
Department of Finance and Deregulation

Internal Audit Report


Review of Consolidated Financial Statements Controls
2009

Reference: A101/ P002

Period of review: September - October 2009

Date of final report: November 2009

Review Sponsor: Tim Youngberry, A/g General Manager, Financial Management Group

Circulation:
- Matthew King, Branch Manager, Financial Reporting Branch
- Greg Feeney, A/g Division Manager, Financial Reporting and Cash Management Division
- Audit Committee

This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance and
Deregulation's internal use and benefit and may not be relied on by any other party. This report may not be
distributed to, discussed with, or otherwise disclosed to any other party without PricewaterhouseCoopers' prior
written consent. PricewaterhouseCoopers accept no liability or responsibility to any other party who gains access to
this report.

Rating for Audit Committee Reporting: Low Exposure
Liability limited by a scheme approved under Professional Standards Legislation

Contents

1. Introduction
2. Background
3. Scope
4. Summary of findings
5. Summary of work performed
6. Findings and agreed management actions
Appendix A Internal Audit Review Commonwealth Financial Statement (CFS) Process Review Scope of Work
Appendix B Review priority and control rating keys
Appendix C CFS Key Controls Framework
Appendix D Detailed Approach
Appendix E Key personnel interviewed
Appendix F Key documentation reviewed
Appendix G - Process Maps

Glossary
Priority ratings have been assigned to issues raised in this report as follows:

Rating scale for individual findings
A: Active management required as an extreme priority. Controls are not adequate to address the associated risk.
B: Active management required as a high priority. Controls are not adequate to address the associated risk.
C: Active management required as a moderate priority. Controls are not adequate to address the associated risk.
BPI: Business Process Improvement opportunity. A suggested improvement in efficiency or better practice.

Rating scale for overall report
[Diagram: overall rating scale, with ends labelled "Control is inadequate" and "Control is adequate": Extreme priority, High priority, Moderate priority, Low priority; CC = Control Critical - Test controls regularly.]

Note: The overall review rating is the residual exposure to Finance after consideration of all findings
highlighted in this report. More detail on the rating scales used throughout this report can be found at
Appendix B.

Limitations
Our Internal Audit work was limited to that described in this report and was performed in accordance with International
Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors. It did not constitute
an examination or a review in accordance with generally accepted auditing standards or assurance standards.
Accordingly, we provide no opinion or other form of assurance with regard to our work or the information upon which
our work was based. We did not audit or otherwise verify the information supplied to us in connection with this
engagement, except to the extent specified in this report or our approved objectives and scope.

1. Introduction

As part of the Internal Audit Work Plan for 2008/09, PricewaterhouseCoopers (PwC)
reviewed the Internal Controls Framework surrounding the Consolidated Financial
Statements (CFS) process.
The purpose of the review is to check the integrity of processes and controls in place
which support the accuracy and timely production of the CFS.
The review of the Internal Controls Framework focused on the following key areas:
- preparation of core CFS components
- preparation of Agency Cash Activity reports
- validation and quality assurance of annual financial statements
- preparation of annual financial statements by sector
- preparation of Whole of Government annual financial statements and commentary.

Note: no Administrative Arrangement Orders (AAOs) to restructure the General
Government Agencies were issued during the financial year under review, therefore no
additional supplementary controls testing for the AAO process was required.
A copy of the CFS key controls framework is attached at Appendix C.

2. Background

Under Section 55 of the Financial Management and Accountability Act 1997, the
Minister for Finance and Deregulation is required to prepare the Consolidated Financial
Statements (CFS) for the Australian Government.
The CFS are prepared in accordance with the Australian Accounting Standards and all
other financial reporting regulatory requirements and reflect a consolidation of the
financial statements of all Commonwealth controlled reporting entities.
These annual statements are prepared on behalf of the Minister of Finance and
Deregulation by the Financial Management Branch of the Department of Finance and
Deregulation (Finance) as soon as practicable following the end of the financial year.
These financial statements are audited by the Australian National Audit Office.
The process is currently conducted using the AIMS system. However, it is expected that a
transition to the Central Budget Management System (CBMS) will take place during the
next year and the AIMS system will be decommissioned.
In 2008/09 the CFS is being prepared for the first time in accordance with the Australian
Accounting Standard 1049 Whole of Government and General Government Financial
Reporting (AASB 1049). The objective of AASB 1049 is to specify requirements for the
financial reporting by whole of government and General Government Sector. It became
applicable for annual reporting periods beginning on or after 1 July 2008. The
introduction of this standard has resulted in no significant changes to the CFS process.


Internal Audit first performed a controls based agreed-upon procedures review to assist
Finance in preparing the CFS for the 2003/04 financial year. This identified a number of
process and control improvements for CFS preparation in future years. Internal Audit
have since performed controls based agreed-upon procedures to assist Finance in
preparing the CFS for each of the subsequent financial years. The following table
illustrates the number of control weaknesses outstanding at the end of each annual review
and their rating:
Year of review
Number of priority issues
A
Number of control weaknesses identified in 2003 review
Number of control weaknesses unresolved in 2005 review
Number of control weaknesses unresolved in 2006 review
Number of control weaknesses unresolved in 2007 review
Number of control weaknesses unresolved in 2008 review
Number of control weaknesses unresolved in 2009 review

The following diagram summarises the CFS preparation process considered as part of this
review. Detailed CFS preparation process maps are provided in Appendix G of this
report.
[Diagram: CFS preparation process. Stage labels: Input, Capture, QA, Prepare consolidated statements, Consolidation calculations, Adjust and aggregate, Publish statements. Elements shown: Cpack from agencies; Working Data 1 and Working Data 2; Analytical Workbooks and Column Reports; journal and elimination workbooks; P&L, B/S, Derived Cash Flow and Notes for GG, PFC, PNFC and for WoG. Tools labelled: MS Excel, AIMS, MS Word.]

Diagram 1: The Whole of Government (WoG) Consolidated Financial Statements (CFS) comprise
the sum of General Government (GG), Public Finance Corporations (PFC) and Public Non-Finance
Corporations (PNFC).

3. Scope

A copy of the approved objectives and scope of this review is attached at Appendix A.
Specific limitations to the scope of this review are detailed below:
- controls over business continuity and contingency arrangements were not within
  the scope of agreed-upon procedures for this review.

4. Summary of findings

Our work has identified that the controls originally identified in the 2003/04 audit
continue to be in place and operating as intended; however, one opportunity for
improvement has been identified. This finding relates to:
- a back-up of the data of the AIMS system is occurring on a nightly basis, however
  there is currently no confirmation that these backups are occurring and are
  complete.
Overall, Internal Audit considers that the controls identified in 2003-04 remain adequate
and appropriate for today's operating environment. Business requirements in terms of
accuracy and timeliness of the preparation of the CFS remain comparable, whilst the
observed stability and robustness of the process and its controls have in aggregate
improved each successive year of review.
It is worth noting that the scheduled replacement of the legacy AIMS system with CBMS
for next year's CFS process will require a re-evaluation and re-mapping of the risks and
controls for the updated aspects of the process.
A listing of the key controls over the CFS process is provided in Appendix C of this
report.

David Murphy
Partner
PricewaterhouseCoopers
4 November 2009


Summary of ratings and issues


The review of Business Continuity Management has been rated a Low priority for
Finance due to the number and nature of the priority issues identified. The sliding scale
diagram that follows explains the system used to rate the overall review.
Appendix B provides more detail on the rating scales used throughout this report.

[Diagram: overall review rating scale (Extreme priority, High priority, Moderate priority, Low exposure, Control Critical - Test controls regularly), with a marker for this review.]

Number of priority issues


A

BPI


5. Summary of work performed

A summary of the work performed in reviewing the processes and controls over
the preparation of the 2008/09 CFS is outlined in the table below.

Ref
Summary of work performed

- Review existing process maps (documented in 2003) that describe the CFS
  preparation process.
- Perform process walkthroughs with relevant Finance staff to reconfirm process
  flow and the presence of key controls.
- Review the controls map delivered in our 2003/04 review that describes and links
  the identified controls with the existing CFS preparation process maps. We will
  update these control maps for changes in processes of key controls made since our
  2003/04 review.
- Execute sample based audit tests (previously developed as part of 2003/04 review)
  to confirm the effectiveness of controls.
- Conclude on the effectiveness of controls considered key to the CFS preparation
  process in the report.

The detailed approach is presented in Appendix D.


6. Findings and agreed management actions

6.1. Notification of backups of the AIMS data being performed (CS9)

Observation
A backup of the AIMS database was previously conducted on an hourly basis. However,
these are no longer being supported due to the decommissioning of AIMS. Instead a
backup of the system is occurring on a nightly basis. However, there is no confirmation
received by the System Administrator that the backup process is successful and complete.
It is also acknowledged that on an ad hoc basis backups are tested by loading them into
the AIMS test environment.

Risk
In the event of a major outage or loss of system data, the ability of System Administrators
to recover the most up to date AIMS data may be compromised by missing or incomplete
backups.

Recommendation
Finance will introduce a daily automated email notification produced from the system to
confirm the completion of the backup process. This should be received by the AIMS
System Administrator and reviewed to ensure that no errors were detected.
Further to this a formal schedule of testing backups should be defined and followed.
Priority: Low

Management Response
Management agrees to the recommendation. However, email confirmation of the backup
is not available. The AIMS System Administrator will review the TSM reports on a daily
basis to confirm successful completion.
AIMS will be decommissioned subsequent to production of the Consolidated Financial
Statements and the data will be archived. There is no requirement to put in place a formal
schedule of testing the backup.
Management will ensure that a notification and formal testing process of the replacement
to AIMS is put in place for the 2009-10 CFS process.
Responsibility: Matthew King, Branch Manager, Financial Reporting Branch
Implementation date: 31 December 2009


Appendix A Internal Audit Review Commonwealth Financial Statement (CFS) Process Review Scope of Work

Objective
The objective is to prepare a report annually to the CFS Audit Committee reviewing the
processes within Finance for the preparation of the Commonwealth's annual consolidated
financial statements including any difficulties encountered and suggesting improvements.

Approach
We will consult with Financial Reporting Branch (FRB) to validate our proposed
approach to update our understanding of any material changes that have occurred since
our last review that may impact the approach. Specifically we will:
- Update our approach as required by our initial consultation.
- Review any updated process and control documentation held by the Branch.
- Through discussion, observation and review of evidence we will document and
  review the processes and controls in place to support the accurate and timely
  production of the CFS.
- Perform process walkthroughs with relevant Finance staff to reconfirm process
  flow and presence of key controls.
- We will recommend specific and practical updates required to the process and
  control documentation held by the Branch.
- We will prepare a report for the CFS Audit Committee on our findings and
  recommendations.
- We will regularly liaise with FRB throughout the review to ensure that any issues
  raised are discussed and that progress is known and clear.

Resources Seniority and Skills of proposed personnel
The review of the CFS processes and controls requires specialist knowledge that PwC is
well placed to provide the Department. We have undertaken similar reviews for the
Department for each of the last five years and propose a team that understands the
processes, is well known and respected by the CFS team and has contributed significantly
to the improvement of process and controls over that time.
Staff
Partner

Audit Days*
2

Director

Senior Consultant

Appropriate Consultant

10

Total

23

*Our approach is based upon the current systems and processes that Finance utilise to
produce the CFS. We understand that a new system and processes are currently being
developed with an implementation timeframe that is yet to be determined. We anticipate
that the first year of this review under the new system and process would require
approximately 7 days more effort.


Appendix B Review priority and control rating keys


The keys used in this report are based on the Finance Risk Management Framework for
inherent risks. Likelihood involves an assessment of the probability or frequency of
occurrence of a risk event.
Likelihood: Likelihood of occurrence
Rare: The event type would occur only in exceptional circumstances and has not occurred within Commonwealth Government.
Unlikely: The event type could occur but has not occurred in Finance before.
Average: The event type might occur or has occurred at least once within Finance.
Likely: The event type will probably occur or has occurred in Finance within the last two years.
Almost certain: The event type has occurred within the last 12 months or is expected to occur.

Impact involves the consequences of a risk event, and may be in terms of, for example,
financial or human cost, business disruption, environmental damage or damage to
reputation. Each consequence/impact can be rated, in terms of its severity.
Consequence/impact area

| Impact | Financial | Human resources | Business interruption | Outputs | Integrity/reputation and image |
|---|---|---|---|---|---|
| Insignificant | Up to $100K | First Aid. Leave of absence. | Loss of service capability for up to half a day. | Up to 1% impact on targets. | Internal impact only. |
| Minor | Up to $500K | Injury to staff. Temporary loss of key staff. | Loss of service capability for up to two days. | Up to 2% impact on targets. | Adverse comments in local press. |
| Medium | Up to $5M | Major injury to staff. Permanent loss of key staff. | Loss of service capability for up to one week. Interruption of four hours during budget. | Up to 5% impact on targets. | Senate Estimates. Other external scrutiny, ANAO, national media. Moderate damage to Finance's reputation. |
| Major | Up to $20M | Permanent injury to multiple staff. Loss of critical mass of staff. | Loss of service capability for up to one month. Interruption of two days during Budget. Serious medium term business/environmental effects. | Up to 10% impact on targets. | Questions in Parliament. External scrutiny. Serious public, political and/or media outcry. |
| Extreme | Above $100M. | Multiple deaths of staff. Loss of critical mass of key staff. | Loss of service capability for more than one month. Inability to get Budget completed in timeframe. Very serious long term effects on Department's business. | Greater than 10% impact on targets. | Royal Commission. Judicial inquiry. Other form of Parliamentary inquiry. Possible litigation. Very serious legislative non compliance. |

The intersection of the likelihood and consequence ratings determines the overall inherent
risk rating as shown in the table below.
| Likelihood \ Impact | Extreme | Major | Medium | Minor | Insignificant |
|---|---|---|---|---|---|
| Almost certain | Extreme | Extreme | High | Significant | Moderate |
| Likely | Extreme | High | Significant | Moderate | Low |
| Average | High | High | Significant | Moderate | Low |
| Unlikely | High | Significant | Moderate | Low | Low |
| Rare | Significant | Moderate | Low | Low | Low |

From this, a level of inherent risk can be determined using the table below.
Level of risk: Description
Extreme: Immediate action required. Move resources from other areas.
High: Action required. Prioritise resources to complete as soon as possible.
Significant: Action required as soon as resources become available, include as a priority on work plans
Moderate: No immediate action required but to be scheduled for action as part of program or business plan.
Low: No action required but monitor for worsening of the risk.


Unsatisfactory

Satisfactory

We then assess the effectiveness of controls that management have in place to manage the
risk according to the table below.
Rating*: Description
Excellent: Controls have reduced the level of risk to an acceptable level (designed appropriately). Controls are in operation, applied consistently, documented, communicated and monitored.
Good: Controls have reduced the level of risk to an acceptable level. Controls are in operation, applied consistently, documented, communicated and monitored although minor improvements could be made.
Incomplete: Control is designed to only partially address the risk. Control documentation/communication and/or application require improvement.
Unsatisfactory: Control is poorly designed and does not fully address the risk. Documentation/communication and/or application need improvement.
Poor: Control is poorly designed and does not address the risk. Both control documentation/communication and application need improvement.

Residual risk is the level of risk faced after considering the controls in place. Residual
risks are rated on the same likelihood and consequence/impact ratings as inherent risks
above but are then considered in conjunction with the adequacy of controls. Based on the
level of residual risk, management can prioritise the allocation of resources to address
these risks through mitigating actions or investments in improving controls. It also
identifies areas where management should continue to test controls: those where residual
risks are low but, without the controls, inherent risk would be high, that is, areas where
controls are critical, as illustrated in the following diagram:

[Diagram: residual risk priority plotted by inherent risk rating (Low to Extreme) against control rating (Satisfactory, Unsatisfactory). Regions: Control Critical (CC); No Major Concern (L); Active Management, Extreme priority (E); Active Management, High priority (H); Periodic Monitoring, Moderate priority (M).]


Control critical - control is adequate but critical due to high inherent risks; continued monitoring of controls required.
Active management - extreme priority. Controls not adequate; risks exist which require urgent management.
Active management - high priority. Controls not adequate; requires active management.
Periodic monitoring - moderate priority. Controls not strong but risk impact is not high. Consider improving control or monitoring to ensure the residual risk rating does not increase over time.
Low priority. Control is adequate. Consider excess or redundant controls.

Appendix C CFS Key Controls Framework


The following table describes the risks that are present in the CFS process and the key
controls in place addressing each risk. A key control is considered to be one that if absent
could significantly affect the completeness, accuracy and validity of the annual CFS
reporting process.
CS1 CFS project plan
Risk: The CFS process is performed in an unplanned and unstructured manner potentially leading to:
- timeframes not being met
- poor quality of outcome
- key controls circumvented
- key components of the process incomplete or not undertaken.
Key controls: A project plan is prepared for the annual CFS process which provides a framework around the process, including:
- timeframes
- details of procedures expected to be performed
- allocation of resources and responsibilities
- documentation requirements.

CS2 CFS tracking database
Risk: Communication with agencies is not recorded or followed up on a timely basis. This may hinder Finance's ability to report on the reporting timeliness statistics required under the BEFR implementation.
Key controls: The preparation team have a database in which they record the dates and details of key communication and file transfer receipt with agencies. This database also keeps a record of which Quality Assurance (QA) checklists have been completed.
Analytical workbooks are also maintained for each agency which include provision for the storage of all communications with agencies.

CS3 Management exception reporting and oversight
Risk: The CFS creation process and the final statements are not subject to an appropriate level of management review prior to publishing.
Key controls: All statements are reviewed by the Branch Head of the Financial Reporting Branch, the Division Head of the Financial Reporting and Cash Management Division, the General Manager of the Financial Management Group and the CFS Audit Committee prior to publication.
An analysis of movements between the current statements and prior year and budget is also provided to assist management with their review of the draft financial statements.
All journals are signed off by CFS team member and reviewed by CFS Manager and Finance Team Leader.

CS4 Succession planning
Risk: The CFS production process is highly manual and complex and therefore relies heavily on individuals with detailed knowledge. Loss of key team members is likely to reduce Finance's ability to produce the CFS in a timely manner to an acceptable standard.
Key controls: The risk has been identified by management and appropriate measures have been implemented to address the risk going forward including having some redundancy in the team and providing training to a number of staff. Finance has contracted support arrangements to assist in the preparation of current and future CFS.


CS5 Change control over spreadsheet components
Risk: Changes to the CFS spreadsheets are not subject to robust change controls which could lead to inaccurate or unauthorised changes to CFS components such as:
- Chart of Accounts
- Cpack
- Cpack manual
- Shell CFS financial statements
- Excel templates such as the Journal workbook, elimination workbook and the cash flow derivation model.
Key controls: Changes to the chart of accounts in AIMS are subject to change control procedures. These changes would be replicated in the Cpacks to maintain consistency with AIMS.
The process for making changes to the Cpacks is documented.
A list is produced each year during the Chart of Accounts review that identifies which templates in the Cpack will need to be changed for the current year.
A change management system has been implemented which tracks changes in a spreadsheet. Finance management provides approval for each change.
The CFS Audit Committee is advised of changes to the accounting standards, and how this impacts on the CFS, including how the information will be collated.

CS6 Access control
Risk: Unauthorised people can access CFS files on the Treasury and Finance network drives or make changes to the core CFS components.
Key controls: Finance undertakes regular review of the appropriateness of access rights to the Finance CFS network folders.
All Cpacks cells except agency input cells are locked and password protected.
Other CFS components such as the Excel spreadsheets are password protected.
The AIMS system is subject to both smartcard and password controls.

CS7 Version control of spreadsheet systems and templates
Risk: Incorrect versions of core CFS components will be used thereby introducing data inaccuracies into the CFS process.
Key controls: Controls such as directory structures and naming conventions are in place.
A spreadsheet inventory is maintained that describes the purpose, location, current version and dependencies relevant to each spreadsheet component in the system.

CS8 System and procedure documentation
Risk: Robust procedure and system documentation does not exist potentially leading to:
- over-reliance on key team members
- important systems knowledge not being captured within the organisation
- increased difficulty in knowledge transfer to new team members
- increased difficulty in making accurate changes to the system due to lack of documentation of system functionality and linkages.
Key controls: System documentation is maintained, including coverage of the following areas:
- system overview, objective and purpose
- system technical and functional design including dependencies and linkages
- documentation of business rules including detailed formulas, macros and calculations.
- separate user manuals for use of the Cpack and AIMS by agencies.
Process documentation is maintained including coverage of detailed procedure guidelines for all CFS processes.


CS9 Back-up of data and spreadsheets stored on the network
Risk: Core data and spreadsheet systems associated with the CFS processes are stored on the Finance network drive. There is a risk that this data and spreadsheet functionality could be lost.
Key controls: The Finance network drive is backed up on a daily basis.
Spreadsheets and data are kept on the Finance network drives.

CS10 ACM extract reconciliation
Risk: Cash activity reports generated for each agency do not accurately reflect the agency data in ACM. Therefore agencies are reconciling their own accounts to inaccurate central data.
Key controls: A reconciliation is performed between the Cash Activity reports and ACM prior to sending the reports to the agencies.

CS11 Cpack submission
Risk: The agency data contained in the Cpack is modified or viewed by unauthorised people, intentionally or unintentionally, while in transit.
Key controls: A process of submitting the Cpack through either AIMS Mail or the use of express post courier is in place to ensure that any classified information is sent by an appropriately secure mechanism.

CS12 Agency input
Risk: The agency data received by Finance through the Cpack is inaccurate, incomplete, invalid or subject to unauthorised access.
Key controls: The Cpack template used to capture agency information has inbuilt controls, including:
- Accounting business rules are enforced prior to submission to Finance through the inbuilt validation checks
- A checklist of quality assurance measures is undertaken to validate agency information
- All non-input cells are locked and password protected in the Cpack.

CS13 AIMS validation
Risk: The agency data uploaded by Finance from the Cpack into AIMS is inaccurate, incomplete, invalid or subject to unauthorised access.
Key controls: Automated AIMS system validation checks are performed when the data is in the temporary holding database called Working Data 1. These validation checks must pass to permit transfer of the data into the Working Data 2 database. Only selected members of the CFS team are authorised to transfer data in to Working Data 2. Any outstanding variances are further investigated in the Analytical Workbook (refer CS15 Accuracy and completeness of AIMS data inputs and outputs below).

CS14 Integrity of AIMS data
Risk: Working Data 2 is vulnerable to reductions in integrity through invalid data changes or data corruption.
Key controls: AIMS uses two logically separated databases for current year agency data. These are Working Data 1 and Working Data 2. No changes are made directly to Working Data 2. All changes are first made to Working Data 1 then uploaded to Working Data 2 through the validation checks and authorisation process.


CS15 Accuracy and completeness of AIMS data inputs and outputs
Risk: System input/output errors result in discrepancies between the Cpacks and that stored in AIMS Working Data 2. These errors may also cause discrepancies between AIMS and the information extracted from AIMS to the Analytical Workbooks or Column Reports.
Key controls: A reconciliation is performed between the Analytical Workbooks and the agency's audited financial statements at the subtotal level.
The Column Report has inbuilt QA checks that identify discrepancies between AIMS and the spreadsheet on a total account basis.
Also, a variance analysis is performed on a line by line basis between the Analytical Workbooks and budget estimates and prior year's agency data. The Analytical Workbook uses formulas and macros to identify material differences (>$10 million) which are then followed up to determine if misclassifications have occurred.
QA checklists over the CFS process are used to ensure that all processes and related steps for each agency are conducted.

CS16 Official Public Account reconciliation (General Government only)
Risk: Agency reported transfers to and from the Official Public Account may not agree to ACM data.
Key controls: A reconciliation is performed between the ACM report and the agency financial statements.

CS17 Consolidation journals
Risk: Consolidation journals are inaccurate, incomplete, invalid or not subject to appropriate approval.
Key controls: The following controls are in place over consolidation journals:
- a full audit trail is maintained of all adjustments and journals
- all journals are compared to prior year journals for completeness. Checks are in place to establish any additional journals required in the current year
- the sum of consolidation adjustments and journals for each account is reconciled to the adjustment entity in AIMS. The adjustment entities are consolidation entities in AIMS that hold the sum of all consolidation adjustments and journals. They are included in the final aggregation process that is used to produce the consolidated balances
- management review any variances identified by the automated reconciliation between the Journal workbook and the adjustment entity
- all journals are signed off by a CFS team member and reviewed by the CFS Manager and Finance Team Leader.


CS18 Cash flow statement journals
Risk: Cash flow statement journals are incomplete, inaccurate, invalid or subject to unauthorised approval.
Key controls: The following controls are in place over consolidation journals:
- a full audit trail of cash flow journals is maintained in the cash flow derivation workbook
- all journals are compared to prior year journals for completeness. Checks are in place to establish any additional journals required in the current year
- completeness of cash flow journals is validated by creating derived cash flow for each individual agency and checking them against the audited cash flow statement provided by the agency. Missing material cash flow journals will be identified during this process and can be added to the master cash flow statement that is derived from the consolidated operating statement and balance sheet.

CS19 Cash flow statement data
Risk: Cash flow statement data is incomplete, inaccurate or invalid.
Key controls: The master cash flow statement is linked to source data and contains variance checks between the Cash Flow and the Cash Flow reconciliation and relevant notes.
The consolidated cash flow statement is derived from the consolidated operating statement and balance sheet. This statement is then updated for additional cash flow statement journals identified during the check against each agency's audited cash flow statements.

CS20 Reconciliation of WoG consolidated financial statements
Risk: The WOG consolidated financial statements in the Excel spreadsheets do not agree to that stored in AIMS Working Data 2. Variances may be due to system input/output errors.
Key controls: Balance sheet and operating statements in the master Excel templates are stored in AIMS and retrieved directly into the statements. This information is also retrieved in its disaggregated form from AIMS into individual notes tabs in the spreadsheet. The disaggregated total is reconciled to the total figure in AIMS to ensure that all of the notes are being grossed up into the total.

CS21 Notes to the WoG financial statements
Risk: Notes to the WoG financial statements are inaccurate, incomplete or invalid.
Key controls: The notes to the financial statements are consolidated using the same methodology as consolidation of the face statements. Therefore the key controls are:
- Cpack validations
- AIMS validations
- agreement to agency's audited financial statements
- management review and authorisation of consolidation journals.

CS22 Narrative notes to the WoG financial statements
Risk: Notes to the WoG financial statements are inaccurate, incomplete or invalid.
Key controls: The narrative notes to the financial statements are consolidated manually. The key control over this process is agreement of the consolidated note to each agency's audited financial statements by a person independent of the Note 1 consolidation process.
Other narrative notes go through the CFS team's own three tier review process.


CS23 CFS publication
Risk: The CFS publication may be inaccurate or incomplete.
Key controls: The CFS publication is independently reconciled to supporting spreadsheets which include a series of automated quality assurance checks. In addition, manual checks are also conducted. These reviews are conducted at all levels, culminating in a final review by the CFS Audit Committee.
Material movements between the current period and the previous year's audited data are investigated and explained to the Audit Committee.


Appendix D - Detailed Approach

The following work plan details the steps we will perform in reviewing the systems,
processes and controls in preparing the 2008/09 Consolidated Financial Statements.
1. Review existing process maps (documented in 2003) that describe the CFS
preparation process.
2. Perform process walkthroughs with relevant Finance staff to reconfirm process flow
and the presence of key controls. Based on the content of the 2003 process maps, we
will perform our walkthrough on the following processes:
a. Preparation of CFS Plan, CPacks and Templates, including:
   i. Chart of Accounts update
   ii. CPack update
   iii. Preparation of shell financial statements & update Excel templates.
b. Preparation of Agency Cash Activity Reports, including ACM extract to Excel.
c. Validation/QA of GG, PFC and PNFC Annual Statements, including:
   i. Upload of CPack and Small Agency statements into AIMS WD1,
   ii. Validate data through AIMS WD2
   iii. Extraction of agency statements from AIMS,
   iv. Download of AIMS information into Analytical Workbook
   v. Reconciliation of workbooks with ACM
   vi. QA of Agency Financial Statements.
d. Preparation of GG, PFC and PNFC Consolidated Annual Statements, including:
   i. Preparation of consolidation journals
   ii. Execution of aggregation scripts to update AIMS WD2
   iii. Download of consolidated data from AIMS WD2 into spreadsheets
   iv. Download of consolidated data into Cash flow model, review of Analytical
   v. Workbooks and preparation of cash flow adjustments
   vi. Preparation of cash flow statement
   vii. Allocation of elimination by functions in Function Allocation Workbook.
e. Preparation of WoG Annual Statements & Comments, including:
   i. Preparation of consolidation journals
   ii. Execution of aggregation scripts to update AIMS WD2
   iii. Download of consolidated data into Excel spreadsheets
   iv. Review of Analytical Workbooks and preparation of cash flow adjustments
   v. Preparation of consolidated cash flow statement
   vi. Allocation of elimination by functions
   vii. Execution of aggregation scripts to update AIMS WD2
   viii. Retrieval of functional data and production of AAS31 CFS
   ix. Extraction of financial note data from AIMS WD2
   x. Preparation of financial and narrative notes.

3. Review the controls map delivered in our 2003/04 review that describes and links the
identified controls with the existing CFS preparation process maps. We will update
these control maps for changes in processes of key controls made since our 2003/04
review.
a. Execute sample based audit tests (previously developed as part of 2003/04
review) to confirm the effectiveness of controls.
b. Conclude on the effectiveness of controls considered key to the CFS preparation
process in the report.


Appendix E - Key personnel interviewed

Name                    Role
Matthew King            Branch Manager, Financial Reporting Branch
Tom Maloney             Finance Contractor (KPMG)
Denise Rambow           Team Leader, Financial Reporting Branch
Simon Vellnagel-Dunn    AIMS System Administrator, FeSG
Shane Jasprizza         Finance Contractor (KPMG)
Jenny Morris            Finance Contractor (KPMG)


Appendix F - Key documentation reviewed

- CFS Process Diagrams (KPMG); dated 26/05/2009; source Denise Rambow
- CFS 2008-09 Production Plan; version 1.3; dated 1/06/2009; source Denise Rambow
- Internal Audit Report Comment on CFS 2008-09 Production Plan; dated 22/05/2009; source Matthew King
- CFS 2008-09 Risk Management Plan; version 1.1; dated 18/06/2009; source Denise Rambow
- Internal Audit Report Comment on CFS 2008-09 Risk Management Plan; dated 1/06/2009; source Matthew King
- CFS 2008-09 Qualitative Risk Assessment Matrix; dated 15/04/2009; source Denise Rambow
- AIMS User Manual - Table of contents; dated 12/2003; source Denise Rambow
- AIMS User Manual - Table of contents (small agencies); dated 31/07/2002; source Denise Rambow
- Secure Remote Access Services (SRAS) User Guide; version 2.0; dated 16/11/2004; source Denise Rambow
- File Catalogue - Change Register and File Log 2008-09; dated 28/08/2009; source Denise Rambow
- Change Request Forms (signed); source Denise Rambow
- Spreadsheet Change Register 2008-09; dated 14/09/2009; source Denise Rambow
- 2008-09 Chart of Accounts listing report; dated 9/09/2009; source Denise Rambow
- 2008-09 Revised AIMS Variable Dimensions; source Jenny Morris
- Material Agencies CPack Navigation Manual; dated 22/06/2009; source Denise Rambow
- CFS Accounting Policies & Procedures 01 to 17; dated 29/6/2009; source Denise Rambow
- Effective Folder Permissions Report (extract); dated 15/09/2009; source Denise Rambow
- QA / Analytical Review Checklist template; source Denise Rambow
- QA / Analytical Review Checklists 2008-09; source Jenny Morris
    ACS (Departmental & Administered)
    AFP (Departmental & Administered)
    ASIC (Departmental & Administered)
    DH&A (Departmental & Administered)
    DEWHA (Departmental & Administered)
    DIAC (Departmental & Administered)
    DPS (Departmental & Administered)
    DVA (Departmental & Administered)
    Infrastructure (Departmental & Administered)
    Medicare Australia (Departmental)
- Financial Statement QA Checklist; source Jenny Morris
    AFP (Departmental & Administered)
    AusAID (Departmental & Administered)
    DFAT (Departmental & Administered)
    DIAC (Departmental & Administered)
- All Agencies ACM Variance Report; source Jenny Morris
- Spreadsheet Procedures; source Jenny Morris
- Balanced Journal Spreadsheets; source Jenny Morris
    AFP (Departmental)
    AusAID (Departmental & Administered)
    DFAT (Departmental & Administered)
    DIAC (Departmental & Administered)
- AIMS Primary Statement Validations; source Jenny Morris
    ACS (Departmental)
    AOFM (Departmental)
    DoFD (Departmental)
    DPS (Departmental)
    NLA (Departmental)
- Elimination Journal and Function Allocation 2008-09
- Cash Flow Analysis spreadsheet 2008-09


Appendix G - Process Maps


We have used CFS process maps provided by the CFS team to summarise the CFS process into 5 flow diagrams by combining the
Public Non-Financial Corporations (PNFC), Public Financial Corporations (PFC) and General Government (GG) sector processes into
single diagrams. The processes, systems and controls surrounding the PNFC, PFC and GG are essentially the same.
We confirmed the process flow and understanding of key controls through interviews with Shane Jasprizza and Jenny Morris (Finance
contractor). We also interviewed Denise Rambow and Simon Vellnagel-Dunn (Finance) to confirm processes and controls
surrounding AIMS.
Audit symbols used in the sub-process diagrams
The symbol on the diagrams refers to a key control that was identified during our work. A key control is any factor that plays an
important role in managing risk inherent in the process. The absence or ineffective operation of a key control will give rise to a
reportable control weakness. These controls are listed in the sub-process descriptions below and are also described in more detail in
Appendix A of this report.
The x symbol indicates an internal audit finding that may be either a control weakness or a process improvement suggestion. Note
that one process improvement has been identified in the course of this review.

Internal Audit Report


Review of Consolidated Financial Statements Controls 2009
Page 24 of 34

Phase A - Preparation of core CFS components

[Process flow diagram: Phase A, preparation of core CFS components. Key controls marked on the diagram: CS1, CS4, CS5, CS6, CS7, CS8, CS9.]

Summary of Phase A controls

The following table summarises the key controls identified in Phase A, the preparation of core CFS components.

Control reference    Control description
CS1                  CFS project plan
CS4                  Succession planning
CS5                  Change control over spreadsheet components
CS6                  Access control
CS7                  Version control of spreadsheet systems and templates
CS8                  System and procedure documentation
CS9                  Back-up of data and spreadsheets stored on the network

Summary of findings

No review findings were identified in this process.


Phase B - Preparation of Agency Cash Activity Reports

[Process flow diagram: Phase B, preparation of Agency Cash Activity Reports. Swimlanes: Financial Reporting; Central Systems & Data Stores. Key controls marked on the diagram: CS10, CS16.]

Summary of Phase B controls

The following table summarises the key controls identified in Phase B, the preparation of agency cash activity reports.

Control reference    Control description
CS10                 ACM extract reconciliation
CS16                 Official Public Account reconciliation (General Government only)

Summary of findings

No review findings were identified in this process.


Phase C - Validation and quality assurance of annual financial statements

[Process flow diagram: Phase C, validation and quality assurance of annual financial statements. Swimlanes: Agency; Financial Reporting; Central Systems & Data Stores.]

Summary of Phase C controls

The following table summarises the key controls identified in Phase C, the validation and quality assurance of annual financial statements.

Control reference    Control description
CS2                  CFS Tracking database
CS11                 Cpack submission
CS12                 Agency input
CS13                 AIMS validation
CS14                 Integrity of AIMS data
CS15                 Accuracy and completeness of AIMS data inputs and outputs
CS16                 Official Public Account reconciliation (General Government only)

Summary of findings

No review findings were identified in this process.


Phase D - Preparation of annual financial statements by sector (GG, PFC, PNFC)

[Process flow diagram: Phase D, preparation of annual financial statements by sector (GG, PFC, PNFC). Swimlanes: Financial Reporting; Central Systems & Data Stores.]

Summary of Phase D controls

The following table summarises the key controls identified in Phase D, preparation of annual financial statements by sector (GG, PFC, PNFC).

Control reference    Control description
CS3                  Management exception reporting and oversight
CS17                 Consolidation journals
CS18                 Cash flow statement journals
CS19                 Cash flow statement data

Summary of findings

No review findings were identified in this process.


Phase E - Preparation of Whole of Government annual financial statements and commentary

[Process flow diagram: Phase E, preparation of Whole of Government annual financial statements and commentary. Swimlanes: Financial Reporting; Central Systems & Data Stores.]

Summary of Phase E controls

The following table summarises the key controls identified in Phase E, preparation of Whole of Government annual financial statements and commentary.

Control reference    Control description
CS20                 Reconciliation of WoG consolidated financial statements
CS21                 Notes to the WoG financial statements
CS22                 Narrative notes to the WoG financial statements
CS23                 CFS publication

Summary of findings

No review findings were identified in this process.
