Foi-11-38-Review of Consolidated Financial Statements Controls 2009 PDF

Department of Finance and Deregulation
Internal Audit Report
Review of Consolidated Financial Statements Controls

2009
Reference: A101/ P002

Period of review: September - October 2009
Date of final report: November 2009
Review Sponsor: Tim Youngberry, A/g General Manager, Financial Management Group
Circulation: Matthew King, Branch Manager, Financial Reporting Branch
Greg Feeney, A/g Division Manager, Financial Reporting and Cash
Management Division
Audit Committee
This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance and
Deregulations internal use and benefit and may not be relied on by any other party. This report may not be
distributed to, discussed with, or otherwise disclosed to any other party without PricewaterhouseCoopers prior
written consent. PricewaterhouseCoopers accept no liability or responsibility to any other party who gains access to
this report.
Rating for Audit Committee Reporting:

Low Exposure
Liability limited by a scheme approved under Professional Standards Legislation

Contents
1. Introduction.......................................................................................................................................... 3
2. Background .......................................................................................................................................... 3
3. Scope ..................................................................................................................................................... 5
4. Summary of findings............................................................................................................................ 5
5. Summary of work performed ............................................................................................................. 7
6. Findings and agreed management actions ......................................................................................... 8
Appendix A Internal Audit Review Commonwealth Financial Statement (CFS) Process Review
Scope of Work................................................................................................................................................ 9
Appendix B Review priority and control rating keys............................................................................ 10
Appendix C CFS Key Controls Framework .......................................................................................... 13
Appendix D Detailed Approach .............................................................................................................. 19
Appendix E Key personnel interviewed.................................................................................................. 21
Appendix F Key documentation reviewed.............................................................................................. 22
Appendix G - Process Maps........................................................................................................................ 24
Glossary
Priority ratings have been assigned to issues raised in this report as follows:
Rating scale for individual findings

Active management required as an extreme priority. Controls are not adequate to address the associated
A
risk.
B Active management required as a high priority. Controls are not adequate to address the associated risk.
Active management required as a moderate priority. Controls are not adequate to address the associated
C
risk.
BPI Business Process Improvement opportunity. A suggested improvement in efficiency or better practice.
Rating scale for overall report

Control is inadequate Control is adequate
E H M L CC
Control Critical
Extreme priority High priority Moderate priority Low priority
Test controls regularly
Note: The overall review rating is the residual exposure to Finance after consideration of all findings
highlighted in this report. More detail on the rating scales used throughout this report can be found at
Appendix B.
Limitations
Our Internal Audit work was limited to that described in this report and was performed in accordance with International
Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors. It did not constitute
an examination or a review in accordance with generally accepted auditing standards or assurance standards.
Accordingly, we provide no opinion or other form of assurance with regard to our work or the information upon which
our work was based. We did not audit or otherwise verify the information supplied to us in connection with this
engagement, except to the extent specified in this report or our approved objectives and scope.

Review of Business Continuity Management
Page 2 of 34
1. Introduction
As part of the Internal Audit Work Plan for 2008/09, PricewaterhouseCoopers (PwC)
reviewed the Internal Controls Framework surrounding the Consolidated Financial
Statements (CFS) process.
The purpose of the review is to check the integrity of processes and controls in place
which support the accuracy and timely production of the CFS.
The review of the Internal Controls Framework focused on the following key areas:
preparation of core CFS components
preparation of Agency Cash Activity reports
validation and quality assurance of annual financial statements
preparation of annual financial statements by sector
preparation of Whole of Government annual financial statements and commentary.
Note: no Administrative Arrangement Orders (AAOs) to restructure the General
Government Agencies were issued during the financial year under review, therefore no
additional supplementary controls testing for the AAO process was required.
A copy of the CFS key controls framework is attached at Appendix C.
2. Background
Under Section 55 of the Financial Management and Accountability Act 1997, the
Minister for Finance and Deregulation is required to prepare the Consolidated Financial
Statements (CFS) for the Australian Government.
The CFS are prepared in accordance with the Australian Accounting Standards and all
other financial reporting regulatory requirements and reflects a consolidation of the
financial statements of all Commonwealth controlled reporting entities.
These annual statements are prepared on behalf of the Minister of Finance and
Deregulation by the Financial Management Branch of the Department of Finance and
Deregulation (Finance) as soon as practicable following the end of the financial year.
These financial statements are audited by the Australian National Audit Office.
The process is currently conducted using the AIMS system. However, it is expected that a
transition to the Central Budge Management System (CBMS) during the next year will
take place and the AIMS system will be decommissioned.
In 2008/09 the CFS is being prepared for the first time in accordance with the Australian
Accounting Standard 1049 Whole of Government and General Government Financial
Reporting (AASB 1049). The objective of AASB 1049 is to specify requirements for the
financial reporting by whole of government and General Government Sector. It became
applicable for annual reporting periods beginning on or after 1 July 2008. The
introduction of this standard has resulted in no significant changes to the CFS process.

Review of Consolidated Financial Statements Controls 2009
Page 3 of 34
Internal Audit first performed a controls based agreed-upon procedures review to assist
Finance in preparing the CFS for the 2003/04 financial year. This identified a number of
process and control improvements for CFS preparation in future years. Internal Audit
have since performed controls based agreed-upon procedures to assist Finance in
preparing the CFS for each of the subsequent financial years. The following table
illustrates the number of control weaknesses outstanding at the end of each annual review
and their rating:
Year of review Number of priority issues

A B C
Number of control weaknesses 0 6 6

identified in 2003 review
unresolved in 2005 review
The following diagram summarises the CFS preparation process considered as part of this
review. Detailed CFS preparation process maps are provided in Appendix G of this
report.
Prepare
Consolidation Adjust and Publish
Input Capture QA consolidated
calculations aggregate statements
statements
MS Excel AIMS MS Excel MS Excel AIMS MS Excel MS Word

Journal
Cpack from Working and GG, PFC, P&L, B/S, P&L, B/S,
agencies Data 1 elimination PNFC Derived Derived
and workbooks Cash Flow Cash Flow
Working and Notes and Notes
Data 2 Analytical GG, PFC, for GG, for GG,
Workbooks PNFC PFC, PNFC PFC, PNFC
and
Column
Reports
MS Excel AIMS MS Excel MS Word

Journal
and WoG P&L, B/S, P&L, B/S,
elimination Derived Derived
workbooks Cash Flow Cash Flow
and Notes and Notes
WoG for WoG for WoG
Diagram 1: The Whole of Government (WoG) Consolidated Financial Statements (CFS) comprise
the sum of General Government (GG), Public Finance Corporations (PFC) and Public Non-Finance
Corporations (PNFC).

Page 4 of 34
3. Scope
A copy of the approved objectives and scope of this review is attached at Appendix A.
Specific limitations to the scope of this review are detailed below:
controls over business continuity and contingency arrangements were not within
the scope of agreed-upon procedures for this review.
4. Summary of findings
Our work has identified that the controls originally identified in the 2003/04 audit
continue to be in place and operating as intended, however one opportunity for
improvement has been identified. This finding relates to:
a back-up of the data of the AIMS system is occurring on a nightly basis, however
there is currently no confirmation that these backups are occurring and are
complete.
Overall, Internal Audit considers that the controls identified in 2003-04 remain adequate
and appropriate for today's operating environment. Business requirements in terms of
accuracy and timeliness of the preparation of the CFS remain comparable, whilst the
observed stability and robustness of the process and its controls have in aggregate
improved each successive year of review.
It is worth noting that the scheduled replacement of the legacy AIMS system with CBMS
for next year's CFS process will require a re-evaluation and re-mapping of the risks and
controls for the updated aspects of the process.
A listing of the key controls over the CFS process is provided in Appendix C of this
report.
David Murphy
Partner
PricewaterhouseCoopers
4 November 2009

Page 5 of 34
Summary of ratings and issues
The review of Business Continuity Management has been rated a Low priority for
Finance due to the number and nature of the priority issues identified. The sliding scale
diagram that follows explains the system used to rate the overall review.
Appendix B provides more detail on the rating scales used throughout this report.
E Extreme priority
H High priority
M Moderate priority
This review L Low exposure
Control Critical - Test controls regularly

C
Number of priority issues

A B C BPI
0 0 1 0

Page 6 of 34
5. Summary of work performed
A summary of the work performed against in reviewing the processes and controls over
the preparation of the 2008/09 CFS is outlined in the table below.
Ref Summary of work performed

1 Review existing process maps (documented in 2003) that describe the CFS
preparation process.
2 Perform process walkthroughs with relevant Finance staff to reconfirm process
flow and the presence of key controls.
3 Review the controls map delivered in our 2003/04 review that describes and links
the identified controls with the existing CFS preparation process maps. We will
update these control maps for changes in processes of key controls made since our
2003/04 review.
4 Execute sample based audit tests (previously developed as part of 2003/04 review)
to confirm the effectiveness of controls.
5 Conclude on the effectiveness of controls considered key to the CFS preparation
process in the report.
The detailed approach is presented in Appendix D.

Page 7 of 34
6. Findings and agreed management actions
6.1. Notification of backups of the AIMS data being performed (CS9)
Observation
A backup of the AIMS database was previously conducted on an hourly basis. However,
these are no longer being supported due to the decommissioning of AIMS. Instead a
backup of the system is occurring on a nightly basis. However, there is no confirmation
received by the System Administrator that the backup process is successful and complete.
It is also acknowledged that on an ad hoc basis backups are tested by loading them into
the AIMS test environment.
Risk
In the event of a major outage or loss or system data, the ability of System Administrators
to recover the most up to date AIMS data may be compromised by missing or incomplete
backups.
Recommendation
Finance will introduce a daily automated email notification produced from the system to
confirm the completion of the backup process. This should be received by the AIMS
System Administrator and reviewed to ensure that no errors were detected.
Further to this a formal schedule of testing backups should be defined and followed.
Priority: Low
Management Response
Management agrees to the recommendation. However, email confirmation of the backup

is not available. The AIMS System Administrator will review the TSM reports on a daily
basis to confirm successful completion.
AIMS will be decommissioned subsequent to production of the Consolidated Financial

Statements and the data will be archived. There is no requirement to put in place a formal
schedule of testing the backup.
Management will ensure that a notification and formal testing process of the replacement
to AIMS is put in place for the 2009-10 CFS process.
Responsibility: Matthew King, Branch Manager, Financial Reporting Branch

Implementation date: 31 December 2009

Page 8 of 34
Appendix A Internal Audit Review Commonwealth Financial
Statement (CFS) Process Review Scope of Work
Objective
The objective is to prepare a report annually to the CFS Audit Committee reviewing the
processes within Finance for the preparation of the Commonwealths annual consolidated
financial statements including any difficulties encountered and suggesting improvements.
Approach
We will consult with Financial Reporting Branch (FRB) to validate our proposed
approach to update our understanding of any material changes that have occurred since
our last review that may impact the approach. Specifically we will:
Update our approach as required by our initial consultation.
Review any updated process and control documentation held by the Branch.
Through discussion, observation and review of evidence we will document and
review the processes and controls in place to support the accurate and timely
production of the CFS.
Perform process walkthroughs with relevant Finance staff to reconfirm process
flow and presence of key controls.
We will recommend specific and practical updates required to the process and
control documentation held by the Branch.
We will prepare a report for the CFS Audit Committee on our findings and
recommendations.
We will regularly liaise with FRB throughout the review to ensure that any issues
raised are discussed and that progress is known and clear.
Resources Seniority and Skills of proposed personnel

The review of the CFS processes and controls requires specialist knowledge that PwC is
well place to provide the Department. We have undertaken similar reviews for the
Department for each of the last five years and propose a team that understands the
processes, is well known and respected by the CFS team and has contributed significantly
to the improvement of process and controls over that time.
Staff Audit Days*
Partner 2
Director 3
Senior Consultant 8
Appropriate Consultant 10
Total 23
*Our approach is based upon the current systems and processes that Finance utilise to
produce the CFS. We understand that a new system and processes are currently being
developed with an implementation timeframe that is yet to be determined. We anticipate
that the first year of this review under the new system and process would require
approximately 7 days more effort.

Page 9 of 34
Appendix B Review priority and control rating keys
The keys used in this report are based on the Finance Risk Management Framework for
inherent risks. Likelihood involves an assessment of the probability or frequency of
occurrence of a risk event.
Likelihood Likelihood of occurrence

Rare The event type would occur only in exceptional circumstances and has not occurred
within Commonwealth Government.
Unlikely The event type could occur but has not occurred in Finance before.
Average The event type might occur or has occurred at least once within Finance.
Likely The event type will probably occur or has occurred in Finance within the last two
years.
Almost certain The event type has occurred within the last 12 months or is expected to occur.
Impact involves the consequences of a risk event, and may be in terms of, for example,
financial or human cost, business disruption, environmental damage or damage to
reputation. Each consequence/impact can be rated, in terms of its severity.
Consequence/impact area
Impact Integrity/
Human Business
Financial Outputs reputation and
resources interruption
image
Insignificant Up to First Aid. Loss of service Up to 1% Internal impact
$100K Leave of capability for up to impact on only.
absence. half a day. targets.
Minor Up to Injury to Loss of service Up to 2% Adverse
$500K staff. capability for up to impact on comments in
Temporary two days. targets. local press.
loss of key
staff.
Medium Up to Major injury Loss of service Up to 5% Senate
$5M to staff. capability for up to impact on Estimates.
Permanent one week. targets. Other external
loss of key Interruption of four scrutiny,
staff. hours during budget. ANAO, national
media.
Moderate
damage to
Finances
reputation.
Major Up to Permanent Loss of service Up to 10% Questions in
$20M injury to capability for up to impact on Parliament.
multiple one month. targets. External
staff. Loss of Interruption of two scrutiny.
critical mass days during Budget. Serious public,
of staff. Serious medium term political and/or
business/environmenta media outcry.
l effects.

Page 10 of 34
Consequence/impact area
Impact Integrity/
Human Business
Financial Outputs reputation and
resources interruption
image
Extreme Above Multiple Loss of service Greater than Royal
$100M. deaths of capability for more 10% impact Commission.
staff. Loss of than one month. on targets. Judicial inquiry.
critical mass Inability to get Budget Other form of
of key staff. completed in Parliamentary
timeframe. Very inquiry.
serious long term Possible
effects on litigation. Very
Departments serious
business. legislative non
compliance.
The intersection of the likelihood and consequence ratings determines the overall inherent
risk rating as shown in the table below.
Impact
Likelihood Extreme Major Medium Minor Insignificant
Almost certain Extreme Extreme High Significant Moderate
Likely Extreme High Significant Moderate Low
Average High High Significant Moderate Low
Unlikely High Significant Moderate Low Low
Rare Significant Moderate Low Low Low
From this, a level of inherent risk can be determined using the table below.
Level of risk Description
Extreme Immediate action required. Move resources from other areas.
High Action required. Prioritise resources to complete as soon as possible.
Action required as soon as resources become available, include as a priority on work

Significant
plans
No immediate action required but to be scheduled for action as part of program or

Moderate
business plan.
Low No action required but monitor for worsening of the risk.

Page 11 of 34
We then assess the effectiveness of controls that management have in place to manage the
risk according to the table below.
Rating* Description
Excellent Controls have reduced the level of risk to an acceptable level (designed
Satisfactory
appropriately). Controls are in operation, applied consistently,

documented, communicated and monitored.
Good Controls have reduced the level of risk to an acceptable level. Controls
are in operation, applied consistently, documented, communicated and
monitored although minor improvements could be made.
Incomplete Control is designed to only partially address the risk. Control
Unsatisfactory
documentation/communication and/or application require improvement.

Unsatisfactory Control is poorly designed and does not fully address the risk.
Documentation/communication and/or application need improvement.
Poor Control is poorly designed and does not address the risk. Both control
documentation/communication and application need improvement.
Residual risk is the level of risk faced after considering the controls in place. Residual
risks are rated on the same likelihood and consequence/impact ratings as inherent risks
above but are then considered in conjunction with the adequacy of controls. Based on the
level of residual risk, management can prioritise the allocation of resources to address
these risks through mitigating actions or investments in improving controls. Or areas
where management should continue to test controls where residual risks are low, but
without the controls, inherent risk would be high that is, areas where controls are
critical, as illustrated in the following diagram:
Extreme
Control critical - control is adequate but
Active CC critical due to high inherent risks;
Control
Management continued monitoring of controls required.
Critical
(Extreme priority) Active management - extreme priority.
Inherent risk rating
E Controls not adequate; risks exist which

require urgent management.
Active
Likelihood
Active management - high priority.

Management H Controls not adequate; requires active
(High priority) management.
No Major Periodic monitoring - moderate priority.
Concern M Controls not strong but risk impact is not

Periodic high. Consider improving control or
Monitoring monitoring to ensure the residual risk
(Moderate priority) rating does not increase over time.
Low priority. Control is adequate. Consider
L excess or redundant controls.
Low
Satisfactory Unsatisfactory
Control rating

Page 12 of 34
Appendix C CFS Key Controls Framework
The following table describes the risks that are present in the CFS process and the key
controls in place addressing each risk. A key control is considered to be one that if absent
could significantly affect the completeness, accuracy and validity of the annual CFS
reporting process.
Ref Risk Key controls

CS1 CFS project plan A project plan is prepared for the annual CFS process which
provides a framework around the process, including:
The CFS process is performed in
an unplanned and unstructured - timeframes
manner potentially leading to:
- details of procedures expected to be performed
- timeframes not being met
- poor quality of outcome - allocation of resources and responsibilities
- key controls circumvented - documentation requirements.
- key components of the process
incomplete or not undertaken.
CS2 CFS tracking database The preparation team have a database in which they record the
dates and details of key communication and file transfer
Communication with agencies is
receipt with agencies. This database also keeps a record of
not recorded or followed up on a
which Quality Assurance (QA) checklists have been
timely basis. This may hinder
completed.
Finances ability to report on the
reporting timeliness statistics Analytical workbooks are also maintained for each agency
required under the BEFR which includes provision for the storage of all
implementation. communications with agencies.
CS3 Management exception All statements are reviewed by the Branch Head of the
reporting and oversight Financial Reporting Branch, the Division Head of the
Financial Reporting and Cash Management Division, the
The CFS creation process and the
General Manager of the Financial Management Group and the
final statements are not subject to
CFS Audit Committee prior to publication.
an appropriate level of
management review prior to An analysis of movements between the current statements and
publishing. prior year and budget is also provided to assist management
with their review of the draft financial statements.
All journals are signed off by CFS team member and reviewed
by CFS Manager and Finance Team Leader.
CS4 Succession planning The risk has been identified by management and appropriate
measures have been implemented to address the risk going
The CFS production process is
forward including having some redundancy in the team and
highly manual and complex and
providing training to a number of staff. Finance has contracted
therefore relies heavily on
support arrangements to assist in the preparation of current
individuals with detailed
and future CFS.
knowledge. Loss of key team
members is likely to reduce
Finances ability to produce the
CFS in a timely manner to an
acceptable standard.

Page 13 of 34
CS5 Change control over Changes to the chart of accounts in AIMS are subject to
spreadsheet components change control procedures. These changes would be replicated
in the Cpacks to maintain consistency with AIMS.
Changes to the CFS spreadsheets
are not subject to robust change The process for making changes to the Cpacks is documented.
controls which could lead to
A list is produced each year during the Chart of Accounts
inaccurate or unauthorised
review that identifies which templates in the Cpack will need
changes to CFS components such
to be changed for the current year.
as:
- Chart of Accounts A change management system has been implemented which
- Cpack tracks changes in a spreadsheet. Finance management
provides approval for each change.
- Cpack manual
- Shell CFS financial statements The CFS Audit Committee is advised of changes to the
- Excel templates such as the accounting standards, and how this impacts on the CFS,
Journal workbook, elimination including how the information will be collated.
workbook and the cash flow
derivation model.
CS6 Access control Finance undertakes regular review of the appropriateness of
access rights to the Finance CFS network folders.
Unauthorised people can access
CFS files on the Treasury and All Cpacks cells except agency input cells are locked and
Finance network drives or make password protected.
changes to the core CFS
Other CFS components such as the Excel spreadsheets are
components.
password protected.
The AIMS system is subject to both smartcard and password
controls.
CS7 Version control of spreadsheet Controls such as directory structures and naming conventions
systems and templates are in place.
Incorrect versions of core CFS A spreadsheet inventory is maintained that describes the
components will be used thereby purpose, location, current version and dependencies relevant
introducing data inaccuracies into to each spreadsheet component in the system.
the CFS process.
CS8 System and procedure System documentation is maintained, including coverage of
documentation the following areas:
Robust procedure and system - system overview, objective and purpose
documentation does not exist
- system technical and functional design including
potentially leading to:
dependencies and linkages
- over-reliance on key team
members - documentation of business rules including detailed
- important systems knowledge formulas, macros and calculations.
not being captured within the - separate user manuals for use of the Cpack and AIMS by
organisation agencies.
- increased difficulty in
Process documentation is maintained including coverage of
knowledge transfer to new team
members detailed procedure guidelines for all CFS processes.
- increased difficulty in making
accurate changes to the system
due to lack of documentation of
system functionality and
linkages.

Page 14 of 34
CS9 Back-up of data and The Finance network drive is backed up on a daily basis.
spreadsheets stored on the Spreadsheets and data are kept on the Finance network drives.
network
Core data and spreadsheet systems
associated with the CFS processes
is stored on the Finance network
drive. There is a risk that this data
and spreadsheet functionality
could be lost.
CS10 ACM extract reconciliation A reconciliation is performed between the Cash Activity
reports and ACM prior to sending the reports to the agencies.
Cash activity reports generated for
each agency do not accurately
reflect the agency data in ACM.
Therefore agencies are reconciling
their own accounts to inaccurate
central data.
CS11 Cpack submission A process of submitting the Cpack through either AIMS Mail
or the use of express post courier is in place to ensure that any
The agency data contained in the
classified information is sent by an appropriately secure
Cpack is modified or viewed by
mechanism.
unauthorised people, intentionally
or unintentionally, while in transit.
CS12 Agency input The Cpack template used to capture agency information has
inbuilt controls, including:
The agency data received by
Finance through the Cpack is - Accounting business rules are enforced prior to submission
inaccurate, incomplete, invalid or to Finance through the inbuilt validation checks
subject to unauthorised access.
- A checklist of quality assurance measures is undertaken to
validate agency information
- All non-input cells are locked and password protected in the
Cpack.
CS13 AIMS validation Automated AIMS system validation checks are performed
when the data is in the temporary holding database called
The agency data uploaded by
Working Data 1. These validation checks must pass to permit
Finance from the Cpack into
transfer of the data into the Working Data 2 database. Only
AIMS is inaccurate, incomplete,
selected members of the CFS team are authorised to transfer
invalid or subject to unauthorised
data in to Working Data 2. Any outstanding variances are
access.
further investigated in the Analytical Workbook (refer CS15
Accuracy and completeness of AIMS data inputs and
outputs below).
CS14 Integrity of AIMS data AIMS uses two logically separated databases for current year
agency data. These are Working Data 1 and Working Data 2.
Working Data 2 is vulnerable to
No changes are made directly to Working Data 2. All changes
reductions in integrity through
are first made to Working Data 1 then uploaded to Working
invalid data changes or data
Data 2 through the validation checks and authorisation
corruption.
process.

Page 15 of 34
CS15 Accuracy and completeness of A reconciliation is performed between the Analytical
AIMS data inputs and outputs Workbooks and the agencys audited financial statements at
the subtotal level.
System input/output errors result
in discrepancies between the The Column Report has inbuilt QA checks that identify
Cpacks and that stored in AIMS discrepancies between AIMS and the spreadsheet on a total
Working Data 2. These errors may account basis.
also cause discrepancies between
Also, a variance analysis is performed on a line by line basis
AIMS and the information
between the Analytical Workbooks and budget estimates and
extracted from AIMS to the
prior years agency data. The Analytical Workbook uses
Analytical Workbooks or Column
formulas and macros to identify material differences (>$10
Reports.
million) which are then followed up to determine if
misclassifications have occurred.
QA checklists over the CFS process are used to ensure that all
processes and related steps for each agency are conducted.
CS16 Official Public Account A reconciliation is performed between the ACM report and the
reconciliation (General agency financial statements.
Government only)
Agency reported transfers to and
from the Official Public Account
may not agree to ACM data.
CS17 Consolidation journals The following controls are in place over consolidation
journals:
Consolidation journals are
inaccurate, incomplete, invalid or - a full audit trail is maintained of all adjustments and journals
not subject to appropriate
- all journals are compared to prior year journals for
approval.
completeness. Checks are in place to establish any
additional journals required in the current year
- the sum of consolidation adjustments and journals for each
account is reconciled to the adjustment entity in AIMS. The
adjustment entities are consolidation entities in AIMS that
holds the sum of all consolidation adjustments and journals.
It is included in the final aggregation process that is used to
produce the consolidated balances
- management review any variances identified by the
automated reconciliation between the Journal workbook and
the adjustment entity
- all journals are signed off by CFS team member and reviewed
by CFS Manager and Finance Team Leader.

Page 16 of 34
CS18 Cash flow statement journals The following controls are in place over consolidation
journals:
Cash flow statement journals are
incomplete, inaccurate, invalid or - a full audit trail of cash flow journals is maintained in the
subject to unauthorised approval. cash flow derivation workbook
- all journals are compared to prior year journals for
completeness. Checks are in place to establish any
additional journals required in the current year
- completeness of cash flow journals is validated by creating
derived cash flow for each individual agency and checking
them against the audited cash flow statement provided by
the agency. Missing material cash flow journals will be
identified during this process and can be added to the master
cash flow statement that is derived from the consolidated
operating statement and balance sheet.
CS19 Cash flow statement data The master cash flow statement is linked to source data and
contains variance checks between the Cash Flow and the Cash
Cash flow statement data is
Flow reconciliation and relevant notes.
incomplete, inaccurate or invalid.
The consolidated cash flow statement is derived from the
consolidated operating statement and balance sheet. This
statement is then updated for additional cash flow statement
journals identified during the check against each agencies
audited cash flow statements.
CS20 Reconciliation of WoG Balance sheet and operating statements in the master Excel
consolidated financial templates are stored in AIMS and retrieved directly into the
statements statements. This information is also retrieved in its
disaggregated form from AIMS into individual notes tabs in
The WOG consolidated financial
the spreadsheet. The disaggregated total is reconciled to the
statements in the Excel
total figure in AIMS to ensure that all of the notes are being
spreadsheets does not agree to that
grossed up into the total.
stored in AIMS Working Data 2.
Variances may be due to system
input/output errors.
CS21 Notes to the WoG financial The notes to the financial statements are consolidated using
statements the same methodology as consolidation of the face statements.
Therefore the key controls are:
Notes to the WoG financial
statements are inaccurate, - Cpack validations
incomplete or invalid.
- AIMS validations
- agreement to agencys audited financial statements
- management review and authorisation of consolidations
journals.
CS22 Narrative notes to the WoG The narrative notes to the financial statements are
financial statements consolidated manually. The key control over this process is
agreement of the consolidated note to each agencys audited
Notes to the WoG financial
financial statements by a person independent of the Note 1
statements are inaccurate,
consolidation process.
incomplete or invalid.
Other narrative notes go through a CFS teams own three tier
review process.

Page 17 of 34
CS23 CFS publication The CFS publication is independently reconciled to supporting
spreadsheets which include a series of automated quality
The CFS publication may be
assurance checks in additional manual checks are also
inaccurate or incomplete.
conducted, these reviews are conducted at all levels
culminating in a final review by the CFS Audit Committee.
Material movements between the current period and the
previous years audited data are investigated and explained to
the Audit Committee.

Page 18 of 34
Appendix D Detailed Approach
The following work plan details the steps we will perform in reviewing the systems,
processes and controls in preparing the 2008/09 Consolidated Financial Statements.
1. Review existing process maps (documented in 2003) that describe the CFS
preparation process.
2. Perform process walkthroughs with relevant Finance staff to reconfirm process flow
and the presence of key controls. Based on the content of the 2003 process maps, we
will perform our walkthrough on the following processes:
a. Preparation of CFS Plan, CPacks and Templates, including:
i. Chart of Accounts update
ii. CPack update
iii. Preparation of shell financial statements & update Excel templates.
b. Preparation of Agency Cash Activity Reports, including ACM extract to Excel.
c. Validation/QA of GG, PFC and PNFC Annual Statements, including:
i. Upload of CPack and Small Agency statements into AIMS WD1,
ii. Validate data through AIMS WD2
iii. Extraction of agency statements from AIMS,
iv. Download of AIMS information into Analytical Workbook
v. Reconciliation of workbooks with ACM
vi. QA of Agency Financial Statements.
d. Preparation of GG, PFC and PNFC Consolidated Annual Statements, including:
i. Preparation of consolidation journals
ii. Execution of aggregation scripts to update AIMS WD2
iii. Download of consolidated data from AIMS WD2 into spreadsheets
iv. Download of consolidated data into Cash flow model, review of Analytical
v. Workbooks and preparation of cash flow adjustments
vi. Preparation of cash flow statement
vii. Allocation of elimination by functions in Function Allocation Workbook.
e. Preparation of WoG Annual Statements & Comments, including:
i. Preparation of consolidation journals
ii. Execution of aggregation scripts to update AIMS WD2
iii. Download of consolidated data into Excel spreadsheets
iv. Review of Analytical Workbooks and preparation of cash flow adjustments
v. Preparation of consolidated cash flow statement
vi. Allocation of elimination by functions
vii. Execution of aggregation scripts to update AIMS WD2
viii. Retrieval of functional data and production of AAS31 CFS
ix. Extraction of financial note data from AIMS WD2
x. Preparation of financial and narrative notes.
3. Review the controls map delivered in our 2003/04 review that describes and links the
identified controls with the existing CFS preparation process maps. We will update

Page 19 of 34
these control maps for changes in processes of key controls made since our 2003/04
review.
a. Execute sample based audit tests (previously developed as part of 2003/04
review) to confirm the effectiveness of controls.
b. Conclude on the effectiveness of controls considered key to the CFS preparation
process in the report.

Page 20 of 34
Appendix E Key personnel interviewed
Name Role
Matthew King Branch Manager, Financial Reporting Branch
Tom Maloney Finance Contractor (KPMG)
Denise Rambow Team Leader, Financial Reporting Branch
Simon Vellnagel-Dunn AIMS System Administrator, FeSG
Shane Jasprizza Finance Contractor (KPMG)
Jenny Morris Finance Contractor (KPMG)

Page 21 of 34
Appendix F Key documentation reviewed
Document Version Dated Source

CFS Process Diagrams (KPMG) 26/05/2009 Denise Rambow
CFS 2008-09 Production Plan 1.3 1/06/2009 Denise Rambow
Internal Audit Report Comment on CFS 2008 22/05/2009 Matthew King
09 Production Plan
CFS 2008-09 Risk Management Plan 1.1 18/06/2009 Denise Rambow
Internal Audit Report Comment on CFS 2008 1/06/2009 Matthew King
09 Risk Management Plan
CFS 2008-09 Qualitative Risk Assessment 15/04/2009 Denise Rambow
Matrix
AIMS User Manual - Table of contents 12/2003 Denise Rambow
AIMS User Manual - Table of contents (small 31/07/2002 Denise Rambow
agencies)
Secure Remote Access Services (SRAS) User 2.0 16/11/2004 Denise Rambow
Guide
File Catalogue - Change Register and File Log 28/08/2009 Denise Rambow
2008-09
Change Request Forms (signed) Denise Rambow
Spreadsheet Change Register 2008-09 14/09/2009 Denise Rambow
2008-09 Chart of Accounts listing report 9/09/2009 Denise Rambow
2008-09 Revised AIMS Variable Dimensions Jenny Morris
Material Agencies CPack Navigation Manual 22/06/2009 Denise Rambow
CFS Accounting Policies & Procedures 01 to 17 29/6/2009 Denise Rambow
Effective Folder Permissions Report (extract) 15/09/2009 Denise Rambow
QA / Analytical Review Checklist template Denise Rambow
QA / Analytical Review Checklists 2008-09 Jenny Morris
ACS (Departmental & Administered)
AFP (Departmental & Administered)
ASIC (Departmental & Administered)
DH&A (Departmental & Administered)
DEWHA (Departmental & Administered)
DIAC (Departmental & Administered)
DPS (Departmental & Administered)
DVA (Departmental & Administered)
Infrastructure (Departmental &
Administered)
Medicare Australia (Departmental)
Financial Statement QA Checklist Jenny Morris
AFP (Departmental & Administered)
AusAID (Departmental & Administered)
DFAT (Departmental & Administered)
All Agencies ACM Variance Report Jenny Morris
Spreadsheet Procedures Jenny Morris

Page 22 of 34
Document Version Dated Source
Elimination Journal and Function Allocation
2008-09
Cash Flow Analysis spreadsheet 2008-09
Balanced Journal Spreadsheets Jenny Morris
AFP (Departmental)
AusAID (Departmental & Administered)
DFAT (Departmental & Administered)
AIMS Primary Statement Validations Jenny Morris
ACS (Departmental)
AOFM (Departmental)
DoFD (Departmental)
DPS (Departmental)
NLA (Departmental)

Page 23 of 34
Appendix G - Process Maps
We have used CFS process maps provided by the CFS team to summarise the CFS process into 5 flow diagrams by combining the
Public Non-Financial Corporations (PNFC), Public Financial Corporations (PFC) and General Government (GG) sector processes into
single diagrams. The processes, systems and controls surrounding the PNFC, PFC and GG are essentially the same.
We confirmed the process flow and understanding of key controls through interviews with Shane Jasprizza and Jenny Morris (Finance
contractor). We also interviewed Denise Rambow and Simon Vellnagel-Dunn (Finance) to confirm processes and controls
surrounding AIMS.
Audit symbols used in the sub-process diagrams
The symbol on the diagrams refers to a key control that was identified during our work. A key control is any factor that plays an
important role in managing risk inherent in the process. The absence or ineffective operation of a key control will give rise to a
reportable control weakness. These controls are listed in the sub-process descriptions below and are also described in more detail in
Appendix A of this report.
The x symbol indicates an internal audit finding that may be either a control weakness or a process improvement suggestion. Note
that one process improvement has been identified in the course of this review.

Page 24 of 34
Phase A Preparation of core CFS components
Central
Section 55 Systems &
FMA Act

x
Data Stores
Preparation of Update Annual CS1 CS4 CS5 CS6 CS7 CS8 CS9
Preparation of letter to CFOs Chart of Accounts
AIMS
CFS Plan advising CFS to send to
agencies Actuals
timetable
Letter to CFOs Update Cpack &

Prepare shell AIMS
CFS Project Plan advising CFS Manual for Year Update Excel
End Financial
Financial (Estimates)
timetable Templates
Statements Statements
Preparation of
Agency Cash
Activity Reports
Agency CPack Cpack Manual

Timetable letter sent to
Agencies
CFS Shell
Financial
Statements
CPacks and Manuals

sent to Agencies
Elimination
Variance CashFlow
Agency QA Adjustment and Journal
Analysis Derivation
workbook Elimination Workbook
Workbook Workbook
Workbook

Page 25 of 34
Summary of Phase A controls Summary of findings
The following table summarises the key controls identified in Phase A, No review findings were identified in this process.
the preparation of core CFS components.
Control
Control description
reference
CFS project plan

CS1
Succession planning
CS4
Change control over spreadsheet components

C S5
Access control
CS6
Version control of spreadsheet systems and templates

CS7
System and procedure documentation

CS8
Back-up of data and spreadsheets stored on the network

CS9

Page 26 of 34
Phase B Preparation of Agency Cash Activity Reports
Financial Central Financial Reporting

Reporting Systems &
Data Stores

CS1
CS1 0 ACM receipts, Run queries to
6 ACM payments & ACM MS format
transactions Access transactions by
database Agency
Cash Draw Down
Preparation of OPA
Statements
Preparation of Small Validation & QA of GG

Agency Statements Agency Annual
Financial Statements

Page 27 of 34
Summary of Phase B controls Summary of findings
The following table summarises the key controls identified in Phase B, No review findings were identified in this process.
the preparation of agency cash activity reports.
Control
Control description
reference
ACM extract reconciliation

CS10
Official Public Account reconciliation (General Government only)

CS16

Page 28 of 34
Phase C Validation and quality assurance of annual financial statements
Agency Financial Reporting Central Systems & Data Stores Financial Reporting
CW9
Upload Cpack Preparation of
AgencyCpack into AIMS and Agency Cash CW12
authorise AIMS (Actuals) Activity Reports

Material audit cleared (WD1)
Material
financialaudit cleared
statements
financial
Submittestatements
submitted
via CPack
via CPack
CS17
CS16 CW13

d
CS2 CS14
CS13
Automated
system
validations
CS15
CS14 Extract Agency
Statements
Analytical
Workbooks
CS11 performed
CS13
CS12 CS12
CS12 Annual Final Budget
Outcome (FBO)
Reporting
Reconcile
Pass No Agency
System

validations Statements to
CAMM
ACM
Yes
CS16
CS15
QA of Agency
Statements
Annual Financial
validated by AIMS (Actuals) Statements
AIMS Validated
(WD2)
Annual CFS
Reporting (Previou
(Previouss
AIMS (Actuals)
Year)
(AIMS) Yr-1
Budget Estimates AIMS (Estimates)

Update Archived (AIMS)

Page 29 of 34
Summary of Phase C controls Summary of findings
The following table summarises the key controls identified in Phase C, No review findings were identified in this process.
the validation and quality assurance of annual financial statements.
Control
Control description
reference
CFS Tracking database

CS2
Cpack submission
CS11
Agency input
CS12
AIMS validation
CS13
Integrity of AIMS data

CS14
Accuracy and completeness of AIMS data inputs and outputs

CS15
Official Public Account reconciliation (General Government only)

CS16

Page 30 of 34
Phase D Preparation of annual financial statements by sector (GG, PFC, PNFC)
Financial Reporting Central

Systems &
Data Stores
Budget Estimates
Update

CS3 CS19
CS18
Preparation of AIMS
Agency Cash
Activity Reports
CS3 CS18
CS17 CS20
CS19 Actuals
Preparation of Prep. of
consolidated
consolidatedAASB
AAS
Small Agency 31 Tables
1049 Tables
Statements (incl CF)
Validation & QA of Annual
Validation & QA of GG
Agency Statements
Annual FBO
(Small Agency)
Reporting
QA of Agency
Annual Financial
Statements
Preparation of WoG
Annual Statements &
comments

Page 31 of 34
Summary of Phase D controls Summary of findings
The following table summarises the key controls identified in Phase D, No review findings were identified in this process.
preparation of annual financial statements by sector (GG, PFC, PNFC).
Control
Control description
reference
Management exception reporting and oversight

CS3
Consolidation journals
CS17
Cash flow statement journals

CS18
Cash flow statement data

CS19

Page 32 of 34
Phase E Preparation of Whole of Government annual financial statements and commentary
Financial Reporting Central

Systems &
Data Stores
AIMS
Actuals
CS21
CS20 CS22 CS22
CS21 CS23
Preparation of
Preparation of Preparation of
Consolidated
4 Notes to the Commentary
AASB
AAS 311049
WoG
WOG Tables Accounts and Preface
Tables
Preparation Annual
Consolidated
Consolidated CFS
AASB 1049 CFS Notes to the
AAS 31 Financial Commentary and
Financial Accounts
Statements
Statements Preface

CS24
CS23
CFS Publication
(Aggregate)
CFS Audit CFS Sign-off

Page 33 of 34
Summary of Phase E controls
The following table summarises the key controls identified in Phase E, preparation of
Whole of Government annual financial statements and commentary.
Control
Control description
reference
Reconciliation of WoG consolidated financial statements

CS20
Notes to the WoG financial statements

CS21
Narrative notes to the WoG financial statements

CS22
CFS publication
CS23
Summary of findings
No review findings were identified in this process.

Page 34 of 34

Foi-11-38-Review of Consolidated Financial Statements Controls 2009 PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Foi-11-38-Review of Consolidated Financial Statements Controls 2009 PDF

Enviado por

Direitos autorais:

Formatos disponíveis

Department of Finance and Deregulation

Internal Audit Report

Review of Consolidated Financial Statements Controls

Reference: A101/ P002

Rating for Audit Committee Reporting:

Liability limited by a scheme approved under Professional Standards Legislation

5. Summary of work performed ............................................................................................................. 7

6. Findings and agreed management actions ......................................................................................... 8

Appendix B Review priority and control rating keys............................................................................ 10

Appendix C CFS Key Controls Framework .......................................................................................... 13

Appendix D Detailed Approach .............................................................................................................. 19

Appendix E Key personnel interviewed.................................................................................................. 21

Appendix F Key documentation reviewed.............................................................................................. 22

Appendix G - Process Maps........................................................................................................................ 24

Rating scale for individual findings

Rating scale for overall report

Internal Audit Report

A copy of the CFS key controls framework is attached at Appendix C.

Internal Audit Report

Year of review Number of priority issues

Number of control weaknesses 0 6 6

MS Excel AIMS MS Excel MS Excel AIMS MS Excel MS Word

MS Excel AIMS MS Excel MS Word

Internal Audit Report

Internal Audit Report

This review L Low exposure

Control Critical - Test controls regularly

Number of priority issues

Internal Audit Report

Ref Summary of work performed

The detailed approach is presented in Appendix D.

Internal Audit Report

Management agrees to the recommendation. However, email confirmation of the backup

AIMS will be decommissioned subsequent to production of the Consolidated Financial

Responsibility: Matthew King, Branch Manager, Financial Reporting Branch

Internal Audit Report

Through discussion, observation and review of evidence we will document and

Resources Seniority and Skills of proposed personnel

Internal Audit Report

Likelihood Likelihood of occurrence

Internal Audit Report

Likelihood Extreme Major Medium Minor Insignificant

Almost certain Extreme Extreme High Significant Moderate

Likely Extreme High Significant Moderate Low

Average High High Significant Moderate Low

Unlikely High Significant Moderate Low Low

Rare Significant Moderate Low Low Low

Level of risk Description

Extreme Immediate action required. Move resources from other areas.

High Action required. Prioritise resources to complete as soon as possible.

Action required as soon as resources become available, include as a priority on work

No immediate action required but to be scheduled for action as part of program or

Low No action required but monitor for worsening of the risk.

Internal Audit Report

appropriately). Controls are in operation, applied consistently,

documentation/communication and/or application require improvement.

E Controls not adequate; risks exist which

Active management - high priority.

No Major Periodic monitoring - moderate priority.

Concern M Controls not strong but risk impact is not

Internal Audit Report

Ref Risk Key controls

Internal Audit Report