Universities: 2016 Audit Snapshot

Tabled: 7 June 2017

3 Internal controls

Effective internal controls help entities to meet their objectives reliably and cost‑effectively. Strong internal controls are a prerequisite for delivering reliable, accurate and timely external and internal financial reports.

In our annual financial audits, we consider the internal controls relevant to financial reporting, and assess whether entities have managed the risk that their financial reports will not be complete and accurate. Poor internal controls make it more difficult for entity management to comply with relevant legislation, and increase the risk of fraud and error.

3.1 Internal control observations

To the extent we tested them, universities' internal controls for financial reporting were adequate for ensuring their financial reporting is reliable. However, some important internal controls need to be strengthened and financial reporting matters need to be addressed.

During 2016, we identified 47 internal control weaknesses and financial reporting issues, and reported them to management and university audit committees.

Figure 3A shows the risk rating of the issues we identified, excluding the 16 low-risk issues we reported. These low-risk issues were minor control weaknesses or opportunities to improve existing processes or internal controls. We define each risk rating in Appendix C.

Figure 3A
Reported issues by area and risk rating

[Chart: number of reported issues by area of issue (Expenditure/accounts payable, Financial reporting, IT controls) and risk rating; chart values were not preserved in the text extraction.]

Source: VAGO.

Forty-two per cent of the issues raised related to the information technology (IT) control environment at the universities. Universities, as with other public sector entities, rely heavily on IT systems. Common areas of concern include poor user access, poor password controls, and weaknesses in disaster recovery programs. Weaknesses in security and automated controls make material errors and fraud more likely and harder to detect.

Status of matters raised in previous audits

As part of our financial audit process, we monitor the resolution of previously reported control weaknesses and financial reporting issues. We provide information to university managers and their respective audit committees about the status of these issues.

Seventy issues remained open at the start of 2016. Encouragingly, 80 per cent of these matters were resolved during 2016.

Figure 3B shows the internal control weaknesses and financial reporting issues raised in previous audits, with the resolution status by risk.

Figure 3B
Prior year issues by resolution status at 31 December 2016

[Chart: prior period issues by status of prior period issue and risk rating; chart values were not preserved in the text extraction.]

Source: VAGO.

Most unresolved issues relate to IT controls, with universities not properly dealing with the root causes of problems and consequently only partially implementing our recommendations.

The universities' failure to resolve these problems reduces the effectiveness of their internal control environments.

3.2 Fraud controls

Each year we select one area of internal control and perform a more detailed review of the controls and related operating environment. For our 2016 audits we reviewed the fraud control frameworks in place at universities—a key component of the internal control environment.

The risk of fraud is inherent in all entities. When fraud occurs in public sector entities such as universities, public money is lost.

Australian Standard 8001:2008 Fraud and Corruption Control (AS 8001) identifies three clear activities that are considered to be fraud:

  • theft of money or property
  • deliberate falsification, concealment, destruction or use of falsified documentation
  • improper use of information or position for personal financial benefit.

Universities should be alert to opportunities for fraud to occur, given the nature of their business. They need to design and implement frameworks to mitigate any risks as part of their routine risk management activities.

The Independent Broad Based Anti-Corruption Commission (IBAC) has published a checklist to help public entities assess whether their fraud risk management is better practice. This checklist is included in Appendix E. Figure 3C summarises the key aspects of better practice that should be included in a fraud control framework, based on the checklist.

Figure 3C
Key elements of an effective fraud control framework

Managing the risk of fraud

  • Assess and identify fraud risks
  • Implement and maintain an integrity framework
  • Develop and implement fraud control governance arrangements
  • Have good internal controls to detect potential fraud
  • Conduct pre-employment screening
  • Undertake supplier and client vetting

Practice and culture

  • Ensure management is committed to controlling fraud risks
  • Create a culture that supports ethical behaviour
  • Build up line management accountability for appropriate culture
  • Have training to build employee awareness of fraud control
  • Ensure client and community awareness of the fraud control framework
  • Put in place clear avenues for reporting suspected incidents
  • Ensure protections for disclosers are in place

Source: VAGO, based on Controlling fraud and corruption: a prevention checklist, IBAC, 2013.

We assessed the fraud risk management framework at the eight Victorian universities against better practice criteria, including the IBAC checklist, AS 8001 and the Standing Directions of the Minister for Finance 2016.

3.2.1 Managing the risk of fraud

Most universities have sound policies and procedures in place to manage their fraud risks. Overall, the policies and procedures underpinning the fraud control frameworks are up to date, and there is evidence of recent management review.

All universities defined fraud to include the three components outlined above, consistent with AS 8001. This means the universities have a comprehensive view of fraud.

The following key elements of an effective fraud control framework were evident at most universities:

  • corruption prevention principles form part of strategic planning, project planning and business processes
  • management, internal audit and audit committees conduct ongoing scrutiny of internal controls
  • independent reviews are conducted of the operation and effectiveness of internal controls to prevent, deter and/or detect fraud
  • a member of management is responsible for fraud control, including communicating to employees the university's commitment to controls, and management's approach to preventing, detecting and responding to fraud and corruption
  • fraud control is monitored and reported on at least annually
  • procedures are in place to guide the conduct of high-risk activities such as tendering, accounts payable and managing assets
  • the university has a policy on the acceptance of gifts and benefits, which it communicates to staff
  • pre-employment screening is conducted of qualifications, credit history, criminal history and potential factors that may raise a fraud risk
  • credentials of new suppliers and customers are checked.

Although universities have the key elements of a fraud control framework, there is scope for improvement.

3.2.2 Areas for improvement

Documented fraud control plan

Fraud risks are being identified and managed within the strategic risk register at most of the universities. However, none of the eight universities had a documented fraud control plan to support and manage this risk.

A fraud control plan is a key operational document that explains how the university's fraud policy, risk register, and strategies for prevention, detection and response are integrated, and how they are put into practice and reviewed. Fraud control plans should include:

  • a summary of the university's major fraud risks, identified by conducting a fraud risk assessment and incorporating knowledge of fraud trends
  • treatment strategies or controls in place to mitigate material fraud risks
  • roles and responsibilities identified for implementing and monitoring key prevention, detection and response initiatives
  • performance measures in place, including procedures for assessing the plan's effectiveness.

A well-prepared fraud control plan can provide a university with assurance that it is aware of all major fraud risks, and that it has adequate prevention, detection and response initiatives in place.

Not having a fraud control plan could mean that significant areas of fraud risk are not identified and controlled, putting a university at risk of financial loss.

Practice and culture

Fraud awareness and a university's designated fraud control framework should be communicated to and embedded throughout the university to be effective. Staff must be trained to understand the fraud control framework, and training should be refreshed and delivered periodically to maintain staff awareness.

We found that most universities include fraud awareness and reporting in induction training for new staff. Refresher training is generally provided every two to three years. Specific training is also designed and provided to employees more likely to encounter fraud, such as procurement officers and executives.

To support this, universities should have a code of conduct, and create a culture that supports ethical behaviour. This is in place at all universities, is communicated to employees, and sets out the values employees are expected to uphold.

Universities engage a large number of external resources such as contractors and volunteers. As these external resources are acting on behalf of a university, it is important that they are aware of and trained in the universities' fraud policies—just like directly employed staff members—to reduce the risk of fraud. This would also increase the likelihood of potential fraud being identified and reported.

Currently, no university has fraud training in place for contractors and volunteers. Universities have an opportunity to reduce their risk of fraud in this area.

Reporting of fraud

A reporting system that records all allegations of fraud, investigations and outcomes can provide an overview of the nature, extent and location of fraud that is occurring. It can also form the basis for developing an intelligence capability and risk profiles of potential fraud suspects, and provide data to identify trends.

All universities have in place reporting mechanisms for employees to report suspected fraud and other improper conduct. Most universities also have established procedures for supporting and protecting disclosures as required by the Protected Disclosure Act 2012 (Vic).

Universities, as public bodies under the Financial Management Act 1994, are required to notify the Minister for Finance, their audit committee, the relevant government department and the Auditor-General when they become aware of significant or systemic fraud, whether actual or suspected. This is a new requirement that came into effect on 1 July 2016. Before this, all instances of fraud, theft or loss had to be reported to the Minister and the Auditor-General annually, subject to certain thresholds.

Two universities are not maintaining adequate records of all actual and suspected fraud, corruption and other losses, including remedial action planned or taken. Further, only two universities made a report of fraud, thefts and losses to the Auditor-General during 2016.

Given the size and complexity of university operations, this indicates to us that there is insufficient reporting of suspected and actual fraud occurring across the universities, and universities are not complying with their legislative requirements.

In a recent example, an incident of attempted cyber fraud perpetrated by an external party for $3.4 million and instances of contracts worth $0.4 million awarded to undeclared related parties were not reported to the Auditor-General. This limits our ability to effectively assess the risk in the sector when conducting our financial audits.
