Escolar Documentos
Profissional Documentos
Cultura Documentos
This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance and
Deregulations internal use and benefit and may not be relied on by any other party. This report may not be
distributed to, discussed with, or otherwise disclosed to any other party without PricewaterhouseCoopers prior
written consent. PricewaterhouseCoopers accept no liability or responsibility to any other party who gains access to
this report.
1. Introduction.......................................................................................................................................... 3
2. Background .......................................................................................................................................... 3
3. Scope ..................................................................................................................................................... 5
4. Summary of findings............................................................................................................................ 5
Appendix A Internal Audit Review Commonwealth Financial Statement (CFS) Process Review
Scope of Work................................................................................................................................................ 9
Glossary
Priority ratings have been assigned to issues raised in this report as follows:
Note: The overall review rating is the residual exposure to Finance after consideration of all findings
highlighted in this report. More detail on the rating scales used throughout this report can be found at
Appendix B.
Limitations
Our Internal Audit work was limited to that described in this report and was performed in accordance with International
Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors. It did not constitute
an examination or a review in accordance with generally accepted auditing standards or assurance standards.
Accordingly, we provide no opinion or other form of assurance with regard to our work or the information upon which
our work was based. We did not audit or otherwise verify the information supplied to us in connection with this
engagement, except to the extent specified in this report or our approved objectives and scope.
As part of the Internal Audit Work Plan for 2008/09, PricewaterhouseCoopers (PwC)
reviewed the Internal Controls Framework surrounding the Consolidated Financial
Statements (CFS) process.
The purpose of the review is to check the integrity of processes and controls in place
which support the accuracy and timely production of the CFS.
The review of the Internal Controls Framework focused on the following key areas:
preparation of core CFS components
preparation of Agency Cash Activity reports
validation and quality assurance of annual financial statements
preparation of annual financial statements by sector
preparation of Whole of Government annual financial statements and commentary.
Note: no Administrative Arrangement Orders (AAOs) to restructure the General
Government Agencies were issued during the financial year under review, therefore no
additional supplementary controls testing for the AAO process was required.
2. Background
Under Section 55 of the Financial Management and Accountability Act 1997, the
Minister for Finance and Deregulation is required to prepare the Consolidated Financial
Statements (CFS) for the Australian Government.
The CFS are prepared in accordance with the Australian Accounting Standards and all
other financial reporting regulatory requirements and reflects a consolidation of the
financial statements of all Commonwealth controlled reporting entities.
These annual statements are prepared on behalf of the Minister of Finance and
Deregulation by the Financial Management Branch of the Department of Finance and
Deregulation (Finance) as soon as practicable following the end of the financial year.
These financial statements are audited by the Australian National Audit Office.
The process is currently conducted using the AIMS system. However, it is expected that a
transition to the Central Budge Management System (CBMS) during the next year will
take place and the AIMS system will be decommissioned.
In 2008/09 the CFS is being prepared for the first time in accordance with the Australian
Accounting Standard 1049 Whole of Government and General Government Financial
Reporting (AASB 1049). The objective of AASB 1049 is to specify requirements for the
financial reporting by whole of government and General Government Sector. It became
applicable for annual reporting periods beginning on or after 1 July 2008. The
introduction of this standard has resulted in no significant changes to the CFS process.
The following diagram summarises the CFS preparation process considered as part of this
review. Detailed CFS preparation process maps are provided in Appendix G of this
report.
Prepare
Consolidation Adjust and Publish
Input Capture QA consolidated
calculations aggregate statements
statements
and
Column
Reports
Diagram 1: The Whole of Government (WoG) Consolidated Financial Statements (CFS) comprise
the sum of General Government (GG), Public Finance Corporations (PFC) and Public Non-Finance
Corporations (PNFC).
4. Summary of findings
Our work has identified that the controls originally identified in the 2003/04 audit
continue to be in place and operating as intended, however one opportunity for
improvement has been identified. This finding relates to:
a back-up of the data of the AIMS system is occurring on a nightly basis, however
there is currently no confirmation that these backups are occurring and are
complete.
Overall, Internal Audit considers that the controls identified in 2003-04 remain adequate
and appropriate for today's operating environment. Business requirements in terms of
accuracy and timeliness of the preparation of the CFS remain comparable, whilst the
observed stability and robustness of the process and its controls have in aggregate
improved each successive year of review.
It is worth noting that the scheduled replacement of the legacy AIMS system with CBMS
for next year's CFS process will require a re-evaluation and re-mapping of the risks and
controls for the updated aspects of the process.
A listing of the key controls over the CFS process is provided in Appendix C of this
report.
David Murphy
Partner
PricewaterhouseCoopers
4 November 2009
The review of Business Continuity Management has been rated a Low priority for
Finance due to the number and nature of the priority issues identified. The sliding scale
diagram that follows explains the system used to rate the overall review.
Appendix B provides more detail on the rating scales used throughout this report.
E Extreme priority
H High priority
M Moderate priority
Observation
A backup of the AIMS database was previously conducted on an hourly basis. However,
these are no longer being supported due to the decommissioning of AIMS. Instead a
backup of the system is occurring on a nightly basis. However, there is no confirmation
received by the System Administrator that the backup process is successful and complete.
It is also acknowledged that on an ad hoc basis backups are tested by loading them into
the AIMS test environment.
Risk
In the event of a major outage or loss or system data, the ability of System Administrators
to recover the most up to date AIMS data may be compromised by missing or incomplete
backups.
Recommendation
Finance will introduce a daily automated email notification produced from the system to
confirm the completion of the backup process. This should be received by the AIMS
System Administrator and reviewed to ensure that no errors were detected.
Further to this a formal schedule of testing backups should be defined and followed.
Priority: Low
Management Response
Management will ensure that a notification and formal testing process of the replacement
to AIMS is put in place for the 2009-10 CFS process.
Approach
We will consult with Financial Reporting Branch (FRB) to validate our proposed
approach to update our understanding of any material changes that have occurred since
our last review that may impact the approach. Specifically we will:
Update our approach as required by our initial consultation.
Review any updated process and control documentation held by the Branch.
review the processes and controls in place to support the accurate and timely
production of the CFS.
Perform process walkthroughs with relevant Finance staff to reconfirm process
flow and presence of key controls.
We will recommend specific and practical updates required to the process and
control documentation held by the Branch.
We will prepare a report for the CFS Audit Committee on our findings and
recommendations.
We will regularly liaise with FRB throughout the review to ensure that any issues
raised are discussed and that progress is known and clear.
Impact involves the consequences of a risk event, and may be in terms of, for example,
financial or human cost, business disruption, environmental damage or damage to
reputation. Each consequence/impact can be rated, in terms of its severity.
Consequence/impact area
Impact Integrity/
Human Business
Financial Outputs reputation and
resources interruption
image
Insignificant Up to First Aid. Loss of service Up to 1% Internal impact
$100K Leave of capability for up to impact on only.
absence. half a day. targets.
Minor Up to Injury to Loss of service Up to 2% Adverse
$500K staff. capability for up to impact on comments in
Temporary two days. targets. local press.
loss of key
staff.
Medium Up to Major injury Loss of service Up to 5% Senate
$5M to staff. capability for up to impact on Estimates.
Permanent one week. targets. Other external
loss of key Interruption of four scrutiny,
staff. hours during budget. ANAO, national
media.
Moderate
damage to
Finances
reputation.
Major Up to Permanent Loss of service Up to 10% Questions in
$20M injury to capability for up to impact on Parliament.
multiple one month. targets. External
staff. Loss of Interruption of two scrutiny.
critical mass days during Budget. Serious public,
of staff. Serious medium term political and/or
business/environmenta media outcry.
l effects.
The intersection of the likelihood and consequence ratings determines the overall inherent
risk rating as shown in the table below.
Impact
From this, a level of inherent risk can be determined using the table below.
Rating* Description
Excellent Controls have reduced the level of risk to an acceptable level (designed
Satisfactory
Residual risk is the level of risk faced after considering the controls in place. Residual
risks are rated on the same likelihood and consequence/impact ratings as inherent risks
above but are then considered in conjunction with the adequacy of controls. Based on the
level of residual risk, management can prioritise the allocation of resources to address
these risks through mitigating actions or investments in improving controls. Or areas
where management should continue to test controls where residual risks are low, but
without the controls, inherent risk would be high that is, areas where controls are
critical, as illustrated in the following diagram:
Extreme
Control critical - control is adequate but
Active CC critical due to high inherent risks;
Control
Management continued monitoring of controls required.
Critical
(Extreme priority) Active management - extreme priority.
Inherent risk rating
Satisfactory Unsatisfactory
Control rating
CS3 Management exception All statements are reviewed by the Branch Head of the
reporting and oversight Financial Reporting Branch, the Division Head of the
Financial Reporting and Cash Management Division, the
The CFS creation process and the
General Manager of the Financial Management Group and the
final statements are not subject to
CFS Audit Committee prior to publication.
an appropriate level of
management review prior to An analysis of movements between the current statements and
publishing. prior year and budget is also provided to assist management
with their review of the draft financial statements.
All journals are signed off by CFS team member and reviewed
by CFS Manager and Finance Team Leader.
CS4 Succession planning The risk has been identified by management and appropriate
measures have been implemented to address the risk going
The CFS production process is
forward including having some redundancy in the team and
highly manual and complex and
providing training to a number of staff. Finance has contracted
therefore relies heavily on
support arrangements to assist in the preparation of current
individuals with detailed
and future CFS.
knowledge. Loss of key team
members is likely to reduce
Finances ability to produce the
CFS in a timely manner to an
acceptable standard.
CS7 Version control of spreadsheet Controls such as directory structures and naming conventions
systems and templates are in place.
Incorrect versions of core CFS A spreadsheet inventory is maintained that describes the
components will be used thereby purpose, location, current version and dependencies relevant
introducing data inaccuracies into to each spreadsheet component in the system.
the CFS process.
CS8 System and procedure System documentation is maintained, including coverage of
documentation the following areas:
Robust procedure and system - system overview, objective and purpose
documentation does not exist
- system technical and functional design including
potentially leading to:
dependencies and linkages
- over-reliance on key team
members - documentation of business rules including detailed
- important systems knowledge formulas, macros and calculations.
not being captured within the - separate user manuals for use of the Cpack and AIMS by
organisation agencies.
- increased difficulty in
Process documentation is maintained including coverage of
knowledge transfer to new team
members detailed procedure guidelines for all CFS processes.
- increased difficulty in making
accurate changes to the system
due to lack of documentation of
system functionality and
linkages.
CS13 AIMS validation Automated AIMS system validation checks are performed
when the data is in the temporary holding database called
The agency data uploaded by
Working Data 1. These validation checks must pass to permit
Finance from the Cpack into
transfer of the data into the Working Data 2 database. Only
AIMS is inaccurate, incomplete,
selected members of the CFS team are authorised to transfer
invalid or subject to unauthorised
data in to Working Data 2. Any outstanding variances are
access.
further investigated in the Analytical Workbook (refer CS15
Accuracy and completeness of AIMS data inputs and
outputs below).
CS14 Integrity of AIMS data AIMS uses two logically separated databases for current year
agency data. These are Working Data 1 and Working Data 2.
Working Data 2 is vulnerable to
No changes are made directly to Working Data 2. All changes
reductions in integrity through
are first made to Working Data 1 then uploaded to Working
invalid data changes or data
Data 2 through the validation checks and authorisation
corruption.
process.
CS16 Official Public Account A reconciliation is performed between the ACM report and the
reconciliation (General agency financial statements.
Government only)
Agency reported transfers to and
from the Official Public Account
may not agree to ACM data.
CS17 Consolidation journals The following controls are in place over consolidation
journals:
Consolidation journals are
inaccurate, incomplete, invalid or - a full audit trail is maintained of all adjustments and journals
not subject to appropriate
- all journals are compared to prior year journals for
approval.
completeness. Checks are in place to establish any
additional journals required in the current year
- the sum of consolidation adjustments and journals for each
account is reconciled to the adjustment entity in AIMS. The
adjustment entities are consolidation entities in AIMS that
holds the sum of all consolidation adjustments and journals.
It is included in the final aggregation process that is used to
produce the consolidated balances
- management review any variances identified by the
automated reconciliation between the Journal workbook and
the adjustment entity
- all journals are signed off by CFS team member and reviewed
by CFS Manager and Finance Team Leader.
CS19 Cash flow statement data The master cash flow statement is linked to source data and
contains variance checks between the Cash Flow and the Cash
Cash flow statement data is
Flow reconciliation and relevant notes.
incomplete, inaccurate or invalid.
The consolidated cash flow statement is derived from the
consolidated operating statement and balance sheet. This
statement is then updated for additional cash flow statement
journals identified during the check against each agencies
audited cash flow statements.
CS20 Reconciliation of WoG Balance sheet and operating statements in the master Excel
consolidated financial templates are stored in AIMS and retrieved directly into the
statements statements. This information is also retrieved in its
disaggregated form from AIMS into individual notes tabs in
The WOG consolidated financial
the spreadsheet. The disaggregated total is reconciled to the
statements in the Excel
total figure in AIMS to ensure that all of the notes are being
spreadsheets does not agree to that
grossed up into the total.
stored in AIMS Working Data 2.
Variances may be due to system
input/output errors.
CS21 Notes to the WoG financial The notes to the financial statements are consolidated using
statements the same methodology as consolidation of the face statements.
Therefore the key controls are:
Notes to the WoG financial
statements are inaccurate, - Cpack validations
incomplete or invalid.
- AIMS validations
- agreement to agencys audited financial statements
- management review and authorisation of consolidations
journals.
CS22 Narrative notes to the WoG The narrative notes to the financial statements are
financial statements consolidated manually. The key control over this process is
agreement of the consolidated note to each agencys audited
Notes to the WoG financial
financial statements by a person independent of the Note 1
statements are inaccurate,
consolidation process.
incomplete or invalid.
Other narrative notes go through a CFS teams own three tier
review process.
The following work plan details the steps we will perform in reviewing the systems,
processes and controls in preparing the 2008/09 Consolidated Financial Statements.
1. Review existing process maps (documented in 2003) that describe the CFS
preparation process.
2. Perform process walkthroughs with relevant Finance staff to reconfirm process flow
and the presence of key controls. Based on the content of the 2003 process maps, we
will perform our walkthrough on the following processes:
a. Preparation of CFS Plan, CPacks and Templates, including:
i. Chart of Accounts update
ii. CPack update
iii. Preparation of shell financial statements & update Excel templates.
b. Preparation of Agency Cash Activity Reports, including ACM extract to Excel.
c. Validation/QA of GG, PFC and PNFC Annual Statements, including:
i. Upload of CPack and Small Agency statements into AIMS WD1,
ii. Validate data through AIMS WD2
iii. Extraction of agency statements from AIMS,
iv. Download of AIMS information into Analytical Workbook
v. Reconciliation of workbooks with ACM
vi. QA of Agency Financial Statements.
d. Preparation of GG, PFC and PNFC Consolidated Annual Statements, including:
i. Preparation of consolidation journals
ii. Execution of aggregation scripts to update AIMS WD2
iii. Download of consolidated data from AIMS WD2 into spreadsheets
iv. Download of consolidated data into Cash flow model, review of Analytical
v. Workbooks and preparation of cash flow adjustments
vi. Preparation of cash flow statement
vii. Allocation of elimination by functions in Function Allocation Workbook.
e. Preparation of WoG Annual Statements & Comments, including:
i. Preparation of consolidation journals
ii. Execution of aggregation scripts to update AIMS WD2
iii. Download of consolidated data into Excel spreadsheets
iv. Review of Analytical Workbooks and preparation of cash flow adjustments
v. Preparation of consolidated cash flow statement
vi. Allocation of elimination by functions
vii. Execution of aggregation scripts to update AIMS WD2
viii. Retrieval of functional data and production of AAS31 CFS
ix. Extraction of financial note data from AIMS WD2
x. Preparation of financial and narrative notes.
3. Review the controls map delivered in our 2003/04 review that describes and links the
identified controls with the existing CFS preparation process maps. We will update
Name Role
We confirmed the process flow and understanding of key controls through interviews with Shane Jasprizza and Jenny Morris (Finance
contractor). We also interviewed Denise Rambow and Simon Vellnagel-Dunn (Finance) to confirm processes and controls
surrounding AIMS.
The symbol on the diagrams refers to a key control that was identified during our work. A key control is any factor that plays an
important role in managing risk inherent in the process. The absence or ineffective operation of a key control will give rise to a
reportable control weakness. These controls are listed in the sub-process descriptions below and are also described in more detail in
Appendix A of this report.
The x symbol indicates an internal audit finding that may be either a control weakness or a process improvement suggestion. Note
that one process improvement has been identified in the course of this review.
Central
Section 55 Systems &
FMA Act
x
Data Stores
Preparation of Update Annual CS1 CS4 CS5 CS6 CS7 CS8 CS9
Preparation of letter to CFOs Chart of Accounts
AIMS
CFS Plan advising CFS to send to
agencies Actuals
timetable
CFS Shell
Financial
Statements
Elimination
Variance CashFlow
Agency QA Adjustment and Journal
Analysis Derivation
workbook Elimination Workbook
Workbook Workbook
Workbook
The following table summarises the key controls identified in Phase A, No review findings were identified in this process.
the preparation of core CFS components.
Control
Control description
reference
Succession planning
CS4
Access control
CS6
CS1
CS1 0 ACM receipts, Run queries to
6 ACM payments & ACM MS format
transactions Access transactions by
database Agency
Cash Draw Down
Preparation of OPA
Statements
The following table summarises the key controls identified in Phase B, No review findings were identified in this process.
the preparation of agency cash activity reports.
Control
Control description
reference
Agency Financial Reporting Central Systems & Data Stores Financial Reporting
CW9
Upload Cpack Preparation of
AgencyCpack into AIMS and Agency Cash CW12
authorise AIMS (Actuals) Activity Reports
Material audit cleared (WD1)
Material
financialaudit cleared
statements
financial
Submittestatements
submitted
via CPack
via CPack
CS17
CS16 CW13
d
CS2 CS14
CS13
Automated
system
validations
CS15
CS14 Extract Agency
Statements
Analytical
Workbooks
CS11 performed
CS13
CS12 CS12
CS12 Annual Final Budget
Outcome (FBO)
Reporting
Reconcile
Pass No Agency
System
validations Statements to
CAMM
ACM
Yes
CS16
CS15
QA of Agency
Statements
Annual Financial
validated by AIMS (Actuals) Statements
AIMS Validated
(WD2)
Annual CFS
Reporting (Previou
(Previouss
AIMS (Actuals)
Year)
(AIMS) Yr-1
The following table summarises the key controls identified in Phase C, No review findings were identified in this process.
the validation and quality assurance of annual financial statements.
Control
Control description
reference
Cpack submission
CS11
Agency input
CS12
AIMS validation
CS13
Budget Estimates
Update
CS3 CS19
CS18
Preparation of AIMS
Agency Cash
Activity Reports
CS3 CS18
CS17 CS20
CS19 Actuals
Preparation of Prep. of
consolidated
consolidatedAASB
AAS
Small Agency 31 Tables
1049 Tables
Statements (incl CF)
Validation & QA of Annual
Financial Statements
Validation & QA of GG
Agency Statements
Annual FBO
(Small Agency)
Reporting
QA of Agency
Annual Financial
Statements
Preparation of WoG
Annual Statements &
comments
The following table summarises the key controls identified in Phase D, No review findings were identified in this process.
preparation of annual financial statements by sector (GG, PFC, PNFC).
Control
Control description
reference
Consolidation journals
CS17
AIMS
Actuals
CS21
CS20 CS22 CS22
CS21 CS23
Preparation of
Preparation of Preparation of
Consolidated
4 Notes to the Commentary
AASB
AAS 311049
WoG
WOG Tables Accounts and Preface
Tables
Preparation Annual
Financial Statements
Consolidated
Consolidated CFS
AASB 1049 CFS Notes to the
AAS 31 Financial Commentary and
Financial Accounts
Statements
Statements Preface
CS24
CS23
CFS Publication
(Aggregate)
The following table summarises the key controls identified in Phase E, preparation of
Whole of Government annual financial statements and commentary.
Control
Control description
reference
CFS publication
CS23
Summary of findings