foi 11/38 internal audit report - review of consolidated financial


Department of Finance and Deregulation

Internal Audit Report

Review of Consolidated Financial Statements Controls 2009

Reference: A101/ P002

Period of review: September - October 2009

Date of final report: November 2009

Review Sponsor: Tim Youngberry, A/g General Manager, Financial Management Group

Circulation:
Matthew King, Branch Manager, Financial Reporting Branch
Greg Feeney, A/g Division Manager, Financial Reporting and Cash Management Division
Audit Committee

This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance and Deregulation’s internal use and benefit and may not be relied on by any other party. This report may not be distributed to, discussed with, or otherwise disclosed to any other party without PricewaterhouseCoopers’ prior written consent. PricewaterhouseCoopers accept no liability or responsibility to any other party who gains access to this report.

Rating for Audit Committee Reporting: Low Exposure

Liability limited by a scheme approved under Professional Standards Legislation


Contents

1. Introduction

2. Background

3. Scope

4. Summary of findings

5. Summary of work performed

6. Findings and agreed management actions

Appendix A – Internal Audit Review – Commonwealth Financial Statement (CFS) Process Review – Scope of Work

Appendix B – Review priority and control rating keys

Appendix C – CFS Key Controls Framework

Appendix D – Detailed Approach

Appendix E – Key personnel interviewed

Appendix F – Key documentation reviewed

Appendix G – Process Maps

Glossary

Priority ratings have been assigned to issues raised in this report as follows:

Rating scale for individual findings

A Active management required as an extreme priority. Controls are not adequate to address the associated risk.

B Active management required as a high priority. Controls are not adequate to address the associated risk.

C Active management required as a moderate priority. Controls are not adequate to address the associated risk.

BPI Business Process Improvement opportunity. A suggested improvement in efficiency or better practice.

Rating scale for overall report

Control is inadequate:

E Extreme priority

H High priority

M Moderate priority

Control is adequate:

L Low priority

CC Control Critical - Test controls regularly

Note: The overall review rating is the residual exposure to Finance after consideration of all findings highlighted in this report. More detail on the rating scales used throughout this report can be found at Appendix B.

Limitations

Our Internal Audit work was limited to that described in this report and was performed in accordance with International Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors. It did not constitute an examination or a review in accordance with generally accepted auditing standards or assurance standards. Accordingly, we provide no opinion or other form of assurance with regard to our work or the information upon which our work was based. We did not audit or otherwise verify the information supplied to us in connection with this engagement, except to the extent specified in this report or our approved objectives and scope.

Internal Audit Report Review of Business Continuity Management Page 2 of 34


1. Introduction

As part of the Internal Audit Work Plan for 2008/09, PricewaterhouseCoopers (PwC) reviewed the Internal Controls Framework surrounding the Consolidated Financial Statements (CFS) process.

The purpose of the review is to check the integrity of processes and controls in place which support the accuracy and timely production of the CFS.

The review of the Internal Controls Framework focused on the following key areas:

- preparation of core CFS components
- preparation of Agency Cash Activity reports
- validation and quality assurance of annual financial statements
- preparation of annual financial statements by sector
- preparation of Whole of Government annual financial statements and commentary.

Note: no Administrative Arrangement Orders (AAOs) to restructure the General Government Agencies were issued during the financial year under review, therefore no additional supplementary controls testing for the AAO process was required.

A copy of the CFS key controls framework is attached at Appendix C.

2. Background

Under Section 55 of the Financial Management and Accountability Act 1997, the Minister for Finance and Deregulation is required to prepare the Consolidated Financial Statements (CFS) for the Australian Government.

The CFS are prepared in accordance with the Australian Accounting Standards and all other financial reporting regulatory requirements and reflect a consolidation of the financial statements of all Commonwealth controlled reporting entities.

These annual statements are prepared on behalf of the Minister of Finance and Deregulation by the Financial Management Branch of the Department of Finance and Deregulation (Finance) as soon as practicable following the end of the financial year. These financial statements are audited by the Australian National Audit Office.

The process is currently conducted using the AIMS system. However, it is expected that a transition to the Central Budget Management System (CBMS) will take place during the next year and the AIMS system will be decommissioned.

In 2008/09 the CFS is being prepared for the first time in accordance with the Australian Accounting Standard 1049 Whole of Government and General Government Financial Reporting (AASB 1049). The objective of AASB 1049 is to specify requirements for the financial reporting by whole of government and General Government Sector. It became applicable for annual reporting periods beginning on or after 1 July 2008. The introduction of this standard has resulted in no significant changes to the CFS process.

Internal Audit Report Review of Consolidated Financial Statements Controls 2009 Page 3 of 34


Internal Audit first performed a controls based agreed-upon procedures review to assist Finance in preparing the CFS for the 2003/04 financial year. This identified a number of process and control improvements for CFS preparation in future years. Internal Audit have since performed controls based agreed-upon procedures to assist Finance in preparing the CFS for each of the subsequent financial years. The following table illustrates the number of control weaknesses outstanding at the end of each annual review and their rating:

| Year of review | Priority A issues | Priority B issues | Priority C issues |
|---|---|---|---|
| Number of control weaknesses identified in 2003 review | 0 | 6 | 6 |
| Number of control weaknesses unresolved in 2005 review | 0 | 0 | 3 |
| Number of control weaknesses unresolved in 2006 review | 0 | 0 | 1 |
| Number of control weaknesses unresolved in 2007 review | 0 | 0 | 0 |
| Number of control weaknesses unresolved in 2008 review | 0 | 0 | 0 |
| Number of control weaknesses unresolved in 2009 review | 0 | 0 | 1 |

The following diagram summarises the CFS preparation process considered as part of this review. Detailed CFS preparation process maps are provided in Appendix G of this report.

[Diagram: CFS preparation process flow. Stage labels: Input; Capture; QA; Prepare consolidated statements; Consolidation calculations; Adjust and aggregate; Publish statements. Components shown: MS Excel (Cpack from agencies); AIMS (Working Data 1 and Working Data 2); AIMS (GG, PFC, PNFC); MS Excel (Journal and elimination workbooks, GG, PFC, PNFC); MS Excel (P&L, B/S, Derived Cash Flow and Notes for GG, PFC, PNFC); MS Word (P&L, B/S, Derived Cash Flow and Notes for GG, PFC, PNFC); MS Excel (Analytical Workbooks and Column Reports); AIMS (WoG); MS Excel (Journal and elimination workbooks, WoG); MS Excel (P&L, B/S, Derived Cash Flow and Notes for WoG); MS Word (P&L, B/S, Derived Cash Flow and Notes for WoG).]

Diagram 1: The Whole of Government (WoG) Consolidated Financial Statements (CFS) comprise the sum of General Government (GG), Public Finance Corporations (PFC) and Public Non-Finance Corporations (PNFC).


3. Scope

A copy of the approved objectives and scope of this review is attached at Appendix A. Specific limitations to the scope of this review are detailed below:

- controls over business continuity and contingency arrangements were not within the scope of agreed-upon procedures for this review.

4. Summary of findings

Our work has identified that the controls originally identified in the 2003/04 audit continue to be in place and operating as intended, however one opportunity for improvement has been identified. This finding relates to:

- a back-up of the data of the AIMS system is occurring on a nightly basis, however there is currently no confirmation that these backups are occurring and are complete.

Overall, Internal Audit considers that the controls identified in 2003-04 remain adequate and appropriate for today's operating environment. Business requirements in terms of accuracy and timeliness of the preparation of the CFS remain comparable, whilst the observed stability and robustness of the process and its controls have in aggregate improved each successive year of review.

It is worth noting that the scheduled replacement of the legacy AIMS system with CBMS for next year's CFS process will require a re-evaluation and re-mapping of the risks and controls for the updated aspects of the process.

A listing of the key controls over the CFS process is provided in Appendix C of this report.

David Murphy Partner PricewaterhouseCoopers 4 November 2009


Summary of ratings and issues

The review of Business Continuity Management has been rated a Low priority for Finance due to the number and nature of the priority issues identified. The sliding scale diagram that follows explains the system used to rate the overall review.

Appendix B provides more detail on the rating scales used throughout this report.

E Extreme priority

H High priority

M Moderate priority

L Low exposure

C Control Critical - Test controls regularly

This review: number of priority issues

| A | B | C | BPI |
|---|---|---|---|
| 0 | 0 | 1 | 0 |


5. Summary of work performed

A summary of the work performed in reviewing the processes and controls over the preparation of the 2008/09 CFS is outlined in the table below.

Ref Summary of work performed

1 Review existing process maps (documented in 2003) that describe the CFS preparation process.

2 Perform process walkthroughs with relevant Finance staff to reconfirm process flow and the presence of key controls.

3 Review the controls map delivered in our 2003/04 review that describes and links the identified controls with the existing CFS preparation process maps. We will update these control maps for changes in processes of key controls made since our 2003/04 review.

4 Execute sample based audit tests (previously developed as part of 2003/04 review) to confirm the effectiveness of controls.

5 Conclude on the effectiveness of controls considered key to the CFS preparation process in the report.

The detailed approach is presented in Appendix D.


6. Findings and agreed management actions

6.1. Notification of backups of the AIMS data being performed (CS9)

Observation

A backup of the AIMS database was previously conducted on an hourly basis. However, these are no longer being supported due to the decommissioning of AIMS. Instead a backup of the system is occurring on a nightly basis. However, there is no confirmation received by the System Administrator that the backup process is successful and complete.

It is also acknowledged that on an ad hoc basis backups are tested by loading them into the AIMS test environment.

Risk

In the event of a major outage or loss of system data, the ability of System Administrators to recover the most up to date AIMS data may be compromised by missing or incomplete backups.

Recommendation

Finance will introduce a daily automated email notification produced from the system to confirm the completion of the backup process. This should be received by the AIMS System Administrator and reviewed to ensure that no errors were detected.

Further to this a formal schedule of testing backups should be defined and followed.

Priority: Low

Management Response

Management agrees to the recommendation. However, email confirmation of the backup is not available. The AIMS System Administrator will review the TSM reports on a daily basis to confirm successful completion.

AIMS will be decommissioned subsequent to production of the Consolidated Financial Statements and the data will be archived. There is no requirement to put in place a formal schedule of testing the backup.

Management will ensure that a notification and formal testing process of the replacement to AIMS is put in place for the 2009-10 CFS process.

Responsibility: Matthew King, Branch Manager, Financial Reporting Branch

Implementation date: 31 December 2009


Appendix A – Internal Audit Review – Commonwealth Financial Statement (CFS) Process Review – Scope of Work

Objective

The objective is to prepare a report annually to the CFS Audit Committee reviewing the processes within Finance for the preparation of the Commonwealth’s annual consolidated financial statements including any difficulties encountered and suggesting improvements.

Approach

We will consult with Financial Reporting Branch (FRB) to validate our proposed approach to update our understanding of any material changes that have occurred since our last review that may impact the approach. Specifically we will:

Update our approach as required by our initial consultation.

Review any updated process and control documentation held by the Branch.

Through discussion, observation and review of evidence we will document and review the processes and controls in place to support the accurate and timely production of the CFS.

Perform process walkthroughs with relevant Finance staff to reconfirm process flow and presence of key controls.

We will recommend specific and practical updates required to the process and control documentation held by the Branch.

We will prepare a report for the CFS Audit Committee on our findings and recommendations.

We will regularly liaise with FRB throughout the review to ensure that any issues raised are discussed and that progress is known and clear.

Resources – Seniority and Skills of proposed personnel

The review of the CFS processes and controls requires specialist knowledge that PwC is well placed to provide the Department. We have undertaken similar reviews for the Department for each of the last five years and propose a team that understands the processes, is well known and respected by the CFS team and has contributed significantly to the improvement of process and controls over that time.

Staff Audit Days*

Partner 2

Director 3

Senior Consultant 8

Appropriate Consultant 10

Total 23

*Our approach is based upon the current systems and processes that Finance utilise to produce the CFS. We understand that a new system and processes are currently being developed with an implementation timeframe that is yet to be determined. We anticipate that the first year of this review under the new system and process would require approximately 7 days more effort.


Appendix B – Review priority and control rating keys

The keys used in this report are based on the Finance Risk Management Framework for inherent risks. Likelihood involves an assessment of the probability or frequency of occurrence of a risk event.

Likelihood Likelihood of occurrence

Rare The event type would occur only in exceptional circumstances and has not occurred within Commonwealth Government.

Unlikely The event type could occur but has not occurred in Finance before.

Average The event type might occur or has occurred at least once within Finance.

Likely The event type will probably occur or has occurred in Finance within the last two years.

Almost certain The event type has occurred within the last 12 months or is expected to occur.

Impact involves the consequences of a risk event, and may be in terms of, for example, financial or human cost, business disruption, environmental damage or damage to reputation. Each consequence/impact can be rated, in terms of its severity.

Impact rating by consequence/impact area:

| Impact | Financial | Human resources | Business interruption | Outputs | Integrity/reputation and image |
|---|---|---|---|---|---|
| Insignificant | Up to $100K | First Aid. Leave of absence. | Loss of service capability for up to half a day. | Up to 1% impact on targets. | Internal impact only. |
| Minor | Up to $500K | Injury to staff. Temporary loss of key staff. | Loss of service capability for up to two days. | Up to 2% impact on targets. | Adverse comments in local press. |
| Medium | Up to $5M | Major injury to staff. Permanent loss of key staff. | Loss of service capability for up to one week. Interruption of four hours during budget. | Up to 5% impact on targets. | Senate Estimates. Other external scrutiny, ANAO, national media. Moderate damage to Finance’s reputation. |
| Major | Up to $20M | Permanent injury to multiple staff. Loss of critical mass of staff. | Loss of service capability for up to one month. Interruption of two days during Budget. Serious medium term business/environmental effects. | Up to 10% impact on targets. | Questions in Parliament. External scrutiny. Serious public, political and/or media outcry. |
| Extreme | Above $100M. | Multiple deaths of staff. Loss of critical mass of key staff. | Loss of service capability for more than one month. Inability to get Budget completed in timeframe. Very serious long term effects on Department’s business. | Greater than 10% impact on targets. | Royal Commission. Judicial inquiry. Other form of Parliamentary inquiry. Possible litigation. Very serious legislative non-compliance. |

The intersection of the likelihood and consequence ratings determines the overall inherent risk rating as shown in the table below.

| Likelihood \ Impact | Extreme | Major | Medium | Minor | Insignificant |
|---|---|---|---|---|---|
| Almost certain | Extreme | Extreme | High | Significant | Moderate |
| Likely | Extreme | High | Significant | Moderate | Low |
| Average | High | High | Significant | Moderate | Low |
| Unlikely | High | Significant | Moderate | Low | Low |
| Rare | Significant | Moderate | Low | Low | Low |

From this, a level of inherent risk can be determined using the table below.

Level of risk Description

Extreme Immediate action required. Move resources from other areas.

High Action required. Prioritise resources to complete as soon as possible.

Significant Action required as soon as resources become available, include as a priority on work plans

Moderate No immediate action required but to be scheduled for action as part of program or business plan.

Low No action required but monitor for worsening of the risk.


We then assess the effectiveness of controls that management have in place to manage the risk according to the table below.

| Control rating | Rating* | Description |
|---|---|---|
| Satisfactory | Excellent | Controls have reduced the level of risk to an acceptable level (designed appropriately). Controls are in operation, applied consistently, documented, communicated and monitored. |
| Satisfactory | Good | Controls have reduced the level of risk to an acceptable level. Controls are in operation, applied consistently, documented, communicated and monitored although minor improvements could be made. |
| Unsatisfactory | Incomplete | Control is designed to only partially address the risk. Control documentation/communication and/or application require improvement. |
| Unsatisfactory | Unsatisfactory | Control is poorly designed and does not fully address the risk. Documentation/communication and/or application need improvement. |
| Unsatisfactory | Poor | Control is poorly designed and does not address the risk. Both control documentation/communication and application need improvement. |

Residual risk is the level of risk faced after considering the controls in place. Residual risks are rated on the same likelihood and consequence/impact ratings as inherent risks above but are then considered in conjunction with the adequacy of controls. Based on the level of residual risk, management can prioritise the allocation of resources to address these risks through mitigating actions or investments in improving controls. It can also identify areas where management should continue to test controls because residual risks are low but, without the controls, inherent risk would be high; that is, areas where controls are critical, as illustrated in the following diagram:

[Diagram: inherent risk rating (Low to Extreme) plotted against control rating (Satisfactory, Unsatisfactory). Regions shown: Control Critical (CC); Active Management, Extreme priority (E); Active Management, High priority (H); Periodic Monitoring, Moderate priority (M); No Major Concern (L).]

CC Control critical - control is adequate but critical due to high inherent risks; continued monitoring of controls required.

E Active management - extreme priority. Controls not adequate; risks exist which require urgent management.

H Active management - high priority. Controls not adequate; requires active management.

M Periodic monitoring - moderate priority. Controls not strong but risk impact is not high. Consider improving control or monitoring to ensure the residual risk rating does not increase over time.

L Low priority. Control is adequate. Consider excess or redundant controls.


Appendix C – CFS Key Controls Framework

The following table describes the risks that are present in the CFS process and the key controls in place addressing each risk. A key control is considered to be one that if absent could significantly affect the completeness, accuracy and validity of the annual CFS reporting process.

CS1 CFS project plan

Risk: The CFS process is performed in an unplanned and unstructured manner potentially leading to:

- timeframes not being met
- poor quality of outcome
- key controls circumvented
- key components of the process incomplete or not undertaken.

Key controls: A project plan is prepared for the annual CFS process which provides a framework around the process, including:

- timeframes
- details of procedures expected to be performed
- allocation of resources and responsibilities
- documentation requirements.

CS2 CFS tracking database

Risk: Communication with agencies is not recorded or followed up on a timely basis. This may hinder Finance’s ability to report on the reporting timeliness statistics required under the BEFR implementation.

Key controls: The preparation team have a database in which they record the dates and details of key communication and file transfer receipt with agencies. This database also keeps a record of which Quality Assurance (QA) checklists have been completed.

Analytical workbooks are also maintained for each agency which includes provision for the storage of all communications with agencies.

CS3 Management exception reporting and oversight

Risk: The CFS creation process and the final statements are not subject to an appropriate level of management review prior to publishing.

Key controls: All statements are reviewed by the Branch Head of the Financial Reporting Branch, the Division Head of the Financial Reporting and Cash Management Division, the General Manager of the Financial Management Group and the CFS Audit Committee prior to publication.

An analysis of movements between the current statements and prior year and budget is also provided to assist management with their review of the draft financial statements.

All journals are signed off by a CFS team member and reviewed by the CFS Manager and Finance Team Leader.

CS4 Succession planning

Risk: The CFS production process is highly manual and complex and therefore relies heavily on individuals with detailed knowledge. Loss of key team members is likely to reduce Finance’s ability to produce the CFS in a timely manner to an acceptable standard.

Key controls: The risk has been identified by management and appropriate measures have been implemented to address the risk going forward including having some redundancy in the team and providing training to a number of staff. Finance has contracted support arrangements to assist in the preparation of current and future CFS.


CS5 Change control over spreadsheet components

Risk: Changes to the CFS spreadsheets are not subject to robust change controls which could lead to inaccurate or unauthorised changes to CFS components such as:

- Chart of Accounts
- Cpack
- Cpack manual
- Shell CFS financial statements
- Excel templates such as the Journal workbook, elimination workbook and the cash flow derivation model.

Key controls: Changes to the chart of accounts in AIMS are subject to change control procedures. These changes would be replicated in the Cpacks to maintain consistency with AIMS.

The process for making changes to the Cpacks is documented.

A list is produced each year during the Chart of Accounts review that identifies which templates in the Cpack will need to be changed for the current year.

A change management system has been implemented which tracks changes in a spreadsheet. Finance management provides approval for each change.

The CFS Audit Committee is advised of changes to the accounting standards, and how this impacts on the CFS, including how the information will be collated.

CS6 Access control

Risk: Unauthorised people can access CFS files on the Treasury and Finance network drives or make changes to the core CFS components.

Key controls: Finance undertakes regular review of the appropriateness of access rights to the Finance CFS network folders.

All Cpacks cells except agency input cells are locked and password protected.

Other CFS components such as the Excel spreadsheets are password protected.

The AIMS system is subject to both smartcard and password controls.

CS7 Version control of spreadsheet systems and templates

Risk: Incorrect versions of core CFS components will be used thereby introducing data inaccuracies into the CFS process.

Key controls: Controls such as directory structures and naming conventions are in place.

A spreadsheet inventory is maintained that describes the purpose, location, current version and dependencies relevant to each spreadsheet component in the system.

CS8 System and procedure documentation

Risk: Robust procedure and system documentation does not exist potentially leading to:

- over-reliance on key team members
- important systems knowledge not being captured within the organisation
- increased difficulty in knowledge transfer to new team members
- increased difficulty in making accurate changes to the system due to lack of documentation of system functionality and linkages.

Key controls: System documentation is maintained, including coverage of the following areas:

- system overview, objective and purpose
- system technical and functional design including dependencies and linkages
- documentation of business rules including detailed formulas, macros and calculations.
- separate user manuals for use of the Cpack and AIMS by agencies.

Process documentation is maintained including coverage of detailed procedure guidelines for all CFS processes.


CS9 Back-up of data and spreadsheets stored on the network

Core data and spreadsheet systems associated with the CFS processes is stored on the Finance network drive. There is a risk that this data and spreadsheet functionality could be lost.

The Finance network drive is backed up on a daily basis. Spreadsheets and data are kept on the Finance network drives.

CS10 ACM extract reconciliation

Cash activity reports generated for each agency do not accurately reflect the agency data in ACM. Therefore agencies are reconciling their own accounts to inaccurate central data.

A reconciliation is performed between the Cash Activity reports and ACM prior to sending the reports to the agencies.

CS11 Cpack submission

The agency data contained in the Cpack is modified or viewed by unauthorised people, intentionally or unintentionally, while in transit.

A process of submitting the Cpack through either AIMS Mail or the use of express post courier is in place to ensure that any classified information is sent by an appropriately secure mechanism.

CS12 Agency input

The agency data received by Finance through the Cpack is inaccurate, incomplete, invalid or subject to unauthorised access.

The Cpack template used to capture agency information has inbuilt controls, including:

- Accounting business rules are enforced prior to submission to Finance through the inbuilt validation checks

- A checklist of quality assurance measures is undertaken to validate agency information

- All non-input cells are locked and password protected in the Cpack.

CS13 AIMS validation

The agency data uploaded by Finance from the Cpack into AIMS is inaccurate, incomplete, invalid or subject to unauthorised access.

Automated AIMS system validation checks are performed when the data is in the temporary holding database called Working Data 1. These validation checks must pass to permit transfer of the data into the Working Data 2 database. Only selected members of the CFS team are authorised to transfer data into Working Data 2. Any outstanding variances are further investigated in the Analytical Workbook (refer ‘CS15 – Accuracy and completeness of AIMS data inputs and outputs’ below).

CS14 Integrity of AIMS data

Working Data 2 is vulnerable to reductions in integrity through invalid data changes or data corruption.

AIMS uses two logically separated databases for current year agency data. These are Working Data 1 and Working Data 2. No changes are made directly to Working Data 2. All changes are first made to Working Data 1 then uploaded to Working Data 2 through the validation checks and authorisation process.


CS15 Accuracy and completeness of AIMS data inputs and outputs

System input/output errors result in discrepancies between the data in the Cpacks and that stored in AIMS Working Data 2. These errors may also cause discrepancies between AIMS and the information extracted from AIMS to the Analytical Workbooks or Column Reports.

A reconciliation is performed between the Analytical Workbooks and the agency’s audited financial statements at the subtotal level.

The Column Report has inbuilt QA checks that identify discrepancies between AIMS and the spreadsheet on a total account basis.

Also, a variance analysis is performed on a line by line basis between the Analytical Workbooks and budget estimates and prior years’ agency data. The Analytical Workbook uses formulas and macros to identify material differences (>$10 million) which are then followed up to determine if misclassifications have occurred.

QA checklists over the CFS process are used to ensure that all processes and related steps for each agency are conducted.

CS16 Official Public Account reconciliation (General Government only)

Agency reported transfers to and from the Official Public Account may not agree to ACM data.

A reconciliation is performed between the ACM report and the agency financial statements.

CS17 Consolidation journals

Consolidation journals are inaccurate, incomplete, invalid or not subject to appropriate approval.

The following controls are in place over consolidation journals:

- a full audit trail is maintained of all adjustments and journals

- all journals are compared to prior year journals for completeness. Checks are in place to establish any additional journals required in the current year

- the sum of consolidation adjustments and journals for each account is reconciled to the adjustment entity in AIMS. The adjustment entities are consolidation entities in AIMS that hold the sum of all consolidation adjustments and journals. They are included in the final aggregation process that is used to produce the consolidated balances

- management review any variances identified by the automated reconciliation between the Journal workbook and the adjustment entity

- all journals are signed off by a CFS team member and reviewed by the CFS Manager and Finance Team Leader.


CS18 Cash flow statement journals

Cash flow statement journals are incomplete, inaccurate, invalid or subject to unauthorised approval.

The following controls are in place over consolidation journals:

- a full audit trail of cash flow journals is maintained in the cash flow derivation workbook

- all journals are compared to prior year journals for completeness. Checks are in place to establish any additional journals required in the current year

- completeness of cash flow journals is validated by creating derived cash flow for each individual agency and checking them against the audited cash flow statement provided by the agency. Missing material cash flow journals will be identified during this process and can be added to the master cash flow statement that is derived from the consolidated operating statement and balance sheet.

CS19 Cash flow statement data

Cash flow statement data is incomplete, inaccurate or invalid.

The master cash flow statement is linked to source data and contains variance checks between the Cash Flow and the Cash Flow reconciliation and relevant notes.

The consolidated cash flow statement is derived from the consolidated operating statement and balance sheet. This statement is then updated for additional cash flow statement journals identified during the check against each agency’s audited cash flow statements.

CS20 Reconciliation of WoG consolidated financial statements

The WoG consolidated financial statements in the Excel spreadsheets do not agree to those stored in AIMS Working Data 2. Variances may be due to system input/output errors.

Balance sheet and operating statements in the master Excel templates are stored in AIMS and retrieved directly into the statements. This information is also retrieved in its disaggregated form from AIMS into individual notes tabs in the spreadsheet. The disaggregated total is reconciled to the total figure in AIMS to ensure that all of the notes are being grossed up into the total.

CS21 Notes to the WoG financial statements

Notes to the WoG financial statements are inaccurate, incomplete or invalid.

The notes to the financial statements are consolidated using the same methodology as consolidation of the face statements. Therefore the key controls are:

- Cpack validations

- AIMS validations

- agreement to agency’s audited financial statements

- management review and authorisation of consolidation journals.

CS22 Narrative notes to the WoG financial statements

Notes to the WoG financial statements are inaccurate, incomplete or invalid.

The narrative notes to the financial statements are consolidated manually. The key control over this process is agreement of the consolidated note to each agency’s audited financial statements by a person independent of the Note 1 consolidation process.

Other narrative notes go through the CFS team’s own three-tier review process.


CS23 CFS publication

The CFS publication may be inaccurate or incomplete.

The CFS publication is independently reconciled to supporting spreadsheets, which include a series of automated quality assurance checks. In addition, manual checks are also conducted. These reviews are conducted at all levels, culminating in a final review by the CFS Audit Committee.

Material movements between the current period and the previous year’s audited data are investigated and explained to the Audit Committee.


Appendix D – Detailed Approach

The following work plan details the steps we will perform in reviewing the systems, processes and controls in preparing the 2008/09 Consolidated Financial Statements.

1. Review existing process maps (documented in 2003) that describe the CFS preparation process.

2. Perform process walkthroughs with relevant Finance staff to reconfirm process flow and the presence of key controls. Based on the content of the 2003 process maps, we will perform our walkthrough on the following processes:

a. Preparation of CFS Plan, CPacks and Templates, including:

i. Chart of Accounts update

ii. CPack update

iii. Preparation of shell financial statements & update Excel templates.

b. Preparation of Agency Cash Activity Reports, including ACM extract to Excel.

c. Validation/QA of GG, PFC and PNFC Annual Statements, including:

i. Upload of CPack and Small Agency statements into AIMS WD1

ii. Validate data through AIMS WD2

iii. Extraction of agency statements from AIMS

iv. Download of AIMS information into Analytical Workbook

v. Reconciliation of workbooks with ACM

vi. QA of Agency Financial Statements.

d. Preparation of GG, PFC and PNFC Consolidated Annual Statements, including:

i. Preparation of consolidation journals

ii. Execution of aggregation scripts to update AIMS WD2

iii. Download of consolidated data from AIMS WD2 into spreadsheets

iv. Download of consolidated data into Cash flow model, review of Analytical

v. Workbooks and preparation of cash flow adjustments

vi. Preparation of cash flow statement

vii. Allocation of elimination by functions in Function Allocation Workbook.

e. Preparation of WoG Annual Statements & Comments, including:

i. Preparation of consolidation journals

ii. Execution of aggregation scripts to update AIMS WD2

iii. Download of consolidated data into Excel spreadsheets

iv. Review of Analytical Workbooks and preparation of cash flow adjustments

v. Preparation of consolidated cash flow statement

vi. Allocation of elimination by functions

vii. Execution of aggregation scripts to update AIMS WD2

viii. Retrieval of functional data and production of AAS31 CFS

ix. Extraction of financial note data from AIMS WD2

x. Preparation of financial and narrative notes.

3. Review the controls map delivered in our 2003/04 review that describes and links the identified controls with the existing CFS preparation process maps. We will update these control maps for changes in processes of key controls made since our 2003/04 review.

a. Execute sample based audit tests (previously developed as part of 2003/04 review) to confirm the effectiveness of controls.

b. Conclude on the effectiveness of controls considered key to the CFS preparation process in the report.


Appendix E – Key personnel interviewed

Name Role

Matthew King Branch Manager, Financial Reporting Branch

Tom Maloney Finance Contractor (KPMG)

Denise Rambow Team Leader, Financial Reporting Branch

Simon Vellnagel-Dunn AIMS System Administrator, FeSG

Shane Jasprizza Finance Contractor (KPMG)

Jenny Morris Finance Contractor (KPMG)


Appendix F – Key documentation reviewed

Document Version Dated Source

CFS Process Diagrams (KPMG) – 26/05/2009 Denise Rambow

CFS 2008-09 Production Plan 1.3 1/06/2009 Denise Rambow

Internal Audit Report – Comment on CFS 2008-09 Production Plan – 22/05/2009 Matthew King

CFS 2008-09 Risk Management Plan 1.1 18/06/2009 Denise Rambow

Internal Audit Report – Comment on CFS 2008-09 Risk Management Plan – 1/06/2009 Matthew King

CFS 2008-09 Qualitative Risk Assessment Matrix – 15/04/2009 Denise Rambow

AIMS User Manual - Table of contents – 12/2003 Denise Rambow

AIMS User Manual - Table of contents (small agencies) – 31/07/2002 Denise Rambow

Secure Remote Access Services (SRAS) User Guide 2.0 16/11/2004 Denise Rambow

File Catalogue - Change Register and File Log 2008-09 – 28/08/2009 Denise Rambow

Change Request Forms (signed) – – Denise Rambow

Spreadsheet Change Register 2008-09 – 14/09/2009 Denise Rambow

2008-09 Chart of Accounts listing report – 9/09/2009 Denise Rambow

2008-09 Revised AIMS Variable Dimensions – – Jenny Morris

Material Agencies CPack Navigation Manual – 22/06/2009 Denise Rambow

CFS Accounting Policies & Procedures 01 to 17 – 29/6/2009 Denise Rambow

Effective Folder Permissions Report (extract) – 15/09/2009 Denise Rambow

QA / Analytical Review Checklist – template – – Denise Rambow

QA / Analytical Review Checklists 2008-09 – ACS (Departmental & Administered), AFP (Departmental & Administered), ASIC (Departmental & Administered), DH&A (Departmental & Administered), DEWHA (Departmental & Administered), DIAC (Departmental & Administered), DPS (Departmental & Administered), DVA (Departmental & Administered), Infrastructure (Departmental & Administered), Medicare Australia (Departmental) – – Jenny Morris

Financial Statement QA Checklist – AFP (Departmental & Administered), AusAID (Departmental & Administered), DFAT (Departmental & Administered), DIAC (Departmental & Administered) – – Jenny Morris

All Agencies ACM Variance Report – – Jenny Morris

Spreadsheet Procedures – – – Jenny Morris


Elimination Journal and Function Allocation 2008-09

Cash Flow Analysis spreadsheet 2008-09

Balanced Journal Spreadsheets AFP (Departmental), AusAID (Departmental & Administered), DFAT (Departmental & Administered), DIAC (Departmental & Administered) – – Jenny Morris

AIMS Primary Statement Validations – ACS (Departmental), AOFM (Departmental), DoFD (Departmental), DPS (Departmental), NLA (Departmental) – – Jenny Morris


Appendix G - Process Maps

We have used CFS process maps provided by the CFS team to summarise the CFS process into 5 flow diagrams by combining the Public Non-Financial Corporations (PNFC), Public Financial Corporations (PFC) and General Government (GG) sector processes into single diagrams. The processes, systems and controls surrounding the PNFC, PFC and GG are essentially the same.

We confirmed the process flow and understanding of key controls through interviews with Shane Jasprizza and Jenny Morris (Finance – contractor). We also interviewed Denise Rambow and Simon Vellnagel-Dunn (Finance) to confirm processes and controls surrounding AIMS.

Audit symbols used in the sub-process diagrams

The symbol on the diagrams refers to a key control that was identified during our work. A key control is any factor that plays an important role in managing risk inherent in the process. The absence or ineffective operation of a key control will give rise to a reportable control weakness. These controls are listed in the sub-process descriptions below and are also described in more detail in Appendix A of this report.

The x symbol indicates an internal audit finding that may be either a control weakness or a process improvement suggestion. Note that one process improvement has been identified in the course of this review.


Phase A – Preparation of core CFS components

[Process flow diagram: Phase A, preparation of core CFS components (CFS Plan, timetable letter to CFOs, annual Chart of Accounts, Cpack and manual, shell financial statements and Excel templates). Markers shown on the diagram: CS1, CS4, CS5, CS6, CS7, CS8, CS9 and one x.]


Summary of Phase A controls

The following table summarises the key controls identified in Phase A, the preparation of core CFS components.

Control reference Control description

CS1 CFS project plan

CS4 Succession planning

CS5 Change control over spreadsheet components

CS6 Access control

CS7 Version control of spreadsheet systems and templates

CS8 System and procedure documentation

CS9 Back-up of data and spreadsheets stored on the network

Summary of findings

No review findings were identified in this process.


Phase B – Preparation of Agency Cash Activity Reports

[Process flow diagram: Phase B, preparation of Agency Cash Activity Reports. ACM receipts, payments and transactions are queried and formatted by agency using the ACM MS Access database.]


Summary of Phase B controls

The following table summarises the key controls identified in Phase B, the preparation of agency cash activity reports.

Control reference Control description

CS10 ACM extract reconciliation

CS16 Official Public Account reconciliation (General Government only)

Summary of findings

No review findings were identified in this process.


Phase C – Validation and quality assurance of annual financial statements

[Process flow diagram: Phase C, validation and quality assurance of annual financial statements. Agency Cpacks are uploaded into AIMS (Actuals) WD1 and authorised, automated system validations are performed, validated statements are held in AIMS (Actuals) WD2, and agency statements are extracted to the Analytical Workbooks, reconciled to ACM and quality assured. Markers shown on the diagram: CS2, CS11, CS12, CS13, CS14, CS15, CS16.]

Summary of Phase C controls

The following table summarises the key controls identified in Phase C, the validation and quality assurance of annual financial statements.

Control reference Control description

CS2 CFS Tracking database

CS11 Cpack submission

CS12 Agency input

CS13 AIMS validation

CS14 Integrity of AIMS data

CS15 Accuracy and completeness of AIMS data inputs and outputs

CS16 Official Public Account reconciliation (General Government only)

Summary of findings

No review findings were identified in this process.


Phase D – Preparation of annual financial statements by sector (GG, PFC, PNFC)

[Process flow diagram: Phase D, preparation of annual financial statements by sector. Preparation of consolidated AASB 1049 tables (including cash flow) from AIMS Actuals, feeding the preparation of WoG annual statements and comments. Markers shown on the diagram: CS3, CS17, CS18, CS19.]

Summary of Phase D controls

The following table summarises the key controls identified in Phase D, preparation of annual financial statements by sector (GG, PFC, PNFC).

Control reference Control description

CS3 Management exception reporting and oversight

CS17 Consolidation journals

CS18 Cash flow statement journals

CS19 Cash flow statement data

Summary of findings

No review findings were identified in this process.


Phase E – Preparation of Whole of Government annual financial statements and commentary

[Process flow diagram: Phase E, preparation of Whole of Government annual financial statements and commentary. Preparation of consolidated AASB 1049 WoG tables, notes to the accounts, and commentary and preface, leading to the CFS publication (aggregate), CFS audit and CFS sign-off. Markers shown on the diagram: CS20, CS21, CS22, CS23.]

Summary of Phase E controls

The following table summarises the key controls identified in Phase E, preparation of Whole of Government annual financial statements and commentary.

Control reference Control description

CS20 Reconciliation of WoG consolidated financial statements

CS21 Notes to the WoG financial statements

CS22 Narrative notes to the WoG financial statements

CS23 CFS publication

Summary of findings

No review findings were identified in this process.
