Reference: A101/ P002
Period of review: November 2009
Review Sponsor:
Circulation:
This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance and
Deregulation's internal use and benefit and may not be relied on by any other party. This report may not be
distributed to, discussed with, or otherwise disclosed to any other party without PricewaterhouseCoopers' prior
written consent. PricewaterhouseCoopers accept no liability or responsibility to any other party who gains access to
this report.
Contents
1. Introduction
2. Background
3. Scope
4. Summary of findings
5.
6.
Appendix A Internal Audit Review Commonwealth Financial Statement (CFS) Process Review Scope of Work
Glossary
Priority ratings have been assigned to issues raised in this report as follows:
Rating scale for individual findings
A: Active management required as an extreme priority. Controls are not adequate to address the associated risk.
B: Active management required as a high priority. Controls are not adequate to address the associated risk.
C: Active management required as a moderate priority. Controls are not adequate to address the associated risk.
BPI: Business Process Improvement opportunity. A suggested improvement in efficiency or better practice.
Control is adequate
CC
Extreme priority
High priority
Moderate priority
Low priority
Control Critical
Test controls regularly
Note: The overall review rating is the residual exposure to Finance after consideration of all findings
highlighted in this report. More detail on the rating scales used throughout this report can be found at
Appendix B.
Limitations
Our Internal Audit work was limited to that described in this report and was performed in accordance with International
Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors. It did not constitute
an examination or a review in accordance with generally accepted auditing standards or assurance standards.
Accordingly, we provide no opinion or other form of assurance with regard to our work or the information upon which
our work was based. We did not audit or otherwise verify the information supplied to us in connection with this
engagement, except to the extent specified in this report or our approved objectives and scope.
Internal Audit Report
Review of Business Continuity Management
Page 2 of 34
1. Introduction
As part of the Internal Audit Work Plan for 2008/09, PricewaterhouseCoopers (PwC)
reviewed the Internal Controls Framework surrounding the Consolidated Financial
Statements (CFS) process.
The purpose of the review is to check the integrity of processes and controls in place
which support the accuracy and timely production of the CFS.
The review of the Internal Controls Framework focused on the following key areas:
preparation of core CFS components
2. Background
Under Section 55 of the Financial Management and Accountability Act 1997, the
Minister for Finance and Deregulation is required to prepare the Consolidated Financial
Statements (CFS) for the Australian Government.
The CFS are prepared in accordance with the Australian Accounting Standards and all
other financial reporting regulatory requirements and reflect a consolidation of the
financial statements of all Commonwealth controlled reporting entities.
These annual statements are prepared on behalf of the Minister of Finance and
Deregulation by the Financial Management Branch of the Department of Finance and
Deregulation (Finance) as soon as practicable following the end of the financial year.
These financial statements are audited by the Australian National Audit Office.
The process is currently conducted using the AIMS system. However, it is expected that a
transition to the Central Budget Management System (CBMS) will take place during the
next year and the AIMS system will be decommissioned.
In 2008/09 the CFS is being prepared for the first time in accordance with the Australian
Accounting Standard 1049 Whole of Government and General Government Financial
Reporting (AASB 1049). The objective of AASB 1049 is to specify requirements for the
financial reporting by whole of government and General Government Sector. It became
applicable for annual reporting periods beginning on or after 1 July 2008. The
introduction of this standard has resulted in no significant changes to the CFS process.
Internal Audit first performed a controls based agreed-upon procedures review to assist
Finance in preparing the CFS for the 2003/04 financial year. This identified a number of
process and control improvements for CFS preparation in future years. Internal Audit
have since performed controls based agreed-upon procedures to assist Finance in
preparing the CFS for each of the subsequent financial years. The following table
illustrates the number of control weaknesses outstanding at the end of each annual review
and their rating:
Year of review
The following diagram summarises the CFS preparation process considered as part of this
review. Detailed CFS preparation process maps are provided in Appendix G of this
report.
[Diagram 1 (figure not reproduced): CFS preparation process flow. Labels recoverable from the figure: Input; Capture; QA; Adjust and aggregate; Consolidation calculations; Prepare consolidated statements; Publish statements and Column Reports. Systems and artefacts shown: CPack from agencies; AIMS Working Data 1 and Working Data 2; MS Excel Analytical Workbooks (GG, PFC, PNFC); MS Excel journal and elimination workbooks (GG, PFC, PNFC and WoG); AIMS, MS Excel and MS Word; P&L, B/S, Derived Cash Flow and Notes for GG, PFC, PNFC and for WoG.]
Diagram 1: The Whole of Government (WoG) Consolidated Financial Statements (CFS) comprise
the sum of General Government (GG), Public Finance Corporations (PFC) and Public Non-Finance
Corporations (PNFC).
Internal Audit Report
Review of Consolidated Financial Statements Controls 2009
Page 4 of 34
3. Scope
A copy of the approved objectives and scope of this review is attached at Appendix A.
Specific limitations to the scope of this review are detailed below:
controls over business continuity and contingency arrangements were not within
the scope of agreed-upon procedures for this review.
4. Summary of findings
Our work has identified that the controls originally identified in the 2003/04 audit
continue to be in place and operating as intended; however, one opportunity for
improvement has been identified. This finding relates to:
a back-up of the data of the AIMS system is occurring on a nightly basis, however
there is currently no confirmation that these backups are occurring and are
complete.
Overall, Internal Audit considers that the controls identified in 2003-04 remain adequate
and appropriate for today's operating environment. Business requirements in terms of
accuracy and timeliness of the preparation of the CFS remain comparable, whilst the
observed stability and robustness of the process and its controls have in aggregate
improved each successive year of review.
It is worth noting that the scheduled replacement of the legacy AIMS system with CBMS
for next year's CFS process will require a re-evaluation and re-mapping of the risks and
controls for the updated aspects of the process.
A listing of the key controls over the CFS process is provided in Appendix C of this
report.
David Murphy
Partner
PricewaterhouseCoopers
4 November 2009
This review
Extreme priority
High priority
Moderate priority
Low exposure
BPI
5.
A summary of the work performed in reviewing the processes and controls over
the preparation of the 2008/09 CFS is outlined in the table below.
Ref
Review existing process maps (documented in 2003) that describe the CFS
preparation process.
Review the controls map delivered in our 2003/04 review that describes and links
the identified controls with the existing CFS preparation process maps. We will
update these control maps for changes in processes of key controls made since our
2003/04 review.
Execute sample based audit tests (previously developed as part of 2003/04 review)
to confirm the effectiveness of controls.
6.
Review any updated process and control documentation held by the Branch.
review the processes and controls in place to support the accurate and timely
production of the CFS.
Perform process walkthroughs with relevant Finance staff to reconfirm process
flow and presence of key controls.
We will recommend specific and practical updates required to the process and
control documentation held by the Branch.
We will prepare a report for the CFS Audit Committee on our findings and
recommendations.
We will regularly liaise with FRB throughout the review to ensure that any issues
raised are discussed and that progress is known and clear.
Resources Seniority and Skills of proposed personnel
The review of the CFS processes and controls requires specialist knowledge that PwC is
well placed to provide the Department. We have undertaken similar reviews for the
Department for each of the last five years and propose a team that understands the
processes, is well known and respected by the CFS team and has contributed significantly
to the improvement of process and controls over that time.
Staff
Partner
Audit Days*
2
Director
Senior Consultant
Appropriate Consultant
10
Total
23
*Our approach is based upon the current systems and processes that Finance utilise to
produce the CFS. We understand that a new system and processes are currently being
developed with an implementation timeframe that is yet to be determined. We anticipate
that the first year of this review under the new system and process would require
approximately 7 days more effort.
Likelihood of occurrence
Rare: The event type would occur only in exceptional circumstances and has not occurred within Commonwealth Government.
Unlikely: The event type could occur but has not occurred in Finance before.
Average: The event type might occur or has occurred at least once within Finance.
Likely: The event type will probably occur or has occurred in Finance within the last two years.
Almost certain: The event type has occurred within the last 12 months or is expected to occur.
Impact involves the consequences of a risk event, and may be in terms of, for example,
financial or human cost, business disruption, environmental damage or damage to
reputation. Each consequence/impact can be rated, in terms of its severity.
Consequence/impact area by impact rating

Insignificant
- Financial: Up to $100K
- Human resources: First Aid. Leave of absence.
- Business interruption: Loss of service capability for up to half a day.
- Outputs: Up to 1% impact on targets.
- Integrity/reputation and image: Internal impact only.

Minor
- Financial: Up to $500K
- Human resources: Injury to staff. Temporary loss of key staff.
- Business interruption: Loss of service capability for up to two days.
- Outputs: Up to 2% impact on targets.
- Integrity/reputation and image: Adverse comments in local press.

Medium
- Financial: Up to $5M
- Human resources: Major injury to staff. Permanent loss of key staff.
- Business interruption: Loss of service capability for up to one week. Interruption of four hours during budget.
- Outputs: Up to 5% impact on targets.
- Integrity/reputation and image: Senate Estimates. Other external scrutiny, ANAO, national media. Moderate damage to Finance's reputation.

Major
- Financial: Up to $20M
- Human resources: Permanent injury to multiple staff. Loss of critical mass of staff.
- Business interruption: Loss of service capability for up to one month. Interruption of two days during Budget. Serious medium term business/environmental effects.
- Outputs: Up to 10% impact on targets.
- Integrity/reputation and image: Questions in Parliament. External scrutiny. Serious public, political and/or media outcry.

Extreme
- Financial: Above $100M.
- Human resources: Multiple deaths of staff. Loss of critical mass of key staff.
- Business interruption: Loss of service capability for more than one month. Inability to get Budget completed in timeframe. Very serious long term effects on Department's business.
- Outputs: Greater than 10% impact on targets.
- Integrity/reputation and image: Royal Commission. Judicial inquiry. Other form of Parliamentary inquiry. Possible litigation. Very serious legislative non compliance.
The intersection of the likelihood and consequence ratings determines the overall inherent
risk rating as shown in the table below.
Inherent risk rating by likelihood (rows) and impact (columns, in the order Extreme, Major, Medium, Minor, Insignificant):
Almost certain: Extreme, Extreme, High, Significant, Moderate
Likely: Extreme, High, Significant, Moderate, Low
Average: High, High, Significant, Moderate, Low
Unlikely: High, Significant, Moderate, Low, Low
Rare: Significant, Moderate, Low, Low, Low
From this, a level of inherent risk can be determined using the table below.
Level of risk Description
Extreme
High
Significant
Moderate
Low
Unsatisfactory
Satisfactory
We then assess the effectiveness of controls that management have in place to manage the
risk according to the table below.
Rating*
Description
Excellent
Good
Incomplete
Unsatisfactory
Control is poorly designed and does not fully address the risk.
Documentation/communication and/or application need improvement.
Poor
Control is poorly designed and does not address the risk. Both control
documentation/communication and application need improvement.
Residual risk is the level of risk faced after considering the controls in place. Residual
risks are rated on the same likelihood and consequence/impact ratings as inherent risks
above but are then considered in conjunction with the adequacy of controls. Based on the
level of residual risk, management can prioritise the allocation of resources to address
these risks through mitigating actions or investments in improving controls. Management
can also identify areas where it should continue to test controls: those where residual
risks are low but where, without the controls, inherent risk would be high, that is, areas
where controls are critical, as illustrated in the following diagram:
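[Diagram (figure not reproduced): residual risk priorities. Labels recoverable from the figure: Likelihood, running from Extreme to Low; Control rating, Satisfactory and Unsatisfactory; zones Control Critical (CC), No Major Concern, Active Management (Extreme priority), Active Management (High priority) and Periodic Monitoring (Moderate priority); markers E, H, M and L.]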
Risk
Key controls
CS3
Management exception
reporting and oversight
The CFS creation process and the
final statements are not subject to
an appropriate level of
management review prior to
publishing.
- timeframes
- details of procedures expected to be performed
- allocation of resources and responsibilities
- documentation requirements.
CS4
Succession planning
The CFS production process is highly manual and complex and therefore relies heavily on
individuals with detailed knowledge. Loss of key team members is likely to reduce
Finance's ability to produce the CFS in a timely manner to an acceptable standard.
Ref
CS5
Risk
Key controls
Access control
Unauthorised people can access
CFS files on the Treasury and
Finance network drives or make
changes to the core CFS
components.
CS7
CS8
Ref
CS9
Risk
Key controls
A reconciliation is performed between the Analytical
Workbooks and the agency's audited financial statements at
the subtotal level.
The Column Report has inbuilt QA checks that identify
discrepancies between AIMS and the spreadsheet on a total
account basis.
Also, a variance analysis is performed on a line by line basis
between the Analytical Workbooks and budget estimates and
prior year's agency data. The Analytical Workbook uses
formulas and macros to identify material differences (>$10
million) which are then followed up to determine if
misclassifications have occurred.
QA checklists over the CFS process are used to ensure that all
processes and related steps for each agency are conducted.
Ref
Risk
Key controls
The following controls are in place over consolidation
journals:
- a full audit trail of cash flow journals is maintained in the
cash flow derivation workbook
- all journals are compared to prior year journals for
completeness. Checks are in place to establish any
additional journals required in the current year
- completeness of cash flow journals is validated by creating
derived cash flow for each individual agency and checking
them against the audited cash flow statement provided by
the agency. Missing material cash flow journals will be
identified during this process and can be added to the master
cash flow statement that is derived from the consolidated
operating statement and balance sheet.
Ref
Risk
Key controls
The CFS publication is independently reconciled to supporting
spreadsheets which include a series of automated quality
assurance checks. In addition, manual checks are also
conducted. These reviews are conducted at all levels,
culminating in a final review by the CFS Audit Committee.
Material movements between the current period and the
previous year's audited data are investigated and explained to
the Audit Committee.
The following work plan details the steps we will perform in reviewing the systems,
processes and controls in preparing the 2008/09 Consolidated Financial Statements.
1. Review existing process maps (documented in 2003) that describe the CFS
preparation process.
2. Perform process walkthroughs with relevant Finance staff to reconfirm process flow
and the presence of key controls. Based on the content of the 2003 process maps, we
will perform our walkthrough on the following processes:
a. Preparation of CFS Plan, CPacks and Templates, including:
i. Chart of Accounts update
ii. CPack update
iii. Preparation of shell financial statements & update Excel templates.
b. Preparation of Agency Cash Activity Reports, including ACM extract to Excel.
c. Validation/QA of GG, PFC and PNFC Annual Statements, including:
i. Upload of CPack and Small Agency statements into AIMS WD1,
ii. Validate data through AIMS WD2
iii. Extraction of agency statements from AIMS,
iv. Download of AIMS information into Analytical Workbook
v. Reconciliation of workbooks with ACM
vi. QA of Agency Financial Statements.
d.
3. Review the controls map delivered in our 2003/04 review that describes and links the
identified controls with the existing CFS preparation process maps. We will update
these control maps for changes in processes of key controls made since our 2003/04
review.
a. Execute sample based audit tests (previously developed as part of 2003/04
review) to confirm the effectiveness of controls.
b. Conclude on the effectiveness of controls considered key to the CFS preparation
process in the report.
Name
Role
Matthew King
Tom Maloney
Denise Rambow
Simon Vellnagel-Dunn
Shane Jasprizza
Jenny Morris
Document
Version
Dated
Source
26/05/2009
Denise Rambow
1.3
1/06/2009
Denise Rambow
22/05/2009
Matthew King
1.1
18/06/2009
Denise Rambow
1/06/2009
Matthew King
15/04/2009
Denise Rambow
12/2003
Denise Rambow
31/07/2002
Denise Rambow
2.0
16/11/2004
Denise Rambow
28/08/2009
Denise Rambow
Denise Rambow
14/09/2009
Denise Rambow
9/09/2009
Denise Rambow
Jenny Morris
22/06/2009
Denise Rambow
29/6/2009
Denise Rambow
15/09/2009
Denise Rambow
Denise Rambow
Jenny Morris
Jenny Morris
Jenny Morris
Spreadsheet Procedures
Jenny Morris
Document
Version
Dated
Source
Jenny Morris
Jenny Morris
[Process map (figure not reproduced). Labels recoverable from the figure: Section 55 FMA Act; Central Systems & Data Stores; Preparation of CFS Plan; Preparation of letter to CFOs advising CFS timetable; Letter to CFOs advising CFS timetable; Update Annual Chart of Accounts to send to agencies; AIMS Actuals; Agency CPack; Prepare shell Financial Statements; AIMS (Estimates); Update Excel Templates; Preparation of Agency Cash Activity Reports; Cpack Manual; Agency QA workbook; Variance Analysis Workbook; CashFlow Derivation Workbook; Adjustment and Elimination Workbook; Journal Workbook.]
Summary of findings
Control
reference
Control description
CFS project plan
CS1
Succession planning
CS4
CS5
Access control
CS6
CS7
CS8
CS9
[Process map (figure not reproduced). Labels recoverable from the figure: Financial Reporting; Central Systems & Data Stores; control references CS10 and CS16; ACM; ACM receipts, payments & transactions; ACM MS Access database; Run queries to format transactions by Agency; Preparation of Small Agency Statements; Validation & QA of GG Agency Annual Financial Statements.]
Summary of findings
Control
reference
Control description
ACM extract reconciliation
CS10
CS16
[Process map (figure not reproduced). Labels recoverable from the figure: Agency; Financial Reporting; Agency Cpack; Material audit cleared financial statements submitted via CPack; Automated system validations performed; Pass System validations (Yes / No); Statements validated by AIMS; Annual CFS Reporting (Previous Year); Budget Estimates Update; Preparation of Agency Cash Activity Reports; AIMS (Actuals) (WD1); Upload Cpack into AIMS and authorise; Extract Agency Statements; Analytical Workbooks; Annual Final Budget Outcome (FBO) Reporting; Reconcile Agency Statements to CAMM / ACM; AIMS (Actuals) Validated (WD2); AIMS (Actuals) (AIMS) Yr-1; AIMS (Estimates) Archived (AIMS); QA of Agency Annual Financial Statements. Control references shown: CW9, CW12, CW13, CS2, CS11, CS12, CS13, CS14, CS15, CS16, CS17.]
Summary of findings
Control
reference
Control description
CFS Tracking database
CS2
Cpack submission
CS11
Agency input
CS12
AIMS validation
CS13
CS14
CS15
CS16
[Process map (figure not reproduced). Labels recoverable from the figure: Financial Reporting; Central Systems & Data Stores; Budget Estimates Update; Preparation of Agency Cash Activity Reports; Preparation of Small Agency Statements; Validation & QA of Annual Financial Statements; AIMS Actuals; Prep. of consolidated AASB 1049 / AAS 31 Tables (incl CF); Annual FBO Reporting; QA of Agency Annual Financial Statements; Preparation of WoG Annual Statements & comments; Validation & QA of GG Agency Statements (Small Agency). Control references shown: CS3, CS17, CS18, CS19, CS20.]
Summary of findings
Control
reference
Control description
Management exception reporting and oversight
CS3
CS17
CS18
CS19
Consolidation journals
Cash flow statement journals
Cash flow statement data
[Process map (figure not reproduced). Labels recoverable from the figure: Financial Reporting; Central Systems & Data Stores; AIMS Actuals; Preparation of Consolidated AASB 1049 / AAS 31 WoG Tables; Preparation of Notes to the Accounts; Preparation of Commentary and Preface; Consolidated AASB 1049 / AAS 31 Financial Statements; CFS Commentary and Preface; Preparation Annual Financial Statements; CFS Publication (Aggregate); CFS Audit; CFS Sign-off. Control references shown: CS20, CS21, CS22, CS23, CS24.]
CS20
Control description
Reconciliation of WoG consolidated financial statements
Notes to the WoG financial statements
CS21
CS22
CS23
Summary of findings
No review findings were identified in this process.