Results of 2016–17 Audits: Local Government

Tabled: 29 November 2017

3 Internal controls

Effective internal controls help entities meet their objectives reliably and cost‑effectively. Entities also require strong internal controls to deliver reliable, accurate and timely external and internal financial reports.

In our annual financial audits, we consider the internal controls relevant to financial reporting and assess whether entities have managed the risk that their financial reports may not be complete and accurate. Poor internal controls make it more difficult for entities to comply with relevant legislation and increase the risk of fraud and error.

3.1 Assessment of internal controls

As part of our audit, we assess the design and implementation of councils' internal controls and, where we identify ones that we intend to rely on, we test how effectively they are operating. If we assess an entity's internal controls as not being well designed, not operating as intended or missing, we communicate this finding to the entity's management and audit committee.

In 2016–17, we reported 359 extreme-, high- and medium-risk internal control issues across the 79 councils, comprising:

  • 110 newly identified issues
  • updates on 249 issues identified through previous years' financial audits.

Figure 3A summarises these control issues by area and risk. Appendix D provides additional information on our risk ratings and our expected time lines for councils to resolve issues.

Figure 3A
Reported internal control issues, by area and risk rating, 2016–17

| Area of issue | Extreme | High | Medium | Total |
|---|---|---|---|---|
| Governance | | 2 | 48 | 50 |
| Information systems | 4 | 36 | 69 | 109 |
| General ledger | | | 10 | 10 |
| Revenue and receivables | | | 20 | 20 |
| Expenditure and payables | | 2 | 33 | 35 |
| Employee benefits | | | 23 | 23 |
| Infrastructure, property, plant and equipment | 1 | 8 | 91 | 100 |
| Cash and other assets | | 1 | 11 | 12 |
| Total | 5 | 49 | 305 | 359 |

Note: We reported 339 low-risk internal control issues in 2016–17, made up of 93 newly identified issues and an update on 246 previously reported ones. As these matters are minor and/or may present opportunities to improve existing processes, they have been excluded from this figure.

Source: VAGO.

Extreme-risk issues

Figure 3B shows the extreme-risk issues we identified and their current status. There were two extreme-risk issues carried forward from 2015–16 and three new issues raised in 2016–17.

Extreme-risk issues are internal control issues that could cause severe disruption to operations and/or result in a material misstatement in the financial report.

Figure 3B
Summary of extreme-risk issues reported in 2016–17

| Council | Description of finding | Year raised | Current status |
|---|---|---|---|
| Cardinia Shire Council | Insufficient software patch and support management | 2015–16 | Closed |
| Casey City Council | Insufficient software patch and support management | 2015–16 | Closed |
| Bayside City Council | Inappropriate password management controls | 2016–17 | Closed |
| Bayside City Council | Weak user access management controls | 2016–17 | Closed |
| West Wimmera Shire Council | Lack of a detailed asset register | 2016–17 | Open |

Source: VAGO.

Cardinia Shire Council and Casey City Council

Both Cardinia Shire Council and Casey City Council had severe weaknesses relating to their IT. Specifically:

  • critical software patches had not been applied to numerous devices
  • some devices had been missing software patches since 2007
  • council was still using software that was no longer supported by the vendor.

We note that unsupported and unpatched software increases the risk that a cyber attacker may gain access to systems and sensitive information.

We confirmed that these deficiencies were resolved in 2016–17. These councils have since implemented procedures to address these controls in the future.

Bayside City Council

Our review of the Bayside City Council's IT environment identified internal control issues regarding password and user access management.

Key issues concerning password management included:

  • passwords being maintained insecurely on the network
  • active account passwords being configured to never expire
  • system password settings and an organisational policy that did not comply with industry better practices.

If passwords are not stored securely, there is a high risk that accounts might be exploited—particularly those with 'super user' privileges. Additionally, permitting users to select weak passwords that are not changed periodically increases the risk of unauthorised access to systems.

Key issues concerning user access management included:

  • accounts being assigned 'super user' privileges when they were not required
  • 'super user' access being assigned to shared accounts, which limited the ability to make individual users accountable for their usage.

Inappropriate and excessive user access rights may result in unauthorised access to data and programs or potential financial fraud.

The council has undertaken corrective actions for password and user access management to strengthen its IT environment.

West Wimmera Shire Council

West Wimmera Shire Council does not have a detailed fixed asset register that lists individual items such as bridges, road segments and drainage assets. As a result, we determined movements for each asset class by referring to other supporting documentation or calculations.

West Wimmera Shire Council accepted this finding and is currently arranging a complete network revaluation to the segment level. This will provide a new detailed asset register that should improve asset management in 2017–18 and beyond.

High-risk issues

High-risk issues are internal control issues that could cause a major disruption to operations or are likely to result in a material misstatement in the financial report.

We reported 49 high-risk internal control issues, comprising:

  • 13 newly identified issues
  • updates on 36 issues identified in previous years' financial audits.

Figure 3C shows these high-risk issues by council and area.

Figure 3C
Summary of high-risk issues reported in 2016–17

Council

Issue type

Issue status(a)

IT controls

Fixed assets

Other

Total

Resolved

Unresolved

Ballarat City Council

3

3

3

Bayside City Council

3

3

3

Benalla Rural City Council

2

2

2

Boroondara City Council

2

2

2

Borough of Queenscliffe

1

1

2

2

Campaspe Shire Council

1

1

1

Cardinia Shire Council

2

2

2

Casey City Council

1

1

1

Central Goldfields Shire Council

1

1

1

East Gippsland Shire Council

1

1

1

Frankston City Council

1

1

1

Greater Dandenong City Council

3

3

2

1

Greater Geelong City Council

2

2

2

Hobsons Bay City Council

2

2

2

Mitchell Shire Council

1

1

2

2

Moonee Valley City Council

4

4

1

3

Moreland City Council

1

1

1

Mornington Peninsula Shire Council

1

1

1

Port Phillip City Council

1

1

1

South Gippsland Shire Council

2

2

1

1

Southern Grampians Shire Council

1

1

2

1

1

Strathbogie Shire Council

1

1

2

2

West Wimmera Shire Council

1

1

2

1

1

Whitehorse City Council

4

4

4

Wodonga City Council

2

2

2

Total

36

8

5

49

32

17

(a) Status of issue as reported to management.

Source: VAGO.

Poor IT controls and cyber risk

A cyber attack is a deliberate act by a third party to gain unauthorised access to an entity's data, with the objective to damage, deny, manipulate or steal information. To reduce the risk of a successful cyber attack, it is imperative that IT control issues are addressed in a timely manner.

IT control activities support the operating capability of an IT system. Strong IT controls ensure smooth day-to-day operations of councils and the reliability of data used for financial reporting and preparing performance statements. They reduce the risk that employees or third parties can circumvent processes and help maintain the integrity of information and the security of data.

In our audits of the 79 councils, we identified 18 with high-risk IT control issues related to:

  • unsupported systems and software
  • user access controls
  • software patch management controls
  • other general IT controls.

Appendix E lists IT control issues for each council.

The severity of these IT control issues determined whether they were rated extreme, high or medium.

Poorly designed and implemented IT controls increase the risk of unauthorised access to systems, which may result in the destruction of data or recording of non-existent transactions. They also increase the risk of a successful cyber attack.

Medium-risk issues

Medium-risk issues are internal control issues that could cause moderate disruption to operations or a misstatement that is not material in the financial report.

We reported 305 medium-risk internal control issues, comprising:

  • 94 newly identified issues
  • updates on 211 issues identified through previous years' financial audits.

Figure 3D shows the number of issues by area and current status.

Figure 3D
Summary of medium-risk issues reported in 2016–17

Graph showing a summary of medium-risk issues reported in 2016–17

Source: VAGO.

Information systems and fixed assets continue to be areas of major internal control weakness across the sector. Nevertheless, it is pleasing to note that councils resolved a number of issues during the 2016–17 audits.

3.2 Status of matters raised in previous audits

We monitor the status of prior-year internal control issues in our management letters, to ensure they are resolved. Figure 3E shows the status of these issues, as reported in our management letters to councils.

Figure 3E
Status of prior-period internal control issues, by risk rating, 2016–17

| Issue status | Extreme | High | Medium | Total |
|---|---|---|---|---|
| Resolved | 2 | 28 | 121 | 151 |
| Unresolved | | 8 | 90 | 98 |
| Total | 2 | 36 | 211 | 249 |

Note: Issues rated as low risk are excluded from this analysis.

Source: VAGO.

We found that councils showed significant improvement in resolving extreme- and high-risk internal control issues. The eight remaining unresolved high-risk matters primarily relate to six IT control issues that councils are still addressing.

While there was an improvement in resolving medium-risk issues, further work is required to address these matters within the recommended six-month time frame.
