to provide more transparency to parliamentarians when we are providing advice on the costings for policy proposals that involve alternative financing arrangements. We think that that has probably provided more transparency to those parliamentarians than is sometimes available in the budget documentation.
2.80
The PBO noted the ‘different drivers for different alternative mechanisms’:
For equity investments, it’s because the government has come to the conclusion that it could be of benefit to the government to make an equity investment into a particular organisation because the government would then be able to benefit from some of the future dividends flow from that organisation. There could be a benefit from a net worth perspective in making an equity investment rather than a direct grant, for example, to an organisation. That’s on the one hand. On the other hand, we have a long history of having alternative financing arrangements being used in programs.
2.81
As to whether its research in this area would comment on the transparency around concessional loans, contingent liabilities and equity projects, the PBO responded that ‘there is what’s in the consolidated budget papers compared with what’s in the departmental portfolio budget statements compared with what’s in the annual reports and the details that entities themselves publish … what we are trying to do is to actually spell that out, and we’re not yet at the point of being able to determine whether there’s a particular view that we are going to land on about whether there is or isn’t enough transparency’.
Valuation processes
2.82
In 2016-17, the Auditor-General adopted Key Audit Matter (KAM) reporting, consistent with Auditing Standard 701, Communicating Key Audit Matters in the Independent Auditor’s Report (ASA 701).
2.83
Audit Report No. 60 (2016-17), Interim Report on Key Financial Controls of Major Entities, reported a total of 57 KAM across 25 Commonwealth entities. Details of these KAMs were also reported in Audit Report No. 24 (2017-18). Communicating KAM helps users of financial statements better understand those matters that, in the auditor’s professional judgement were of the most significance in the financial statements audit.
2.84
The majority of KAM reported in 2016-17 related to the valuation assertion in respect of assets and liabilities such as:
loans and other receivables
property plant and equipment
2.85
The public hearings further explored a KAM relating to the Communications and Arts Portfolio. The ANAO identified, as a key area of financial statements risk, the valuation of the Australian Government’s investment in the NBN Co and Australian Postal Corporation, due to the ‘complexity of the valuation process in light of estimates and judgments required’. As the Auditor-General explained, ‘some of the issues that are of significant complexity—difficult to measure, and impose risks—are those valuation activities’:
For NBN, the issues that we deal with … are how you value the asset base to appropriately reflect its income-earning capacity. What we do for NBN is look at the valuation on a cost basis, and then undertake an impairment assessment of it. That impairment assessment is an economic impairment, and it looks at the discounted cash-flow type of activities, so we get a triangulation of what an appropriate valuation is. So the entity is doing that, we’re retesting it and checking to see whether it’s appropriate. It’s complex, it’s assumption based, therefore it has risks associated with it. Similar things flow through to Australia Post.
2.86
The Auditor-General provided further information on how the ANAO tests the reasonableness of the assumptions underpinning these valuations:
They are assumptions—forecasts, whatever—so when we undertake the audit of these things we use the relevant audit standards with respect to that. Almost invariably, assumptions change as the world changes around us. We’re testing them to see whether they are the most robust assumptions at the point of time that the accounts are presented. I sign off those accounts on the basis of the work we do. When the NBN accounts are tabled, you’ll see the assurance that we give, and it will describe some of the work we do in this context … This is an area, like all of them, where we undertake our audit robustly. I can provide that level of confidence, because we signed off the accounts.
2.87
As to the process by which NBN Co is valued, Finance outlined that:
Every year, NBN is valued for the purposes of the accounts. It flows through the accounts of the Department of Communications and the Arts. It gets picked up in the consolidated financial statements. Every year, the process is done rigorously, both from the perspective of the preparation of the statements and from the perspective of the audit … Every year, when a figure is published for the valuation of NBN, that is the best possible information tested by the best possible means at that point in time, with all of the relevant assumptions tested at that point in time … … … when a number is published that gives a value to NBN, that is the best possible number that can be put on it.
2.88
Finance further emphasised the ‘rigorous process’ behind such valuations—‘the [NBN] board is responsible for running its business. It is responsible under the law for signing off on their accounts. They have gone through an incredibly rigorous process by the time they produce that. They test those assumptions’:
The very first thing that happens is that the board makes judgements and reaches conclusions based on all of the streams of information that are available to it. The board and its statements are themselves subject to audit. Then there are all of these other steps. The steps of consolidating them into the accounts of the Department of Communications and the Arts, and then the further step of consolidating it into the consolidated financial statements, goes through audit again, from a different perspective. So, in many ways, if you count internal audit, audit of NBN, audit of the Department of Communications and the Arts and audit of the consolidated financial statements, you can say that there are many layers here by which every piece of information that is relevant can be brought to the table—is brought to the table and is tested. Therefore, the number that comes out of it is the best possible number.
2.89
There was interest in a recent Standard and Poor’s publication on the NBN. The Auditor-General noted that, ‘with respect to our audit of the 2017-18 accounts of NBN, the Standard & Poor’s work came out during the course of that audit. We considered the analysis that they did in the context of it, like we would any of that type of analysis … Standard & Poor’s analysis came out, we saw it and we took it into account in undertaking our analysis’.
2.90
The PBO was asked if it had conducted any research identifying how much equity the government had invested in the NBN and how that compared to the current valuation of the NBN. The PBO responded that ‘the paper that we published in 2016 on the NBN tried to do exactly this … That paper was entirely based on publicly available information, but it was quite challenging to pull it together’. As the PBO further explained:
What we were doing in the NBN paper … was trying to track through time on a historical basis—so up to the latest information we had—and answer what the budget impact of the Commonwealth’s investment in the NBN is. So the way we went about that was we started at the bottom level. We went to the NBN Co annual reports and the financial statements that are contained in those and looked at the financial reporting that was in their statements, tracking that through to the annual reports of the Department of Communications and the Arts—how they were valuing the assets. There is a contributed equity and then there is a fair-value valuation, which is the value that the Commonwealth is placing on that particular asset at the point in time. Then we had a look at how that was reflected in the budget papers.
As part of that exercise and that report, we were able to on an annual basis work through from the NBN Co annual reports up through the budget papers to see what the budget impact was. Now, that’s on historical bases up to the latest actuals … on a forward-looking basis, it’s a bit more challenging to find the disaggregated information around the issue of valuations.
2.91
The PBO described its experience in trying to track such information—‘in a historical sense, it does require going through pages in terms of the entities’ annual reports and agencies’ reports through to the budget papers, but, in a forward-looking sense, it’s largely the measure descriptions … and to some extent the statement of risks’. As the PBO further observed:
As a general comment, based on our experience with research publications, there is more disaggregated information on the past budget impacts of alternative financing arrangements than there is on the projected future budget impact.
In our experience, entity and departmental annual reports tend to have detailed disaggregated information on a historical basis about the actual budget impacts on equity investments, asset valuations and flows relating to loans.
The forward looking Portfolio Budget Statements that are released as part of the budget papers tend to have less disaggregated information than annual reports. This makes it difficult to identify expected asset values and flows related to the individual entities administered by a government department.
2.92
On notice, Finance, the ANAO and the PBO were asked how much equity had been invested in the NBN, and for total government contributions to the NBN and the valuation of the NBN. On notice, Finance, the ANAO and the PBO were also asked about the projected draw-down of the loans and contribution of equity to the NBN, and any sense of the likely valuation as that occurs.
Equity investment
2.93
There was interest at the Committee’s public hearings in further understanding where details might be located in budget documentation for new projects such as infrastructure packages. Finance explained that:
New decisions of government will be reported in Budget Paper No. 2, which is the list of measures. Within Budget Paper No. 1, statement 9 is headed ‘Statement of risk’. Within that, there is a summary of Australian government loans exceeding $200 million … It gives you a listing of those and some information in relation to them. Then there are descriptions beyond the table, which gives you some more context there. That also gives you the indication of which portfolio those loans sit with. You’d be able to go back to the portfolio budget statements of the individual portfolios and information that they have available to give you further detail.
2.94
Finance confirmed that, before an equity investment is made, ‘an assessment is undertaken to determine whether it’s likely that a rate of return after inflation on the government’s investment will be achieved’. If, at a future point in time, ‘there’s an assessment done of a future investment and it isn’t anticipated that it will meet the threshold rate of return’, then a payment at that time ‘may be considered to be a grant’, and ‘if it was projecting to be a loss, we would only make some budget provision for that at the time that we were committed to contribute towards the loss’. In terms of the three sectors within government (the general government sector, the public non-financial corporations sector (PNFCs) and the public financial corporations sector), Finance further noted that the ‘first test for an equity investment is that the investment can only be by the general government sector in one of those other sectors’—typically the public non-financial corporations sector. In terms of the second and third tests, ‘one is about an expectation of a real rate of return at the time the investment is made and the other is about the expectation of the ability to recoup the investment’. As to what time period would be considered reasonable for recouping such an investment, Finance responded that, ‘if we’re talking about a business that has a five-year time span, then we’re talking five years. If we’re talking about a business that’s an ongoing operation, then it’s a much longer time frame’.
2.95
Noting the integrity of Commonwealth budget and accounting rules, there was also interest in exploring whether there was sufficient transparency at the project-level in financial reporting to track the following scenario—where an equity investment is made in a project (that does not generate a real rate of return and repay its capital within a reasonable time frame) and that project is placed in an otherwise profitable entity (that does generate a real rate of return and repay its capital within a reasonable time frame), with this lowering the entity value (reducing entity returns and a government’s net worth in future years) and the loss then being reported as an ‘other economic flow’.
2.96
Finance explained that transparency at the project level is provided through such documents as entity annual reports, audited entity financial statements and the Portfolio Budget Statements, as well as published business cases, rather than in the CFS and Budget documents, which provide aggregates and consolidations:
The right place to go and look for the level of impact [regarding projects] … is in the entities which have projects. They also have audited financial statements and they publish them in annual reports and other places—in plans and other documents. That’s where you will get that sort of detail. When we are talking about budget documents and CFSs, we are talking about aggregations and we are talking about the cumulative impacts, some of which are pluses and some of which are minuses. And we are talking about the cumulative impacts on the government’s position as a whole. In effect, that’s what these documents are trying to get across. They are not trying to get across the detail of an individual project because there are other places where that happens.
2.97
The PBO further commented that, ‘in the statement of risk, so statement 9, there is a listing … of government loans above $200 million on an individual loans basis. So the government does choose, or has over time chosen, to provide that level of detail around the exposure of the budget, or the balance sheet, to individual significant loans’.
2.98
As to which reporting documents would provide transparency in terms of the equity investment in the Australian Rail Track Corporation (ARTC), Finance responded that:
if you’re looking at the impact on the ARTC itself and the return it is getting on its own investment, that should be evident from its own annual report, where it would publish its own financial statements, publish its own balance sheet—profit and loss and what have you. If you are looking at the impact of the value of the business to the government, that would be reported in the financial statements of the responsible portfolio department. In their notes to their financial statements, they would identify the current values of the investments the government has in the various public corporations.
2.99
Finance provided an answer to a question on notice regarding the projections for the ARTC’s cash flows, returns, value and other financial metrics—both including and excluding the inland rail project. Some members of the Committee were not able to fully understand the impact on the ARTC’s profitability of being required to deliver the Inland Rail project. The Committee is interested in reporting approaches that will keep the Parliament informed about any changes to results during the life of a long-term project, where those changes could impact on the timing of its expected contribution to future profitability.
Other audit matters
Timeliness of financial reporting
2.100
The PGPA Act requires Commonwealth entities to provide an annual report to the entity’s responsible Minister by the 15th day of the fourth month after the end of the reporting period (15 October). Audited entity financial statements are included in an entity’s annual report.
2.101
Of the 178 entities required to table an annual report in 2016-17:
54 auditor’s reports (30 per cent) were signed within two months
108 auditor’s reports (61 per cent) were signed between two and three months
2.102
In relation to the dates of annual reports being tabled in Parliament:
two entities tabled the annual report within three months
151 entities tabled the annual report between three and four months
the remaining 25 entities tabled the annual report four months or more after the reporting date
2.103
The length of time taken by entities to approve and table the annual report from the date the auditor’s report was provided was:
approve the annual report: from zero to 91 days with an average time of 17 days
table the annual report: from 13 to 102 days with an average time of 47 days
Financial sustainability
2.104
The ANAO has developed parameters based on generally accepted concepts of financial sustainability and applied these to the operating results and balance sheets of the 68 material Commonwealth entities. The Auditor-General noted there would be ‘benefit in the Government developing performance targets or benchmarks to enable entities to assess their own financial sustainability against agreed parameters over time and against like entities’.
2.105
In JCPAA Report 463: Commonwealth Financial Statements, the Committee recommended that: ‘the Department of Finance, in consultation with the Australian National Audit Office, work to: develop appropriate and robust performance targets or benchmarks, which can be publicly reported, to enable Commonwealth entities to assess their own financial sustainability against agreed parameters over time and against like entities’ and ‘provide the Committee with a timeline and milestones for implementation of this initiative’.
2.106
In the Executive Minute response to the Committee’s recommendation, Finance noted that financial sustainability performance metrics ‘could be released as part of the rollout of digitised 2018-19 Annual Reports’.
Executive remuneration reporting
2.107
The ANAO noted that GBEs and Commonwealth entities were requested to provide additional information on their websites relating to senior management personnel remuneration, starting from the 2016-17 reporting year, by 31 July 2017.
2.108
The ANAO examined the executive remuneration reporting of 157 entities to establish whether they had published the requested information and when it was published. As at 31 October 2017, 134 had published the information—the 23 entities that had not published this information advised the ANAO this was variously due to:
two entities not being aware of the request
the current reporting in the financial statements, separately provided on the website, being considered adequate
the current reporting in the financial statements being considered adequate
the reporting not adding additional information as all executives were appointed under the remuneration tribunal
the decision to publish the requested information in the annual report or on the website at the time of tabling the annual report
2.109
A total of 68 entities (some 50 per cent) published the information in accordance with the requested timeframe of 31 July, with a further 36 entities (27 per cent) published in August. The ANAO noted that four entities did not provide a breakdown of the components within the remuneration package.
2.110
At the public hearings, Finance provided an update on Commonwealth entities and companies that had not published information on executive remuneration, as at 11 September 2018.
2.111
In JCPAA Report 463: Commonwealth Financial Statements, the Committee made a number of recommendations to reinstate disclosure of executive remuneration reporting by Commonwealth entities, including GBEs, consistent with previous practice and also reflecting, as relevant, Australian Securities Exchange requirements.
2.112
The recent report of the Independent Review into the Operation of the PGPA Act and Rule also made the following recommendations on this matter:
Current arrangements for reporting executive remuneration across Commonwealth entities do not provide sufficient transparency and accountability for the use of public resources for this purpose. To improve transparency and accountability on executive remuneration, we recommend:
35. Accountable authorities should disclose executive remuneration in annual reports on the following basis, as shown in Appendix C to this report:
(a) the individual remuneration (including allowances and bonuses) of the accountable authorities and their key management personnel on an accrual basis, in line with the disclosure by Australian Securities Exchange listed companies; and
(b) the number and average remuneration (including allowances and bonuses) of all other senior executives and highly paid staff, by band and on an accrual basis, broadly consistent with the reporting arrangements in place up to 2013-14.
36. Accountable authorities should provide an explanation of remuneration policy and practice, relating to key management personnel, senior executives and other highly paid staff, broadly consistent with the reporting practices of Australian Securities Exchange listed companies.