Results of audit: Internal control systems: chief finance officer (CFO) certifications, internal audit…
Post on 13-Mar-2019


Results of audit: Internal control systems

Report to Parliament 6 : 2013–14

Queensland Audit Office
Location: Level 14, 53 Albert Street, Brisbane Qld 4000
PO Box 15396, City East Qld 4002
Telephone: (07) 3149 6000
Email: qao@qao.qld.gov.au
Online: www.qao.qld.gov.au

© The State of Queensland (Queensland Audit Office) 2013

Copyright protects this publication except for purposes permitted by the Copyright Act 1968. Reproduction by whatever means is prohibited without the prior written permission of the Auditor-General of Queensland. Reference to this document is permitted only with appropriate acknowledgement.

Front cover image is an edited photograph of Queensland Parliament, taken by QAO.

ISSN 1834-1128

Contents

Summary  1
  Conclusions  1
  Findings from selective control testing  1
  Findings about monitoring controls  4
  Recommendations  6
  Reference to comments  6
1. Context  7
  1.1 Internal controls  7
  1.2 Management responsibility  8
  1.3 Audit responsibility  8
  1.4 Structure of the report  10
  1.5 Department acronyms  10
2. Chief finance officer certification  11
  2.1 Context  12
  2.2 Audit objectives  14
  2.3 Conclusions  14
  2.4 Findings summary  14
  2.5 Design  15
  2.6 Application  17
  2.7 Report form and content  20
3. Internal audit  23
  3.1 Background  24
  3.2 Audit objectives  24
  3.3 Conclusions  24
  3.4 Findings summary  25
  3.5 Operating principles  25
  3.6 Resources  26
  3.7 Audit plans  31
  3.8 Performance of internal audit  33
4. Audit committees  37
  4.1 Background  38
  4.2 Audit objectives  39
  4.3 Conclusions  39
  4.4 Findings summary  40
  4.5 Operating principles  40
  4.6 Committee structure  41
  4.7 Key responsibilities  42
  4.8 Proceedings  44
5. Corporate card control  45
  5.1 Background  46
  5.2 Audit objectives  47
  5.3 Conclusions  47
  5.4 Findings summary  47
  5.5 Policies and procedures  48
  5.6 Issue and return  48
  5.7 Acquittal and monitoring  49
  5.8 Effective use  51
Appendices  57
  Appendix A Agency comments  59

Report 6 : 2013–14 | Queensland Audit Office

Summary

Internal financial controls are the structures, organisational capabilities, systems, processes, procedures and activities within an entity that together operate to reduce the risk of fraud and error in financial reports. They do not and cannot eliminate such risks altogether: the cost of attempting to do so would outweigh any benefits in terms of matters such as improving the reliability of the annual financial statements.

The Director-General of each department is responsible for establishing and effectively maintaining adequate financial control throughout the financial year. As the external auditor, we need to consider the internal controls capability of each entity when planning our financial audits. We do this by first evaluating their design and implementation. Depending on the outcome of our initial evaluation, we may then decide also to test the operation of selected financial controls, but only if we consider it efficient and effective to rely on them.

This report summarises the results of our initial control evaluations and of our selective testing of the financial reporting controls that operated within the 20 government departments during the 2012–13 financial year. These departments represent the bulk of the General Government Sector revenues and expenses.

While the controls tested in each department will vary between agencies and years, this year we also considered the control over the use of corporate cards in all departments. The major thrust of the report, however, is the results of our detailed assessment of the three primary mechanisms used by the Director-General of each department to monitor the health of their own internal control frameworks:

- chief finance officer (CFO) certifications
- internal audit activities
- audit committee oversight.

Conclusions

During 2012–13 we continued to identify and report on a range of significant control weaknesses across a number of departments relating to their control environment, information systems and control activities. While the total number of control weaknesses identified has declined, internal control structures are not yet as strong as they need to be for the risk of fraud and material error to be reduced to acceptable levels.

The continuation of relatively high numbers of significant control activity findings also points to weaknesses in the mechanisms for monitoring of controls by departments. Greater attention to strengthening the monitoring of key controls, within a top-down risk approach, will pay dividends by better balancing risk and control: focusing on strengthening those controls that are important and reducing or eliminating unnecessary control.

Findings from selective control testing

Across all departments, excluding issues identified at Queensland Shared Services, we reported 103 high or moderate risk control weaknesses to management during 2012–13, relating to their control environments, control activities and information systems.


Figure A: High or moderate control weaknesses reported to management

Control element        2011–12                 2012–13
                       Departments   Issues    Departments   Issues
Control environment    9             23        8             15
Control activities     8             47        15            66
Information systems    11            67        7             22
Total                                137                     103

Source: QAO

Control environment

The control environment sets the context within which control activities are undertaken. It establishes the control culture and includes matters such as the assignment of authority; the capacity and capability of staff; and the comprehensiveness and currency of the strategies, plans, policies and procedures that guide operations.

While most aspects of the control environment in departments were sound, we observed in eight departments that selected policies and strategies could be improved.

A high risk issue was raised with the Department of Community Safety about the department's corporate card policies and procedures, which are tailored to its routine operations rather than to the management of procurement of essential services in times of major emergency events like cyclones and floods. This is a high risk issue because management of these events is a prime function of the department. Systems need to be designed to enable the procurement of services and goods under these conditions while still retaining individual accountability for transactions incurred. The department is aware of this matter and is taking steps to address it.

The other 14 control environment issues identified during our financial audits were rated as moderate risk. These related primarily to the lack of corporate procurement strategies and of an IT security strategy.

Control activities

Control activities are the checks and balances over financial transactions and other events that operate to prevent fraud or error, or to detect and correct it, should it occur. They include controls such as separating duties that are in potential conflict, like issuing invoices, recording and banking receipts, and providing for doubtful debts. They also include activities like reconciling general ledger accounts to bank statements, and having purchasing officers verify and certify that the goods and services they ordered have been received before another, independent officer approves and pays the supplier.

We identified control activity weaknesses in 15 departments this year (eight last year) relating to various aspects of their accounting and supporting systems and processes.


The major control activity deficiencies we identified were:

- inadequate segregation of key duties across expenditure and payables; employee expenses and benefits; and revenue and receivables. This increases the risk of users having access to two or more functions within a process, which may lead to inappropriate activities such as fraudulent payments or misappropriation.
- lack of evidence of review of reconciliation and verification reports.
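The segregation-of-duties weakness above is something an auditor can test mechanically from a system's access listing. The following is an added example, not code from the QAO report: it takes a constructed user-to-function listing and flags any user holding both sides of a conflicting duty pair within one process (the pairs follow the report's examples; the function names, process labels and users are hypothetical).

```python
"""Segregation-of-duties (SoD) conflict check over user access assignments.

Added example, not from the QAO report: flags users whose access spans two or
more conflicting functions within one financial process, the weakness the
report describes. Function names and the access listing are constructed.
"""
from collections import defaultdict

# Duty pairs one user should not hold together, grouped by process. The pairs
# follow the report's examples (invoicing vs receipting, certifying receipt of
# goods vs approving payment); the names themselves are hypothetical.
CONFLICTS = {
    "expenditure_payables": [("raise_purchase_order", "approve_payment"),
                             ("certify_goods_received", "approve_payment")],
    "revenue_receivables": [("issue_invoice", "record_receipt"),
                            ("record_receipt", "bank_receipt"),
                            ("issue_invoice", "provide_doubtful_debt")],
    "employee_benefits": [("maintain_employee_master", "approve_payroll")],
}

# Constructed access listing: user -> functions granted in the finance system.
ACCESS = {
    "alice": {"raise_purchase_order", "certify_goods_received"},
    "bob": {"certify_goods_received", "approve_payment"},
    "carol": {"issue_invoice", "record_receipt", "bank_receipt"},
    "dave": {"maintain_employee_master"},
}

def sod_conflicts(access, conflicts=CONFLICTS):
    """Return {user: [(process, duty_a, duty_b), ...]} for each conflict held."""
    findings = defaultdict(list)
    for user, funcs in access.items():
        for process, pairs in conflicts.items():
            for a, b in pairs:
                if a in funcs and b in funcs:
                    findings[user].append((process, a, b))
    return dict(findings)

if __name__ == "__main__":
    # Report each conflict as an auditor would list it for management.
    for user, hits in sod_conflicts(ACCESS).items():
        for process, a, b in hits:
            print(f"{user}: holds both '{a}' and '{b}' in {process}")
```

Running the same check against a real access export, with the conflict table agreed with the finance area, gives the evidence of review that the second finding above says was lacking.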

While no high risk issues were identified, which is positive, the increase in the number of moderate-risk rated weaknesses reported to management this year compared to last is cause for some concern. It should be taken as an "early warning" signal that greater attention needs to be paid by management to making sure the controls they have designed and implemented are operating as they intended. As alluded to in last year's internal control report, the turnover and loss of corporate staff, combined with changes in organisation structures, increase the risk that controls will break down. This year's results indicate that this has been the case.

Information systems

Information systems (IS) are integral to a department's internal controls, as they are used to produce financial management information and external reports. Information system controls operate at two levels:

- general controls that relate to the entire information system, such as logical security controls and controls over software development
- application-specific controls over data validation, authorisation, monitoring and reporting, such as in-built edit checks and the automated restriction of access to certain functions only to those with delegated authority.

Together these controls operate to restrict access to systems, data and programs to authorised users, and to properly align their access rights with their authority and responsibility. Without adequate controls, it is difficult to safeguard information against unauthorised use, disclosure or modification, damage or loss, and the integrity of t...
