Auditor-General’s Report on the Annual Financial Report of the State of Victoria: 2017–18

Tabled: 24 October 2018

4 Internal controls

Effective internal controls help entities reliably and cost-effectively meet their objectives. Good financial reporting controls are also a prerequisite for delivering sound, accurate and timely external financial reports.

In our annual financial audits, we consider the internal controls relevant to financial reporting and assess whether entities have managed the risk that their financial reports will not be complete and accurate. Poor internal controls make it more difficult for management to comply with relevant legislation, and increase the risk of fraud and errors.

As part of our audit of the AFR, we assess the impact that internal control deficiencies identified at state-controlled entities may have on DTF's ability to prepare a complete and accurate AFR.

Where we identify issues, we report them to management and audit committees as required by auditing standards. Our risk ratings for control weaknesses are defined in Appendix E, along with recommended time lines for resolving the issues.

4.1 Overall findings

Overall, the internal controls implemented by DTF to support the preparation of a complete and accurate AFR are effective, although there are areas for improvement—summarised in Figure 2B.

The internal control frameworks at the 265 state-controlled entities adequately support the preparation of complete and accurate financial reports. However, some agencies need to strengthen some important internal controls.

4.2 Internal control deficiencies

The Standing Directions of the Minister for Finance 2016 require the accountable officer of each entity to establish an effective internal control system for the entity's financial management, performance and sustainability. The internal control system must include the elements shown in Figure 4A.

Figure 4A
Elements of an internal control system

Figure 4A shows elements of an internal control system

Source: VAGO.

The control environment includes:

  • integrity and ethical values
  • governance
  • organisational structure and reporting lines
  • qualifications and competence of people
  • accountability.

Entities establish audit committees to help them with governance and assurance over internal controls. Under Standing Direction 3.2.1 Oversight and assurance: Audit Committee, one of the audit committee's responsibilities is to regularly review the implementation of management actions in response to internal or external audits, including remedial actions to mitigate future instances of noncompliance.

Control environment

The control environment is the attitudes, awareness and actions of management. It is the 'tone at the top'.

As part of a financial audit, we evaluate whether:

  • management has created and maintained a culture of honesty and ethical behaviour
  • the control environment provides an appropriate foundation for the other components of internal control.

We found the larger the government entity, the greater the strength of the control environment, as controls were layered across every facet of the business. However, the smaller government entities, with fewer staff, relied heavily on boards and audit committees for effective monitoring and oversight. This is evident in entities with smaller finance teams.

The case study in Figure 4B describes the impact of a weak control environment.

Figure 4B
Case study: Control environment at the Royal Children's Hospital

The Royal Children's Hospital implemented a new payroll system in May 2017. The hospital has a workforce of approximately 3 300 full-time equivalent (FTE) employees. Employee benefits make up about 70 per cent of the hospital's total expenditure relating to operating activities.

Our previous audits have identified poor controls within the hospital's payroll system and processes. These became weaker with the implementation of the new system, as past control issues we had identified were not fully addressed.

As a result, in 2017–18 some employees received incorrect salary and superannuation payments, with errors totalling about $600 000.

Key weaknesses identified in our previous audit work included:

  • key human resources and payroll processing controls not operating effectively
  • over- and under-payment of employee salary and superannuation
  • lack of assurance reporting over the effectiveness of controls outsourced to a payroll system provider.

We communicated these weaknesses to the hospital's board and audit committee as part of our previous audits, however, they were not all addressed promptly by management. In 2017−18, we continued to report that these weaknesses had not been resolved, and we have identified further weaknesses over the payroll system and controls.

In its 2017–18 financial report, the Royal Children's Hospital stated that it has identified all payment errors and has committed to resolving them by 30 June 2019.

Source: VAGO.

Risk assessment

Risk assessment includes:

  • strategic risk assessment
  • operational risk assessment
  • financial risk assessment.

Risk assessment relates to management's processes for identifying, analysing, mitigating and controlling risks that may prevent an entity from achieving its objectives.

As part of a financial audit, we seek to understand whether management has a process for:

  • identifying business risks relevant to financial reporting objectives
  • estimating the significance of risks
  • assessing the likelihood of risks occurring
  • deciding on actions to address those risks.

Only one small entity in the GGS did not have a risk register in place.

Entities' IT systems are at different stages of their life cycle. As entities develop business cases to support investment in new systems, management should ensure they have assessed risks to properly identify, analyse, mitigate and control risks associated with the implementation of a new system and its impact on the business. This is particularly relevant as entities move towards cloud‑based IT environments.

Control activities

Control activities include:

  • policies and procedures
  • security
  • change management
  • business continuity
  • outsourcing.

Control activities are the policies, procedures and practices that management implements to help meet the entity's objectives. These activities operate at all levels and in all functions, can be manual or automated and, if operating effectively, can prevent or detect errors in financial information.

As part of a financial audit we seek to understand the control activities that support the preparation of accurate financial statements and those that do not.

We separate control activities into manual and IT control activities.

Manual control activities

Employees manually perform these control activities to assess the reasonableness and appropriateness of transactions—for example, by manually validating, calculating or reviewing something. These controls may be less reliable than IT controls because they are susceptible to human error and can be more easily bypassed or overridden.

Forty state-controlled entities had medium-rated control deficiencies in this area, which primarily related to:

  • payroll—duties not being segregated, employee master files not being kept up to date, and staff not using system-generated exception reports
  • expenses—purchase orders not being used, delegations being breached, and changes to vendor master files not being approved.

These themes are consistent with our findings in previous years.

Information technology control activities

A cyber-attack is a deliberate act by a third party to gain unauthorised access to an entity's data with the objective of damaging, denying, manipulating or stealing information.

IT control activities support the operating capability of an IT system. Strong IT controls are a prerequisite for the smooth day-to-day operations of entities and the reliability of financial information. They reduce the risk that employees or third parties can circumvent processes and that unauthorised users can access systems, which may result in the destruction of data or recording of non‑existent transactions.

IT controls can also reduce the risk of a successful cyber-attack. To achieve this, it is imperative that IT control deficiencies are addressed in a timely manner.

Twelve state-controlled entities had medium-rated IT control deficiencies, which primarily related to:

  • user access management—users being assigned inappropriate privileged access, and users and their system access requirements not being reviewed periodically
  • system software—software being configured inappropriately, system updates and patches not being applied in a timely manner, software still being used even though it is no longer supported by the vendor
  • disaster recovery plans—plans not being updated or tested in a timely manner.

These themes are consistent with our findings in previous years.

The case study in Figure 4C describes the impact of an IT control deficiency.

Figure 4C
Case study: IT deficiency at the Department of Education and Training

The Department of Education and Training (DET) outsources the hosting and maintenance of its purchasing system to a service provider. The system manages all aspects of the purchasing process, including contract management, vendor setup and purchasing.

The service provider delivers several IT services to DET including:

  • daily and weekly backups with email notifications when the backup is complete
  • twice-yearly backup restoration testing
  • an annual disaster recovery test.

As part of DET's annual disaster recovery test, the service provider attempted to simulate recovery of the system by restoring the live environment using data from the backup site. The database was successfully restored, however, 39 608 documents supporting financial delegation approvals for various procurement and payment‑related transactions were lost. No other data was impacted.

This loss was caused by a storage replication software bug. Recovery of lost data was further complicated as:

  • daily and weekly backups had not been operating since November 2017
  • the email notifications about the completion of backups were being sent to an employee of the service provider who was no longer working on DET's systems, thus no longer monitoring whether backups were successful.

The service provider has since remediated these IT control deficiencies. DET has recovered approximately 50 per cent of the documents and is working towards recovering the remainder.

The impact of the loss could have been worse if other data was also affected, or if management had difficulties in its recovery activity. This serves as a reminder of the importance of effective IT internal controls.

Source: VAGO.

Monitoring of controls

Monitoring of controls includes:

  • management supervision
  • self-assessment
  • internal audit.

Monitoring activities are the methods management uses to observe internal controls in practice and assess their effectiveness. This may be through ongoing supervision, periodic self-assessments or separate evaluations.

As part of a financial audit, we seek to gain an understanding of the major activities management uses to monitor the internal controls that are relevant to financial reporting, and how management initiates remedial actions to address deficiencies.

Six state-controlled entities had medium-rated control deficiencies in this area. These were related to how management oversees excessive leave balances and monitors other internal controls.

Outsourced service providers

Some state-controlled entities use outsourced service providers to process transactions on their behalf, or to house and run their IT systems.

Management is responsible for ensuring that service providers implement and operate effective controls. Management remains accountable for the quality of the information it stores in the service provider's systems.

To help management discharge its responsibilities, entities generally engage an independent auditor to review, test and report on the design and operating effectiveness of outsourced controls.

As entities implement cloud-based solutions through outsourced service providers, it is important for management to assure itself that the service provider's controls are operating effectively.

Information and communication

Information and communication includes:

  • systems
  • quality of information
  • effectiveness of communication.

Information and communication involves providing information in a form and time frame that allows staff to effectively and efficiently discharge their responsibilities and effectively transmit control tasks throughout the entity.

As part of a financial audit, we seek to understand the entity's information systems and related business processes relevant to financial reporting, as well as how management communicates financial reporting roles and responsibilities and other significant matters to interested parties.

The case study in Figure 4D describes the impact of a deficiency in information and communication.

Figure 4D
Case study: Information availability at the Department of Justice and Regulation

The Department of Justice and Regulation (DJR) is responsible, through Fines Victoria, for infringement processing and enforcement activities.

On 31 December 2017, Fines Victoria was established as part of a range of legislative reforms. This required a new IT system to replace the existing legacy system and the procurement of a new external service provider. The Victorian Infringement Enforcement Warrant (VIEW) system replaced the Victorian Infringement Management System (VIMS) on that date.

In our financial audit of DJR, we identified the following issues:

  • VIEW relies on data from a number of external agencies. The VIEW interface with systems at Court Services Victoria (CSV) was not working. As a result, DJR was unable to receive the data files being transmitted by CSV and approximately $33.5million of court fines revenue was not processed into the system.
  • VIEW was not able to produce all the required reports to enable DJR to complete its normal month-end reconciliation procedures.
  • There was a significant backlog in processing infringement review requests, driver nominations and payment arrangement plans.
  • The new system had a number of control weaknesses, including limited oversight controls, and instances of incorrect user access.
  • DJR's arrangements for gaining assurance over the operating effectiveness of the controls at the third-party service provider were only finalised after 30June2018.

These issues mean that, from the implementation of VIEW, DJR:

  • was unable to complete its normal month-end reconciliation process to confirm revenue and debt figures for inclusion in its financial statements for the year ended 30 June 2018
  • was unable to issue court-related infringement notices promptly or collect the fines
  • was unable to issue reminders to pay an infringement notice in the required time frames, increasing the risk that collection will be more difficult
  • deferred issuing penalties for late payment of fines for a period of time
  • incurred additional costs as extra staff were employed by the service provider to address the transaction backlogs.

DJR had to undertake extra work in August 2018 to ensure these issues did not impact its financial statements at 30 June 2018. This included engaging a professional services firm to assist with their reconciliation of infringement revenue and debt from 1 January 2018 to 30 June 2018.

DJR has materially reconciled the revenue and debt numbers by verifying them against external source data, historical trends and predictive analytics.

Some issues are still unresolved, and DJR is working to resolve those issues with VIEW. This serves as a reminder on the importance of effective internal controls for the operations of critical business processes.

Source: VAGO.

Back to Top