Annual Report 2018–19
5 Leading by example
|
Our objectives |
Our directions | What success looks like | |
|---|---|---|---|
 |
Model exemplary performance in everything we do |
Simplify our business Embrace new technology Better intelligence to drive decisions |
Workforce productivity has increased Our internal practices set the benchmark for public sector entities and other audit offices |
VAGO's credibility depends on us being, and being seen to be, independent, competent and publicly accountable for our operations. To make this possible we need to lead by example.
The more we simplify our business, the more efficient we become and the more time we can dedicate to our audits. This year we have continued to streamline and automate core business processes. We implemented new technological solutions and improved our information security practices. Our improvements to human resources and payroll systems will save staff time and increase our productivity.
We continued to establish business intelligence systems that will give us simple and timely access to performance information. Our focus on fraud and corruption and improving our communications set an example for the broader public sector.
5.1 Technology updates
As in other recent years, we focused this year on updating our technology to address process issues, increase productivity and simplify operations. As mentioned in Section 2.2, we needed this capability improvement for specific projects, such as the financial audit dashboard, but there have also been several IT projects affecting the entire organisation.
To enable a more collaborative environment and allow our staff to work remotely, we have moved to using Microsoft Teams across the organisation. This change, as well as other improvements to our network, have made file sharing easier and allowed us to make the most of our investment in Microsoft Office 365.
This is one way we are harnessing new technologies and new ways of working to improve our capabilities, which is the intention of our refreshed IT strategy. The two-year strategy is shaped by industry insights and technology trends and reflects our future requirements.
We are now working with Azure, Microsoft's public cloud computing platform. It provides a range of cloud services, including those for computing, analytics, storage and networking. We use this service as Microsoft invests far more in information security than state government agencies can. Microsoft's cybersecurity budget exceeds USD 1 billion annually and our approach enables us to benefit from this investment.
This year we upgraded our human resources and payroll systems. Our old systems operated independently, which required multiple interfaces and the duplication of data. We replaced these programs with a cloud-based, integrated and easy-to-use system called SuccessFactors.
The new program has greater data capability and is a more flexible and configurable system. It will speed our payroll run, improve our data accuracy and integrity, improve our performance development process and be easier for staff to use. This was a key project for simplifying our business and is another good example of how we are using new IT solutions.
Another way that we are making the most of our new technologies is by gathering information that better informs our decision-making. We have a new project portfolio tool to prioritise investment and monitor progress, and managers are now able to access real-time information about their team's productivity.
5.2 Data protection
One of our major projects this year was reviewing our data protection practices and establishing an IT security framework.
We assessed all our information assets and classified them by considering the potential compromise to confidentiality, integrity and availability. We developed an information management framework to establish, implement and maintain information security controls. We ensure that only authorised people access information through approved processes, consistent with the Victorian Protective Data Security Standards and Australian Auditing Standards.
We have aligned our information security approach to the Australian Government Secure Cloud Strategy, 2017. This strategy recognises that appropriately certified cloud providers are significantly better placed than internal teams to implement and monitor security controls and achieve compliance.
We are increasing our compliance with the Victorian Protective Data Security Framework and also use the Australian Government's Protective Security Policy Framework and Information Security Manual.
Consistent with this guidance we focus on information security across the following domains:
|
security governance |
ICT security |
information security |
personnel security |
physical security |
With the introduction of the revised Audit Act 1994, the Auditor-General now has greater discretion to share information with a broader range of persons and bodies, including ministers, public bodies, statutory office holders, law enforcement agencies and prosecutorial bodies. We can also share information with other Australian Auditors-General when it is in the public interest, excluding Cabinet‑in-Confidence or commercially sensitive information.
Our new IT security framework will allow us to ensure that the information we gather is securely stored and responsibly shared. Part of this is ensuring that our staff engage in safe online behaviour. In March we ran a month‑long cybersecurity campaign to educate staff about phishing and other cybersecurity threats.
This year we have also enforced the application of protective markings to all VAGO documents, which is a method of classifying the sensitivity of information. This is required of all Victorian Government agencies under the Privacy and Data Protection Act 2014.
5.3 Clear communication
In an increasingly digital environment, the way people engage with information is changing. As an organisation that works in the public interest, we aim for all members of the public to be able to access our work, and easily comprehend our findings and recommendations.
To highlight our key messages, we have introduced more infographics and other vitalisations into our reports. These can be useful for clarifying complex information and turning it into something more easily understood. Conversely, these diagrams can also show where systems are particularly complicated.
This example from our Child and Youth Mental Health report illustrates the complexity of the oversight and performance monitoring system for child and youth mental health services.
We increased the graphic elements in our presentations, both those for parliamentarians and those available to the public on our website.
This year we also investigated new approaches to digital communication to plan for the future. We have researched better practice examples to make our work more accessible and engaging. While we are required to produce a printed report for tabling in parliament, we know that most people access our reports online and we aim for them to be easy to navigate and share. Our most popular report this year was viewed more than 3 500 times and our most popular video was viewed more than 1 000 times.
|
Top 10 most viewed videos in 2018–19 |
Top 10 most viewed reports on our website in 2018–19 |
|
|
Melbourne Metro Tunnel Project—Phase 1: Early Works |
1 |
Access to Mental Health Services |
|
School Councils in Government Schools |
2 |
Results of 2017–18 Audits: Local Government |
|
Access to Mental Health Services |
3 |
School Councils in Government Schools |
|
Recovering and Reprocessing Resources from Waste |
4 |
Delivering Local Government Services |
|
Delivering Local Government Services |
5 |
Child and Youth Mental Health |
|
Managing Rehabilitation Services in Youth Detention |
6 |
Auditor-General's Report on the Annual Financial Report of the State of Victoria: 2017–18 |
|
Outcomes of Investing in Regional Victoria |
7 |
Recovering and Reprocessing Resources from Waste |
|
Results of 2017–18 Audits: Local Government |
8 |
Outcomes of Investing in Regional Victoria |
|
Child and Youth Mental Health |
9 |
Reporting on Local Government Performance |
|
Contract Management Capability in DHHS: Service Agreements |
10 |
Local Government Insurance Risks |
For this Annual Report we developed more dynamic, interactive elements for our website as we start to test some of our ideas and the technologies available.
We have also considered accessibility to our information on our website, assessed our level of compliance with the Web Content Accessibility Guidelines 2.0 and explored options to improve our compliance with this standard.
5.4 Governance initiatives
VAGO is enhancing its governance and compliance systems and improving policies and procedures registers. We have also ensured we are meeting our obligations under the Financial Compliance Management Framework and the Victorian Protective Data Security Framework.
We have had several new initiatives across the organisation to develop our governance maturity and improve corporate knowledge of risk and compliance.
|
We developed a new project portfolio with enhanced internal reporting and controls as well as the ability to better track project costs. |
|
We continued to develop our business intelligence systems by automating data extraction and improving our data visualisation, making our systems more user friendly. |
|
We continued our ongoing review of policies and procedures including targeted updates required by the Audit Amendment Act 2019. |
|
We updated our gifts, benefits and hospitality policy and our independence policy. |
|
We created a new coercive powers policy and associated procedure, as well as a new information gathering policy and procedure to respond to the changes to the Audit Act 1994. |
Improving our risk management systems has been a key activity. VAGO refreshed its risk profile and implemented updated controls. VAGO also developed a risk appetite statement, consulting with risk owners for input. We added a 'risk outlook' for each VAGO enterprise risk to improve the risk management report.
As one of Victoria's integrity agencies, VAGO is committed to proper use of public money, information and property, and safeguarding our own integrity and reputation. This year we finalised our new Fraud and Corruption Control Plan. The plan addresses internal and external fraud and corruption risks and shows how we manage these risks and the associated controls, including steps to minimise and manage the risk of fraud and detection and discovery systems.
VAGO has a regular training and development program on our policies and procedures to support our governance and compliance frameworks.
5.5 Assuring our audit quality
To provide the best value to Victorians through our insights we must ensure that we maintain our high standards. We aim to set the benchmark for other audit offices, and we believe our audit quality processes demonstrate exemplary practices.
This diagram shows our financial audit quality assurance and continuous improvement processes.
This diagram shows our rigorous framework of similar processes for our performance audits.
Note: The below is an accessible version of the above diagrams.
This diagram shows our rigorous framework of similar processes for our performance audits.
|
|
Establish and plan the audit, including risk assessment, independence assessments and agreeing with the audited agency to the terms of engagement |
|
● EQCR point Engagement quality control reviewer (EQCR) |
|
|
Audit strategy issued to the audited agency |
|
|
Interim audit activity |
|
|
● EQCR point |
|
|
● AAFR point Active audit file reviews (AAFR) and post-audit and assurance quality reviews (PAAQR) |
|
|
Interim management letter issued to the audited agency |
|
|
Year-end audit activity |
|
|
● EQCR point |
|
|
Conclude the audit |
|
|
● EQCR point |
|
|
Closing report issued to the audited agency |
|
|
Audit opinions issued on signed financial statements and, for some agencies and councils, performance statements also. |
|
|
Final management letter issued to the audited agency |
|
|
● PAAQR point |
Some financial audit quality assurance processes do not occur at specific times during an audit, and may not occur for all audits:
|
Technical panel |
Audit report modification panel |
|---|---|
|
The technical panel, which consists of the Auditor-General, the Assistant Auditor-General of Financial Audit, the Director, Audit Quality and the Director, Financial Reporting Advisory, maintains and considers a register of significant accounting matters. The register of significant matters and the panel provide a forum for discussing and considering technical issues facing the public sector and audit teams. |
A modified audit opinion is one that includes, for example, an emphasis of matter paragraph, a qualification or a disclaimer. The audit report modification panel considers and recommends whether these modifications should be made to the Auditor-General. The panel includes the Assistant Auditor-General of Financial Audit and independent members of the technical team. Issuing a modified opinion requires the approval of the Auditor-General. |
|
Technical consultation |
Client surveys |
|
In our technical team we employ subject-matter experts. At any time during an audit, if the audit team requires impartial advice on an audit or financial reporting matter, they can consult our technical subject-matter experts. |
Each year we survey our clients, alternating between chief financial officers and audit committee chairs, to measure our performance against their expectations. The results of this year’s surveys are discussed on page 26. |
This diagram illustrates our rigorous framework of similar processes for our performance audits.
|
|
Audit initiation |
|
●AAG/AG point Assistant Auditor-General (AAG) and Auditor-General (AG) approval |
|
|
Audit planning |
|
|
●EQCR point Engagement quality control reviewer (EQCR) |
|
|
●AAG/AG point |
|
|
Audit conduct |
|
|
●EQCR point |
|
|
●AAG/AG point |
|
|
End of conduct brief sent out to agencies for consultation |
|
|
●EQCR point |
|
|
●AAG/AG point |
|
|
Provisional draft of Parliamentary report sent out to agencies for consultation |
|
|
●EQCR point |
|
|
●AAG/AG point |
|
|
Proposed draft of Parliamentary report sent out to agencies for consultation |
|
|
●EQCR point |
|
|
●AAG/AG point |
|
|
Preparation of final Parliamentary report |
|
|
Report tabled |
|
|
Client surveys |
|
|
Post audit and assurance quality reviews |