Chapter 2 - Areas of inquiry by the Committee

Principal audit findings

Legislative breaches

2.1 The ANAO identified 14 legislative breaches in the Financial Statements Audits for 2022-23. These included 10 moderate and one minor legislative breach which mostly related to incorrect payments of remuneration to key management personnel and/or non-compliance with determinations made by the Remuneration Tribunal.[1] Three of the legislative breaches were categorised as significant (see Appendix C) and are discussed below.

Northern Land Council

2.2 One unresolved significant legislative breach by the Northern Land Council (NLC) had first been identified in 2012-13 and involved non-compliance with the legislative requirement [Aboriginal Land Rights (Northern Territory) Act 1976] that royalty trust funds be distributed to traditional owners within six months.

2.3 In its submission to the inquiry addressing this long-standing issue, NLC commented that it had ‘no difficulty paying Land Rights Act sub-section 64(3) mining royalty-equivalents within the sub-section 35(2) six months timeframe’ as it had standing arrangements in place to make these payments to specific Aboriginal Corporations.[2] NLC further stated in this regard however:

Failure to pay within six months has occurred only in respect of lease, licence and other income about which NLC staff needed to identify, assemble and consult traditional owners, after this income was received and accounted. These problematic categories of receipt, especially in respect of leases and license agreements made pursuant to Land Rights Act sections 15, 16 and 19, increased markedly over the last decade.[3]

2.4 NLC further remarked in its submission that it is continuing to implement strategies, particularly in relation to securing more multi-year standing payment agreements with traditional owners, that are increasing its capacity to meet the six-month requirement.[4]

Tiwi Land Council

2.5 Tiwi Land Council was found to have an unresolved breach from 2021-22 in which no formal system of risk oversight and management had been put in place, in contravention of Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

2.6 Tiwi Land Council noted in its submission to the inquiry that it had ‘engaged an external consultant to (a) develop the Council's risk management framework and (b) advise the council in relation to implementing a risk monitoring framework in November 2023’.[5]

2.7 Tiwi Land Council further stated in its submission that this work was progressing well against its objectives and that it was recruiting a Governance, Risk Management and Compliance Officer.[6]

Department of Health and Aged Care

2.8 The Department of Health and Aged Care (Health) was newly found to have potentially breached section 83 of the Constitution by not complying with finance law in respect of certain payments.[7]

2.9 Health noted in its submission to the inquiry that there were four programs or payment types that may have had actual or potential section 83 breaches:

  • aged care subsidies and fees
  • Medicare Easyclaim program
  • telehealth assignment of benefits
  • services rendered or referred by midwives.[8]

2.10 Health further submitted to the Committee that it was reviewing appropriate corrective actions in relation to compliance with section 83 and developing legislative or program changes to prevent future breaches.[9]

2.11 At the public hearing on 24 April 2024, Health stated that:

… there are a whole heap of different reasons why these issues are noncompliant with the Constitution, from administrative error within Services Australia and the way in which they were managing a particular issue through to legacy system issues that really only became apparent through this audit and inconsistencies in the way in which payments are made consistent with the relevant act. I think what has been really helpful for us to do is have a look at all of those to the degree we can to make sure, within Services Australia, that systems, processes and legislation are all regularly reviewed to make sure the way in which money is being paid is consistent with financial law.[10]

2.12 Health further remarked at this hearing that it has a financial assurance census process that is designed to enhance financial governance and control, including any potential section 83 issues.[11]

Executive remuneration

2.13 Noting that 7 of the 11 non-significant legislative breaches identified in the 2022-23 audit related to ‘incorrect payments of remuneration to key management personnel (KMP) and/or non-compliance with determinations made by the Remuneration Tribunal’, ANAO stated in the audit report:

It is important that entities have a robust framework in place to govern payments made to KMP to ensure that they are consistent with policy or legal requirements. Effective management of remuneration includes aligning payroll process with policy, legal and contractual requirements.[12]

2.14 ANAO found in the audit that the causes of these incorrect payments included:

  • incorrect rates of superannuation or incorrect calculation of base salary for superannuation being factored into total remuneration
  • allowances and other payments paid to executives that were not provided for in contracts or a Remuneration Tribunal determination
  • reportable fringe benefits that were provided by an entity that were not included in the calculation of salary
  • acting arrangements or engagements with other Commonwealth entities that did not attract remuneration being paid to executives or board members
  • bonus payments made to executives that were not provided for in the relevant determination or contract.[13]

2.15 The acting Auditor-General noted at the 19 April 2024 public hearing for the inquiry that the entities in question were not named in the audit report.[14]

2.16 The Department of Finance (Finance) emphasised in its submission to the inquiry that it has responsibility for administering executive remuneration reporting requirements for Commonwealth entities, which are set out in the PGPA Rule[15], but is not responsible for determining remuneration policies and practices. Finance stated:

This is done through various mechanisms depending on the type of entity, employment arrangements (for example employing under the Public Service Act 1999) and Remuneration Tribunal Determinations.[16]

2.17 At the public hearing on 19 April 2024, the acting Auditor-General reflected on this issue more broadly upon questions from the Committee around agency culture and public expectations:

It's making sure that the entitlements are monitored, assured, governed, and also that there's no risk that the person who's doing that is just saying, 'That's the boss—you have to do this' or 'I'll just tick it because it's the boss.' It's thinking about where in the organisation you can get assurance from. I'm concerned about non-compliance with determinations made by the Rem Tribunal. It's a long-standing framework and it ought to be well governed. So that's a concern.[17]

2.18 The acting Auditor-General stressed at this same hearing that these were compliance breaches, and that nothing untoward had been reported by ANAO in relation to executive remuneration, but that ‘chief executives, secretaries, boards should be assured that their remuneration is being well managed’. The acting Auditor-General further commented:

We have a very mobile workforce in many respects in Australia. It is an area that we're focussing on in our financial statements auditing this year, because we do see different arrangements even within the Rem Tribunal framework, where people live in a city and work in another, not just travelling for business purposes but almost commuting as a traveller interstate et cetera. We want to make sure that the frameworks that people are applying to all of that are well-managed and robust and that people comply.[18]

2.19 ANAO also commented on prior instances where entities had not been aware of the restrictions under the Remuneration Tribunal Act that Commonwealth officials cannot receive any further remuneration if they perform a statutory role with another Commonwealth entity.[19]

Other significant and moderate audit findings

2.20 ANAO reported 9 significant (8 new, 1 repeat/unresolved) and 36 moderate (24 new, 12 repeat/unresolved) findings in its audit of the 2022-23 financial statements (see Appendix C).

2.21 These significant and moderate findings were predominantly in the categories of:

  • governance of legal and other matters impacting entity financial statements
  • IT governance including security, change management and user access
  • accounting and control of non-financial assets (including computer software).[20]

2.22 Ineffective IT controls continued to be a key issue. There was an increased number of audit findings in 2022-23 in this respect, with 78 per cent of entities found not to have appropriate systems in place to monitor user access after employment cessation.[21] These matters are scrutinised and commented on further below in this chapter.

Committee comment

2.23 Any legislative breaches uncovered by the financial statements audits are always of particular concern to the Committee given the central role that public sector entities must play in ensuring the robust application of Commonwealth laws and regulations. The actions being taken by the two land councils and by Health to address their respective significant breaches are noted. The Committee welcomes the fact that these entities appear to have accepted the seriousness of these issues and are taking active steps to mitigate them.

2.24 The issue of executive remuneration breaches is no less troubling, notwithstanding the fact that they were compliance breaches and not classified as significant by ANAO. The Committee agrees with the acting Auditor-General’s comments that they have implications in terms of the prevailing culture of the agency and also public expectations regarding pay and other entitlements for public servants. The Committee fully agrees also that the frameworks around executive remuneration, such as the Remuneration Tribunal, are long-standing and there should be an expectation across all entities for robust governance and full compliance with the rules.

2.25 Finance should take a more active role in dealing with instances of executive remuneration breaches and the Committee would like to see it actively engage with this issue to strengthen and increase future compliance.

Recommendation 1

2.26 The Committee requires an update within six months of the tabling of this report from the Northern Land Council, Tiwi Land Council, and the Department of Health and Aged Care on their respective progress in addressing the significant legislative breaches identified by the Australian National Audit Office.

Recommendation 2

2.27 The Committee recommends that the Department of Finance amends the current guidelines to require that it be notified immediately of any breach of the executive remuneration rules and then engage with the entity in question to discuss remediation steps. The Committee is requesting an anonymised update from the Department of Finance within 12 months of the tabling of this report on the number of reported breaches it has received, the amounts involved, and whether they have been adequately resolved.

Preparation of financial statements

Overview

2.28 The ANAO found overall that the financial statements had been finalised, and auditor’s reports issued, for 91 per cent of Commonwealth entities within three months of the 2022-23 financial year-end. This was an increase from the previous year (86 per cent).[22] ANAO further stated that:

A quality financial statements preparation process will reduce the risk of inaccurate or unreliable reporting. Seventy-two per cent of entities delivered financial statements in line with an agreed timetable, an increase compared with 2021–22 (65 per cent).[23]

2.29 ANAO also noted however that many annual reports were still not being tabled in time to be scrutinised at subsequent Senate Estimates hearings and that only 66 per cent of entities met this timeframe in 2022-23, down from 74 per cent in 2021-22.[24]

2.30 Noting that ‘an effective internal control framework provides a level of assurance that entities are able to prepare financial statements that are free from material misstatement’ the audit report indicated that this was the case for the majority of entities in 2022-23.[25]

2.31 ANAO further indicated in this regard that:

For entities where audit findings were reported, the ANAO was required to undertake additional audit procedures to obtain sufficient and appropriate audit evidence that provided reasonable assurance the entity’s financial statements were not materially misstated.[26]

2.32 The ANAO stated that its 2022–23 audit approach identified six key areas of financial statements risk that had the potential to impact the Australian Government, and which were therefore considered Key Audit Matters (KAM).[27] These were:

  • accuracy of taxation revenue
  • accuracy and occurrence of personal benefits expense
  • valuation of superannuation liabilities
  • valuation of collective investment vehicles
  • valuation of specialist military equipment and other plant, equipment and infrastructure assets
  • valuation and disclosure of Australian Government Securities.[28]

Weaknesses in consideration of legal matters

2.33 Five of the nine significant and unresolved audit findings in 2022-23 had implications for the timely and accurate preparation of financial statements for the entity in question. Four of these related to weaknesses in the consideration of legal matters, representing a failure of governance, at the Department of Education (Education), Department of Health and Aged Care (Health), Department of Social Services (Social Services), and Services Australia.[29]

2.34 ANAO found instances ‘where information on legal matters was not referred to entity Chief Financial Officers, or was not otherwise assessed for impact on the financial statements’.[30]

Department of Education

2.35 The ANAO stated in the audit report in relation to this significant issue for Education that it became aware of ‘legal matters from a source other than the Department that had not been considered in the preparation of the financial statements, nor advised to the ANAO’.[31]

2.36 Education noted in its submission to the inquiry that a late adjustment to its financial statements was required due to this matter and that it had since undertaken ‘improvement actions’.[32] Education further submitted:

The department has developed a framework to support the timely communication of any systemic or otherwise significant legal non-compliance within the department and periodic reporting to senior executives and to the Audit and Risk Committee. A project closure pack was submitted to the ANAO, with a view to working with the ANAO during the 2023-24 financial statements audit to close the finding.[33]

2.37 Education noted also in its submission in relation to closing this finding that ANAO had issued an ‘Interim Management Letter’ in May 2024 in which it downgraded this audit finding based on the evidence that had been presented in the year to date and that ‘the ANAO will finalise audit testing late August 2024, and the department continues to work with the ANAO to close the finding’.[34]

Department of Health and Aged Care

2.38 ANAO had not been notified by Health that legal advice had been sought in August 2022 in conjunction with Services Australia regarding the payment of residential aged care subsidies. This advice was not then considered in the preparation of Health’s financial statements.[35]

2.39 Health commented in its submission that it has since strengthened its governance arrangements ‘to ensure that responsible program, legal, and finance areas within Health and Services Australia are aware of all relevant legal matters and legal advice’.[36]

2.40 Health further advised at the public hearing that it attends quarterly meetings with Services Australia on financial reporting matters, specifically including section 83 and other financial statement risks.[37]

2.41 Health also stated in its submission:

The Chief Financial Officer has been added to the membership of the Strategic Business Committee, which has responsibility for oversight of the Government's health and aged care related policy for which both the Department and Services Australia are jointly accountable, and where consideration of legal matters is a standing agenda item. In addition, the Chief Counsels of the Department and Services Australia meet formally to report on and consider significant legal matters.[38]

Department of Social Services

2.42 Social Services indicated in its submission that its significant ‘governance of legal and other matters’ finding from the financial statements audit related to the late disclosure of information on income apportionment, which had been the subject of an own-motion investigation by the Commonwealth Ombudsman.[39] Social Services commented in this regard that:

The sensitive nature of the Ombudsman review and associated legal issues meant that the information was not widely shared across the department, despite the potential for financial statement implications.[40]

2.43 Social Services noted in its submission that it had agreed with ANAO that this was an issue as soon as it was raised, and immediately implemented a new quarterly legal risk report as part of its response.[41] Social Services further stated:

The quarterly reporting cycle the department has instigated for the legal risk report will also provide the ANAO with greater visibility and assurance around the management of significant legal matters by the department with financial implications relevant to the ANAO’s audit.[42]

Services Australia

2.44 Services Australia also noted in its submission that several instances of non-compliance with laws and regulations had not been brought to the attention of the ANAO and that their possible material impact on the financial statements had therefore not been considered.[43]

2.45 Services Australia recognised this deficiency in its submission to the inquiry, stating:

The Agency acknowledges the requirement for strengthened legal risk identification and reporting mechanisms, and has implemented a new legal risk register which will be utilised to keep the ANAO, ARC, agency senior officials and partner agencies informed of potential significant legal issues that are likely to have a material impact on financial statements for affected agencies.[44]

Certain entities with high financial statements risks

Financial sustainability

2.46 The ANAO reported from its financial statements audit of the Department of Agriculture, Fisheries and Forestry (DAFF) that it had ‘identified an additional area of financial risk relating to financial sustainability for which specific audit procedures were performed during the course of the audit’.[45] ANAO further indicated:

In light of the key areas of risk and the ANAO’s understanding of the operations of DAFF, during the interim phase of the 2022–23 audit the ANAO increased the overall risk of material misstatement in the financial statements audit from moderate to high in 2022–23. This increase was a result of DAFF’s forecast financial position for 2022–23, which increased the risk that entity level and transactional internal controls important to financial management, preparation of the financial statements and the supporting information technology (IT) environment may not operate effectively.[46]

2.47 DAFF stated in its submission that while the ANAO’s reassessment of this risk rating from moderate to high was appropriate, it regarded its financial sustainability as favourable in 2023-24 for the following reasons:

  • funding supplementation received in late 2022-23 which restored the department’s cash reserves to an acceptable level
  • increases to biosecurity fees and charges on 1 July 2023 approved by the Minister for Agriculture
  • additional funding provided by the government through MYEFO to sustain export regulatory functions.[47]

Other risks of material misstatement

2.48 ANAO identified three KAMs for the National Disability Insurance Agency (NDIA) that were associated with a high risk of material misstatement:

  • Accuracy and occurrence of participant plan expenses
    ◦ continued growth in participant numbers entering the Scheme
    ◦ the high volume of transactions
    ◦ decisions as to the appropriate level of support and therefore the associated expenses are complex as the Scheme participants have varying needs
  • Valuation of participants’ plan provisions
    ◦ significant judgements and assumptions about the timing and amount of cashflows need to be made due to the complexity of estimating the pattern of support claimed by participants or providers
  • Completeness, occurrence and accuracy of contributions of in-kind services from state and territory governments
    ◦ reliance on third party data from state and territory governments
    ◦ in-kind revenue and expenses may be misstated if services provided directly to eligible participants by states and territories are not reported to the NDIA in line with bilateral agreements.[48]

2.49 NDIA noted these areas of risk in its submission to the inquiry and commented that it ‘undertakes a risk assessment of the potential for financial misstatement at a financial statement note level[49], as part of its annual financial statement preparation process’.[50] NDIA further submitted:

[NDIA] then prepares a financial statement preparation plan which outlines its procedures to reduce each potential risk of misstatement to an acceptable level. This process addresses the ANAO’s key areas of financial statements risk.[51]

2.50 ANAO also reported a high overall risk of material misstatement in the 2022–23 financial statements audit for the Department of Climate Change, Energy, the Environment and Water (DCCEEW), which included three higher rated KAMs:

  • valuation of water entitlements assets
  • valuation of the Australian Government’s investment in Snowy Hydro Limited
  • valuation of the Antarctic restoration provision.[52]

2.51 DCCEEW noted in its submission response to this issue that due to the machinery of government changes involved in its establishment, its first series of financial statements needed to draw information from three separate financial management information systems (FMISs), including DAFF and the Department of Industry, Science and Resources (DISR). DCCEEW stated:

Relying on other entities system controls is not new; it is a feature of shared services; however, the Department was not just in a situation where its own FMIS was hosted by another ICT platform. The Department’s transactions were contained within DAFF and DISR’s financial systems, hence the Department was using three general ledgers, three sets of accounts, and three reporting suites.[53]

2.52 These and other key areas identified by ANAO as having a higher risk of material misstatement across the 2022-23 financial statements of Commonwealth entities are included in a table at Appendix D. Moderate areas of material misstatement risk are also included in this table if they represented a KAM. The underlying reasons why the financial statements for a particular entity may be misstated include the requirements for significant assumptions and judgements, and the complexity of the information or required calculations.

Timeliness of financial reporting

2.53 Noting that ‘entities should prepare quality financial statements in a timely manner to support entities in meeting legislative reporting obligations including tabling of annual reports’ and that ‘effective project management underpins successful financial statements preparation processes’,[54] ANAO reported a decline in the number of entities that tabled an annual report prior to the portfolio’s Senate estimates hearing, from 74 per cent in 2021-22 to 66 per cent in 2022-23.[55]

2.54 The audit report indicated also that 12 per cent of entities tabled their annual report only one week before the estimates hearings, although noted that this was a marked reduction from the proportion of entities that had done this in the previous year (52 per cent in 2021-22).[56]

2.55 ANAO further stated in the audit report that the number of entities that delivered financial statements in line with an agreed timetable had increased over this same period from 65 to 72 per cent.[57] One of ANAO’s overarching conclusions from these assessments was that:

… there are opportunities for entities to improve quality assurance frameworks, to ensure that significant accounting policies, estimates and adjustments underpinning financial statements are reviewed as early as possible in the preparation process.[58]

2.56 There were two moderate and nine minor audit findings in 2022-23 relating to the quality and timeliness of financial statement preparation.

2.57 One of the moderate findings was for the National Archives of Australia (NAA), which was found by ANAO to have a number of weaknesses in its financial statements processes including:

  • a deficiency in the timely preparation of workpapers to support the financial statements and associated notes
  • a lack of review and approval of year-end adjusting journals by an independent reviewer
  • an inability to provide sufficient supporting documentation to validate certain year-end transactions
  • the identification of a number of adjusted and unadjusted audit differences.[59]

2.58 A number of recommendations were made by ANAO to resolve these issues, which were agreed to by NAA. These included the development of key timelines for a designated officer to complete key tasks, identification and management of risks associated with the financial statements close process, and the required level of management oversight and review to support the preparation of timely and quality financial statements.[60]

2.59 NAA further noted in its submission that it had undertaken a necessary FMIS upgrade in the 2021-22 financial year and then used the new system to prepare its 2022-23 financial statements. NAA stated:

Whilst still in draft, a set of the 2022-23 financial statements was provided to the ANAO to commence their review. In reviewing this first draft and supporting documentation, the ANAO identified areas of concern including the use of a number of control ‘work arounds’ and other practices associated with a lack of accountable standards resulting from the agency’s upgrade to the TechnologyOne FMIS.[61]

2.60 NAA further commented in its submission that other serious issues had also arisen over the lack of segregation of duties among staff with FMIS access.[62] This significant IT controls finding is discussed further in the IT Governance section.

2.61 NAA indicated in its submission that its Executive Board is continuously monitoring the actions that have been taken to address ANAO’s findings and that an independent Audit and Risk Committee also works with the internal auditors to assess these actions in addition to financial processes and controls.[63]

2.62 A second unresolved moderate finding by ANAO that had material consequences for the timeliness of financial reporting was for the Royal Australian Mint (the Mint). ANAO reported in the audit that there were ‘a number of material unexplained and unreconciled differences in the reconciliations performed by management in preparing the Mint’s financial statements’.[64]

2.63 ANAO commented with respect to this finding that reconciliations need to be supported by relevant information and that any differences should be explained, followed up, and adjusted. ANAO further indicated that material adjustments were eventually required for the Mint’s financial statements once the variances had been investigated and subsequently corrected.[65]

2.64 The Mint agreed with ANAO that it needed to strengthen its reconciliation processes, particularly with respect to management’s review of reconciliations and reporting of variances.[66]

Committee comment

2.65 The timeliness of financial statements preparation and ultimately of annual reporting by Commonwealth entities that have a legislative requirement to prepare these reports is of considerable interest to the Committee. The Parliament must have this information on time to readily and properly scrutinise the effectiveness of the expenditure of taxpayer funds on behalf of the Australian public.

2.66 There are quite simply too many entities failing to meet the annual reporting timetable required for the supplementary budget estimates hearings that take place towards the end of each year. The increase in the proportion of entities that failed to do so last year is certainly not a welcome trend.

2.67 The Committee understands that there is a considerable degree of complexity and high workload involved in preparing an annual report, but the timelines are the same every year for every agency that is required to present one. The Committee notes in particular the ANAO’s comments at the public hearing that delays in its ability to complete the financial statements audits due to a lack of preparedness by an entity are a key reason why an annual report can be late.

2.68 That one third of the required Commonwealth entities did not table their annual reports on time to be scrutinised at estimates hearings is not good enough in the Committee’s view. It is amazing to the Committee that 52 per cent of these entities tabled their annual report only one week before these hearings in 2022. It is acknowledged that this figure was only 12 per cent last year but there are clearly some perpetual issues that need to be looked at and the Committee cannot be confident at present that this figure will not markedly increase again in future years.

2.69 The ANAO documents the entities that have failed to table their annual reports in time for the end-of-year estimates hearings in its Financial Statements Audit Reports and has collated this information from the past three years in its submission to this inquiry.[67] This has been reproduced in Table 2.1 below. The Committee will be requesting a response from the agencies that have not met this timeline now for each of the past three years so that it can better understand what the underlying issues are.

Table 2.1 Annual reports that were tabled after the supplementary budget estimates hearings

Annual report tabled post relevant supplementary budget estimates hearings (by year)

| Entity | 2022–23 | 2021–22 | 2020–21 |
|---|---|---|---|
| Attorney General’s portfolio | | | |
| Australian Commission on Law Enforcement Integrity | Yes | No | No |
| High Court of Australia | Yes | Yes | Yes |
| Defence portfolio | | | |
| AAF Company | Yes | No | No |
| Army and Airforce Canteen Service | Yes | Yes | No |
| Australian Military Forces Relief Trust Fund | Yes | No | No |
| Australian Strategy Policy Institute Ltd | Yes | Yes | Yes |
| Royal Australian Air Force Veterans’ Residences Trust Fund | Yes | Yes | Yes |
| RAAF Welfare Recreational Company | Yes | Yes | Yes |
| Royal Australian Air Force Welfare Trust Fund | Yes | Yes | No |
| Royal Australian Navy Central Canteens Board | Yes | Yes | Yes |
| Royal Australian Navy Relief Trust Fund | Yes | Yes | No |
| Employment and Workplace Relations portfolio | | | |
| Seafarers Safety, Rehabilitation and Compensation Authority | Yes | No | No |
| Infrastructure, Transport, Regional Development, Communications and the Arts portfolio | | | |
| Bundanon Trust | Yes | Yes | Yes |
| National Archives of Australia | Yes | Yes | No |
| Prime Minister and Cabinet portfolio | | | |
| Anindilyakwa Land Council | Yes | Yes | Yes |
| Central Land Council | Yes | Yes | Yes |
| Northern Land Council | Yes | Yes | Yes |
| Northern Territory Aboriginal Investment Corporation | Yes | N/A | N/A |
| Outback Stores Pty Ltd | Yes | Yes | Yes |
| Tiwi Land Council | Yes | Yes | Yes |
| Workplace Gender Equality Agency | Yes | Yes | Yes |
| Wreck Bay Aboriginal Community Council | Yes | Yes | Yes |
| Social Services portfolio | | | |
| NDIS Quality and Safeguards Commission | Yes | No | No |

Source: ANAO, Submission 24, Attachment C, p. 5.

Recommendation 3

2.70 The Committee recommends that the following entities provide a response within six months on why their annual report has not been tabled in time to be scrutinised at supplementary budget estimates for the past three years:

  • High Court of Australia
  • Australian Strategic Policy Institute Ltd
  • Royal Australian Air Force Veterans’ Residences Trust Fund
  • RAAF Welfare Recreational Company
  • Royal Australian Navy Central Canteens Board
  • Bundanon Trust
  • Anindilyakwa Land Council
  • Central Land Council
  • Northern Land Council
  • Outback Stores Pty Ltd
  • Tiwi Land Council
  • Workplace Gender Equality Agency
  • Wreck Bay Aboriginal Community Council

Internal auditing

Overview

2.71 The role that internal auditors play in assisting Commonwealth entities with the timeliness and robustness of their financial reporting was of interest to the Committee. The ANAO’s view of internal auditing is that it plays ‘an important role in providing assurance over an entity’s system of risk management and internal control’.[68]

2.72 ANAO noted that there are a variety of models for delivering an internal auditing function ‘including outsourced to external service providers or insourced partially or fully with an entity’s own internal auditors’, but that it is most likely to be delivered among Commonwealth entities via outsourcing.[69]

2.73 ANAO further noted that a majority of entities have an internal audit function, although it is not a mandatory requirement.[70] ANAO’s analysis indicated that 16 per cent of Commonwealth entities, comprising smaller organisations, did not have an internal audit function, citing:

  • the level of complexity or scale of their entity’s operations
  • their view that the system of risk management and internal control operated effectively.[71]

Overarching issues highlighted by ANAO

2.74 ANAO indicated in its 2022-23 audit that it had reviewed both the structure and coverage provided by the internal audit function and found several areas for improvement, including:

  • adopting formal audit committee charters

As noted in the audit report:

Fifty-five per cent of entities had internal audit charters. In the absence of a charter, there is a risk that the internal audit function’s mandate, authority and independence are not well understood with an entity, potentially limiting the effectiveness of the function

  • developing and monitoring internal audit budgets to determine they are fit for purpose

As noted in the audit report:

A safeguard to the independence and objectivity of the internal audit function is regular consideration of the appropriateness of the internal audit function’s budget by an entity’s audit committee (in providing advice on the function). Seventy-three per cent shared the budget with the audit committee

  • considering appropriate organisational structure for the officer overseeing the internal audit function

As noted in the audit report:

In 77 per cent of entities the officer responsible for internal audit had shared responsibilities (including for financial management, or the system of internal control and risk management). Accountable authorities should be mindful of the potential for impairments to objectivity and implement appropriate safeguards in determining the organisational structure for internal audit.[72]

2.75 ANAO found that 81 per cent of entities had established an internal audit function in 2022–23 but also that 21 per cent had decreased their internal audit budget in the period 2020–21 to 2022–23.[73] ANAO further stated in the audit report:

There were 2,687 internal audits undertaken by Commonwealth entities between 2020–21 and 2022–23. Most internal audits completed focused [on]: systems of risk management and governance; information, communications and technology, project and program management; and financial controls. Over this period there was a decrease in internal audits completed on procurement and information, communications and technology, but an increase in internal audits completed on cyber security and performance reporting.[74]

2.76 In relation to entities without an internal audit function, ANAO comments in the audit report:

There is merit for Accountable Authorities, with advice from audit committees, in entities without internal audit regularly reassessing this posture. This assessment should consider and document the sources of assurance available in forming a view on the effectiveness of governance and internal controls in the absence of internal audit.[75]

2.77 ANAO also concluded that the Australian Government could consider whether providing guidance on internal audit delivery would enhance its system of internal control.[76]

2.78 At the public hearing on 19 April 2024, the acting Auditor-General commented on the lack of a mandatory requirement for Commonwealth entities to have an internal audit function:

It's interesting, because in some domains there are mandatory requirements for internal audits. For example, APRA has mandated internal audit for financial institutions. For those people that are using quality standards like ISO 9001, you have to internally audit it but it's not a mandated requirement for the Commonwealth, which we just find strange… I guess we're bringing to the committee's attention that it's an area that could be more robust in a world of dynamic risk and an area where accountable authorities could get a stronger view about whether their duty and their obligations under the PGPA Act, to have systems of risk management and fraud control et cetera, are robust.[77]

2.79 Finance stated in its submission to the inquiry that it agrees with ANAO that ‘an effective internal audit process is integral to a Commonwealth entity’s system of internal control’. Finance further indicated that it has commenced a consultation process for the development of enhanced guidance on internal audit as per the ANAO’s suggestion.[78]

Issues for specific entities

Social Services

2.80 The Committee queried Social Services at the hearing on 24 April 2024 on why its own internal auditing did not pick up on the issue of income apportionment (see paragraphs 2.27-2.28), which was a significant finding by ANAO in the 2022-23 audit.

2.81 Social Services responded that it had attended to this audit finding in many of the same ways that Health had done with respect to proper consideration of legal issues around certain payments and potential section 83 breaches (see paragraphs 2.21-2.24). Social Services indicated that it had instigated ‘more regular and specific reporting around legal risk’, stating:

That report is now available to the ANAO on a regular basis. Part of our finding was both that we didn't have a mechanism to inform the ANAO of emerging issues that could have a significant impact on our financial statements and that we didn't have a robust mechanism to ensure that the CFO had visibility of those so that we could make any adjustments that we needed to in the context of the statements… We're confident that people have visibility of the issues, and we're confident that the CFO now has visibility of all those things that might have implications for the financial statements.[79]

2.82 Social Services confirmed at the hearing for the Committee, and also on notice[80], that it has reduced its internal audit budget by about 20 per cent over the three-year period up to 2022-23, commenting:

We still did more than we did in a previous year—we've been gradually growing that capability, notwithstanding what looks like a dip. We've been trying to grow the capability of the audit and assurance function here, including fraud and audit, to make sure that we've got robust processes around internal audit.[81]

DAFF

2.83 DAFF noted in its submission that it was one of the entities identified by ANAO as having a 20 per cent or greater reduction in its internal audit budget in the three years up to 2022-23, and also having completed 40-49 per cent fewer internal audits in that same period.[82]

2.84 DAFF stated that both of these reductions were due to the 1 July 2022 machinery-of-government changes, commenting that:

These changes included the environment and water functions and funding being moved to the newly established Department of Climate Change, Energy, Water and the Environment (DCCEEW). The impact of the austerity measures also reduced the number of completed audits in 2022-23 however, since that time, the number of internal audits completed has returned to a level commensurate with the 2020-21 levels.[83]

Committee comment

2.85 The Committee agrees with the position taken by the ANAO that the lack of a mandatory internal audit function for Commonwealth entities is somewhat puzzling given the well-accepted benefits that result from this additional layer of oversight, including better risk management, fraud control, and legislative compliance.

2.86 The Committee is therefore troubled that 1 in 5 entities have reduced their internal audit budgets over the past several years, regardless of the reasoning, as a less robust framework could possibly end up being far more costly for the Commonwealth. While it is understandable on one level why a number of smaller entities do not have an internal audit function at all, the Committee’s view is that this oversight should become mandatory across the Commonwealth public sector to foster better accountability, regardless of agency size.

2.87 It is pleasing that Finance acknowledges the importance of internal auditing and is conducting a consultation process to update and enhance the guidance for this function. As mentioned above however, it should no longer be optional and the Committee wishes to see a mandatory framework developed by Finance, with input from ANAO and other key stakeholders, that must be adhered to and fully resourced by everyone.

Recommendation 4

2.88 The Committee recommends that, as part of its ongoing consultation process, the Department of Finance now develops a mandatory framework with detailed guidelines for internal auditing for all Commonwealth entities within 12 months of the tabling of this report.

Governance of information technology

Overview

2.89 Issues with the effective governance and control of information technology (IT) by Commonwealth entities, including user access and privileged access to core IT systems, were again prominent among the significant and moderate findings by the ANAO in its financial statements audits. The ANAO found that 78 per cent of entities did not have effective control to monitor user access to their IT systems after cessation of employment. This particular subject was therefore of continuing interest and of considerable concern to the Committee.

2.90 ANAO defines the IT control environment as ‘the policies, procedures and controls that maintain the integrity of information and security of data in an entity’ which include:

  • IT security management, which incorporates user access management, privileged user activity logging and monitoring as well as security configuration settings such as password controls
  • IT change management and data centre and network operations, including management of backup and recovery processes.[84]

2.91 The Acting Auditor-General noted more broadly at the public hearing on 19 April 2024 that:

I think one of the big gaps that we see is the lack of communication within an entity between its HR function and its IT function… When someone leaves an organisation, we need to turn them off. We just need to turn them off. That turning off often happens in the IT part of the organisation for the IT access, not in the HR part of the organisation.[85]

Significant findings

2.92 ANAO reported new significant and unresolved findings in the IT control environment for four Commonwealth entities in 2022-23: Australian Taxation Office (ATO), Defence, NAA, and Services Australia (see also Appendix C).[86]

Australian Taxation Office

2.93 Weaknesses were reported by ANAO in the ATO’s enterprise change management for key IT systems supporting financial statements preparation, including:

  • a disconnect between change management policy and procedural documentation in relation to segregation of duties particularly in relation to developers and migrators
  • an inability of ATO to provide a complete and accurate list of changes made to financial systems assessed as in scope for the financial statements audit.[87]

2.94 ANAO stated in relation to these issues, and made recommendations accordingly to improve the change management framework, that:

As a result of identified deficiencies, the ANAO was required to undertake significant additional testing to obtain assurance over the reliability of reports generated to support financial statements balances.[88]

2.95 The ATO agreed with the findings and recommendations of the ANAO and stated in its submission to the inquiry that it has ‘already enhanced its governance controls to ensure evidence is consistently captured within the IT Service Management system’ which includes uplifted Change Advisory Board controls, enhancements to the IT Service Management system and completed reconciliation of system change logs.[89]

Defence

2.96 There was a new and significant audit finding for Defence relating to the removal of access to its IT systems for both Defence personnel and also contractors who had ceased employment with the department. As noted by ANAO, this contravenes the requirements of the Protective Security Policy Framework (PSPF) which is designed to provide information security for the Australian Government.[90]

2.97 The audit report stated in this regard:

The ANAO identified 1,451 users whose access to the Defence Network was not removed in accordance with Information Security Manual (ISM) requirements. Testing also identified almost 2,000 instances where former employees and/or contractors had logged into and accessed data from Defence systems.[91]

2.98 The Financial Statements audit report further noted in relation to Defence employees post-termination that:

  • some employees continued to receive salary payments
  • 215 users retained access to the FMIS
  • ANAO was unable to assess whether access to inventory management systems had been retained, or if these systems had been accessed, as data logs were unavailable
  • issues concerning user access had previously been reported by Defence’s Internal Audit Branch, which stated that insufficient controls were in place
  • a prior performance audit by ANAO of Defence’s management of contractors had found insufficient compliance with PSPF Policy 14: Separating personnel.[92]

2.99 Noting the ‘significant fraud and reputational risk exposure to Defence as a result of the above system access weaknesses’ ANAO made a number of recommendations for remediation, which were agreed to by the department.[93]

2.100 In its submission to the inquiry, Defence stated that it agreed with this category A finding and had undertaken a number of activities in response including:

  • an extensive review of the instances of unauthorised access to the Defence Network
  • an investigation of all alleged post separation network access by unauthorised persons.[94]

2.101 Defence cited its actions that were underway to close this finding, which involved an integrated solution to prevent and detect unauthorised access, controls to strengthen the governance of the access and usage of its IT systems, and an automated capability to remove access upon cessation of employment.[95]

National Archives of Australia

2.102 The NAA was found by ANAO to have ineffective IT general controls to support the preparation of its financial statements, with the following weaknesses identified:

  • insufficient oversight and documentation of review of privileged user access and activity logs
  • no formalised or documented periodic review of user access
  • inconsistent mapping of roles and responsibility configurations, including workflow approvers and inconsistent chart of accounts mapping configurations.[96]

2.103 ANAO recommended a detailed review to address these significant issues, which was agreed to by NAA. In its submission to the inquiry, NAA stated that it had:

… immediately engaged an independent external consultant to undertake a forensic audit review of all the underlying transactions on which the financial statements were based and identify any potential fraud resulting from the financial management processes that were in place. ANAO provided oversight into the scope of works undertaken by the forensic auditor to ensure a complete and accurate review was undertaken.[97]

2.104 NAA indicated to the Committee in its submission that there would be continuous monitoring by its Executive Board and Audit and Risk Committee of the actions undertaken to address each of the ANAO findings until their implementation was completed.[98]

Services Australia

2.105 The audit reported ‘a significant audit risk in relation to the increasing number of issues in IT governance within Services Australia’ stating:

… the ANAO identified weaknesses in IT controls in the implementation of a large-scale IT roll-out for residential aged care and the re-emergence of a large number of individual control issues affecting change and access management and business operations.[99]

2.106 ANAO further noted in the report, and made recommendations accordingly, that the IT governance and monitoring processes at Services Australia were not providing sufficient assurance to its management that policy requirements were being met, further commenting that ‘this matter is considered to pose a significant financial, business and reputational risk to Services Australia.’[100]

2.107 In its submission to the inquiry, Services Australia agreed with these assessments and the ANAO’s recommendations. Services Australia stated:

Due to the Agency’s complex and large number of IT platforms, in excess of 50 systems, that need to be reviewed to address the audit recommendations, the Agency has established a new Division to ensure the appropriate oversight and monitoring of remediation activities. Additional resources have also been onboarded to assist with remediation activities, including specialist resources with ICT policy, governance and assurance expertise.[101]

2.108 Services Australia noted in its submission that it would require time to conduct its remediation due to the complexity of its systems but that the first phase of this process, ‘focussed on access management, change management and disaster recovery policies’ was expected to be completed by June 2024 with the expectation that ‘it will take until the 2025 interim audit process for all aspects of the recommendations to be fully resolved.’[102]

Moderate findings mostly relate to removing IT user access

2.109 The ANAO reported 20 moderate findings in 2022-23 relating to weaknesses in user access management, with nine pertaining to management of terminated user access.[103] ANAO further stated:

IT security management continues to remain the most common area of weakness in the IT control environment, with over 77 per cent of findings, and 82 per cent of the significant and moderate findings, relating to this area. Focus is required by entities to ensure that the risks of unauthorised changes to systems and data and unauthorised data leakage are being appropriately managed.[104]

2.110 ANAO comments that ‘timely removal of access from terminated staff continues to be an issue across entities in 2022–23’ indicating that despite some improvements in developing security policies relating to this removal and in implementing monitoring controls, the number of findings relating to the removal of access processes has increased.[105]

Committee comment

2.111 Failures in IT governance and control, most particularly with regard to unauthorised user access to IT systems across the Commonwealth, have been a staple of the Financial Statements audit findings for many years and this situation simply has to change. In its report on the 2021-22 Financial Statements audit, the Committee devoted a whole section to the wide-scale lack of compliance with the IT requirements of the PSPF. The Committee sensibly recommended that an assurance mechanism for agencies’ self-reporting on cybersecurity be developed, and that appropriate performance measures be implemented on promoting compliance with the IT security aspects of this framework.[106]

2.112 The Department of Home Affairs, which has since taken over responsibility for the PSPF from the Attorney-General’s Department, has agreed to both recommendations and has indicated that it will commence the assurance mechanism following the 2024-25 PSPF reporting period. Home Affairs has also stated that it will develop the required performance measures for inclusion in its 2024-25 corporate plan, in consultation with accountable officials, its audit and risk committee, and the accountable authority.

2.113 These responses are fully welcomed by the Committee and the advent of these new processes and their future impact on the instances and nature of IT breaches will be monitored with interest.

2.114 The Committee in the meantime will require updates from the four entities that had significant IT issues in this last audit cycle. It is the sincerest hope of the Committee that recommendations of this nature will eventually no longer be needed. There are once again just too many serious risks to the Commonwealth arising from persistent user access issues, particularly when considering the highly sensitive information that is held by many key agencies such as Defence.

Recommendation 5

2.115 The Committee recommends that the Australian Taxation Office, Department of Defence, National Archives of Australia and Services Australia each report to the Committee within six months of this report on their progress in closing the significant breaches relating to their governance and control of IT systems.

Use and governance of artificial intelligence in the public sector

Separate inquiry

2.116 The Committee has a significant interest in the use and control of emerging technologies by public sector entities, particularly artificial intelligence. ANAO noted in the Financial Statements audit that 36 Commonwealth entities had reported the adoption of some form of emerging technology such as AI but also that no supporting policies or governance frameworks for this had been created in most cases.

2.117 The Committee corresponded with most of these entities with a series of specific written questions on their use and governance of AI. The responses received were published as submissions to this inquiry but will now be considered by the Committee in a separate future inquiry that focuses specifically on the future use and regulation of AI by the public sector.

Hon Linda Burney MP

Chair

12 September 2024

Footnotes

[1]Auditor-General Report No. 9 2023–24, p. 11.

[2]Northern Land Council (NLC), Submission 22, p. 1.

[3]NLC, Submission 22, p. 1.

[4]NLC, Submission 22, p. 2.

[5]Tiwi Land Council, Submission 21, p. [1].

[6]Tiwi Land Council, Submission 21, p. [1].

[7]Section 83 of the Commonwealth of Australia Constitution Act (the Constitution) provides that no amount may be paid out of the Consolidated Revenue Fund except under an appropriation made by law. Managing section 83 risks is part of an accountable authority’s obligations under section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) in relation to establishing and maintaining systems in relation to risk and control.

[8]Department of Health and Aged Care (Health), Submission 5, p. [4].

[9]Health, Submission 5, p. [4].

[10]Mr Daniel McCabe, Acting Deputy Secretary, Health Resourcing, Health, Committee Hansard, Canberra, 24 April 2024, p. 2.

[11]Mr David Hicks, Chief Financial Officer and First Assistant Secretary, Financial Management Division, Health, Committee Hansard, Canberra, 24 April 2024, p. 2.

[12]Auditor-General Report No. 9 2023–24, p. 58.

[13]Auditor-General Report No. 9 2023–24, p. 79.

[14]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 8.

[15]The PGPA Rule requires Commonwealth entities and companies to report remuneration policies and practices regarding the governance arrangements under which the policies and practices operate; and the basis on which the remuneration has been determined.

[16]Department of Finance (Finance), Submission 15, pages 6–7.

[17]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 7.

[18]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 7.

[19]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 8.

[20]Auditor-General Report No. 9 2023–24, p. 32.

[21]Auditor-General Report No. 9 2023–24, p. 32.

[22]Auditor-General Report No. 9 2023–24, p. 9.

[23]Auditor-General Report No. 9 2023–24, pages 9–10.

[24]Auditor-General Report No. 9 2023–24, p. 10.

[25]Auditor-General Report No. 9 2023–24, p. 37.

[26]Auditor-General Report No. 9 2023–24, p. 37.

[27]Auditor-General Report No. 9 2023–24, p. 15; the ANAO notes in the Financial Statements Audit for 2022-23 on page 35 that ‘… the Auditor-General considers including KAM to be good practice for financial statements auditing in the public sector and includes KAM in certain audit reports. Communicating KAM helps users of financial statements better understand those matters that, in the auditor’s professional judgement, were of the most significance in the audit of the financial statements.’

[28]Auditor-General Report No. 9 2023–24, pages 15–16.

[29]Auditor-General Report No. 9 2023–24, p. 11.

[30]Auditor-General Report No. 9 2023–24, p. 11.

[31]Auditor-General Report No. 9 2023–24, p. 201.

[32]Department of Education (Education), Submission 39, p. 5.

[33]Education, Submission 39, p. 5.

[34]Education, Submission 39, p. 5.

[35]Health, Submission 5, p. [2].

[36]Health, Submission 5, p. [2].

[37]Mr Hicks, Health, Committee Hansard, Canberra, 24 April 2024, p. 3.

[38]Health, Submission 5, p. [2].

[39]Department of Social Services (Social Services), Submission 6, p. 2.

[40]Social Services, Submission 6, p. 2.

[41]Social Services, Submission 6, p. 2.

[42]Social Services, Submission 6, p. 2.

[43]Services Australia, Submission 17, p. 3.

[44]Services Australia, Submission 17, p. 3.

[45]Auditor-General Report No. 9 2023–24, p. 125.

[46]Auditor-General Report No. 9 2023–24, pages 127–128.

[47]Department of Agriculture, Fisheries and Forestry (DAFF), Submission 8, p. 6.

[48]Auditor-General Report No. 9 2023–24, pages 343–344.

[49]Financial statement notes typically communicate information necessary for a fair presentation of a financial position and the results of operations that is not readily apparent from, or not included in, the financial statements themselves.

[50]National Disability Insurance Agency (NDIA), Submission 19, p. 4.

[51]NDIA, Submission 19, p. 4.

[52]Auditor-General Report No. 9 2023–24, p. 147.

[53]Department of Climate Change, Energy, the Environment and Water (DCCEEW), Submission 4, pages 3–4.

[54]Auditor-General Report No. 9 2023–24, pages 60–61.

[55]Auditor-General Report No. 9 2023–24, p. 10.

[56]Auditor-General Report No. 9 2023–24, p. 31.

[57]Auditor-General Report No. 9 2023–24, p. 31.

[58]Auditor-General Report No. 9 2023–24, p. 80.

[59]National Archives of Australia (NAA), Submission 7, p. 2.

[60]Auditor-General Report No. 9 2023–24, p. 300; NAA, Submission 7, p. 2.

[61]NAA, Submission 7, p. 3.

[62]NAA, Submission 7, p. 3.

[63]NAA, Submission 7, p. 3.

[64]Auditor-General Report No. 9 2023–24, p. 379.

[65]Auditor-General Report No. 9 2023–24, p. 379.

[66]Auditor-General Report No. 9 2023–24, p. 379.

[67]ANAO, Submission 24, Attachment C, p. 5.

[68]Auditor-General Report No. 9 2023–24, p. 10.

[69]Auditor-General Report No. 9 2023–24, p. 45.

[70]There is no mandated requirement for Commonwealth entities or companies to establish an internal audit function. However, Section 16 of the PGPA Act requires the accountable authority to establish and maintain an appropriate system of risk oversight and management; and appropriate system of internal control.

[71]Auditor-General Report No. 9 2023–24, p. 45.

[72]Auditor-General Report No. 9 2023–24, pages 42–43.

[73]Auditor-General Report No. 9 2023–24, p. 32.

[74]Auditor-General Report No. 9 2023–24, p. 10.

[75]Auditor-General Report No. 9 2023–24, p. 45.

[76]Auditor-General Report No. 9 2023–24, p. 10.

[77]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 10.

[78]Finance, Submission 15, p. 8.

[79]Mr Pat Hetherington, Chief Operating Officer, Social Services, Committee Hansard, Canberra, 24 April 2024, p. 8.

[80]Social Services, Supplementary submission 6.1, p. 1.

[81]Mr Hetherington, Social Services, Committee Hansard, Canberra, 24 April 2024, p. 9.

[82]DAFF, Submission 8, p. 5.

[83]DAFF, Submission 8, p. 5.

[84]Auditor-General Report No. 9 2023–24, p. 61.

[85]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 19 April 2024, p. 13.

[86]Auditor-General Report No. 9 2023–24, pages 62–63.

[87]Auditor-General Report No. 9 2023–24, p. 374.

[88]Auditor-General Report No. 9 2023–24, p. 375.

[89]Australian Taxation Office (ATO), Submission 20, p. 2.

[90]Auditor-General Report No. 9 2023–24, p. 171.

[91]Auditor-General Report No. 9 2023–24, p. 172.

[92]Auditor-General Report No. 9 2023–24, p. 172.

[93]Auditor-General Report No. 9 2023–24, p. 173.

[94]Department of Defence (Defence), Submission 25, p. 2.

[95]Defence, Submission 25, p. 2.

[96]Auditor-General Report No. 9 2023–24, p. 299.

[97]NAA, Submission 7, p. 3.

[98]NAA, Submission 7, p. 3.

[99]Auditor-General Report No. 9 2023–24, p. 349.

[100]Auditor-General Report No. 9 2023–24, pages 349–350.

[101]Services Australia, Submission 17, p. 4.

[102]Services Australia, Submission 17, p. 4.

[103]Auditor-General Report No. 9 2023–24, p. 63.

[104]Auditor-General Report No. 9 2023–24, p. 64.

[105]Auditor-General Report No. 9 2023–24, p. 65.

[106]Joint Committee of Public Accounts and Audit, Report 497: Inquiry into Commonwealth Financial Statements 2021–22, June 2023, Canberra, pages 27–35.