Audit Service Provider Briefing

Portside Conference Centre
19 February 2019

Agenda

Item Time

Welcome 9:30am

Address by the Deputy Auditor-General

Lessons learnt and Government reporting and compliance developments

Morning tea 10:30am

Audit oversight – key changes

Key contract requirements

Data analytics and innovation

Information Security and data breaches

Other business

Close workshop / Lunch 12:30pm

Agenda – Local Government Session

Item Time

• Local Government IS audit strategy
• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance audits

1:30pm

Close workshop 3:00pm

Address by the Deputy Auditor-General

Ian Goodwin, Deputy Auditor-General

Reflections on 2017‐18

Progress on 2017-2020 corporate plan – strategic objectives

Our activity is driven by our Corporate Plan, which includes six strategic initiatives:

• local government
• influencing for impact
• reporting process
• working better, working together
• data analytics
• technology and process innovation

Working better, working together

This initiative is focused on defining what our work will look like into the future, what capabilities we require and the culture and conditions we need to create.

Lessons learnt and Government reporting and compliance developments

David Daniels, Director Financial Audit

Karen Taylor, Director Financial Audit

Contents

• Lessons learned from prior audits
• Prior period error themes
• Asset revaluation considerations
• Monitoring review findings

• Government Reporting and Compliance Developments
• Mandatory early close procedures
• Government Sector Finance Reforms
• NSW Cyber Security Policy

Lessons learnt

Prior period error themes

• There were 40 prior period errors for 30 June 2018 audits
• Key financial statement line items impacted:

Common causes of prior period errors

• Valuation and record keeping of physical assets:
o management assessed the asset could not be measured reliably
o errors in comprehensive revaluations
o assets not carried at fair value
o accuracy and completeness of asset registers

• Incorrect discount rates to measure provisions under AASB 137

Asset revaluations

Important matters to consider:

Starting out
• Early engagement with all stakeholders including auditors

Management’s role
• Start revaluations early
• Compare pre and post valuation results on an individual basis. Document explanations from the valuer for significant / unusual changes

Asset revaluations

Using experts
• Documented Terms of engagement clearly detailing the valuation methodology
• Valuation report should detail key assumptions, valuation approach adopted, how use of relevant observable inputs is maximised

Intervening years
• Revaluations performed with sufficient regularity to ensure carrying values reflect fair value.

Communication
• Management meets regularly with auditors to discuss progress and outcomes

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:
• Response to identified ITGC deficiencies, arising from:
o application and database security configurations
o privileged user access

• In addition to reporting the deficiencies in the management letter, need to respond by:
o assessing the risk and likelihood of exploitation of those risks
o impact on the audit approach and resulting procedures to target assessed risk

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:
• ASA 315 requires an understanding of the information system, including the business processes, relevant to the financial reporting, including:
o classes of transactions
o transaction process flows
o month and year end close processes
o related controls.

• Adopting a purely substantive audit approach doesn’t mean we can opt-out of ASA 315

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:
• For journals testing, teams should:
o understand the types of journals, including automated journals and rationale for its exclusion
o document and evaluate controls
o ensure the population of journals is complete
o respond to issues identified e.g. segregation of duties in the system, privileged user access
o apply appropriate filters
o sort down
o test the selection
o perform update testing

Government reporting and compliance developments

Mandatory early close procedures

• Contained in TC19-01
• Applies to all NSW public sector entities including State Owned Corporations (SOCs)
• Agencies should engage early with the Audit Office to confirm the nature and timing of procedures to be performed

31 May

Audit Office provides observations and feedback on early close procedures to the agency

23 April

Agency provides results to the Audit Office and Treasury

31 March

Agency performs all early close procedures in Appendix B

2018-19 Asset revaluation timetable

• Applies to NSW public sector entities, including SOCs
• Applies to assets:
o requiring comprehensive valuations
o not currently recorded as they do not meet the reliably measurable criteria

23 April

Agency provides final valuation report with management’s review report.

January

Agency provides listing & position paper on assets not recorded in financial statements.

Agency mandatory deliverables to the Audit Office

Treasury mandates circular

• Mandates the options agencies must apply when Australian Accounting Standards allow certain accounting policy choices

• Applies to all entities that prepare general purpose financial statements under the Public Finance and Audit Act 1983, including SOCs

• Likely key changes:
o includes new mandates under AASB 9 and AASB 15 (for-profit entities)
o updates the list of Standards issued but not yet effective.

Government Sector Finance reforms

• Formerly known as the Public Finance and Audit Act 1983

• Addresses the audit of government sector finances and governance of the Public Accounts Committee

• Recognises the independence of the Auditor-General and the Audit Office.

• Will become effective for the 2019/20 financial year

Government Sector Audit Act 1983 (GSA Act)

Government Sector Finance Act 2018 (GSF Act)

• New framework for government sector financial and resource management

• Aims to simplify and modernise agency management, responsibility and accountability, financial reporting, governance and performance

• Movement to a principle based approach

• Became law in November 2018. Elements of the Act came into force from 1 December. For example, expenditure, delegations, financial arrangements and performance information

• The financial reporting, audit and annual reporting elements of the Act have not yet come into force. They are proposed to commence progressively from the 2019/20 financial year (inclusive)

GSF Act – key reforms

• Information sharing: Treasurer and Ministers can request information held by agencies relevant to resource allocation to facilitate better informed budget and State financial management decisions

• Performance Information: Treasurer authorised to give directions on performance information agencies are required to keep. This reform supports outcome budgeting

• Clusters: Cluster Ministers can access relevant agency financial and non-financial information. The reforms also codify the Cluster Minister’s authority to set terms and conditions on spending from appropriations when delegating the power to agencies

• Delegations: Broader range of responsibilities and powers can be delegated (and sub-delegated) than is permitted under the existing framework

Further information on the reforms is available on NSW Treasury’s website:

https://www.treasury.nsw.gov.au/budget-financial-management/reform/government-sector-finance-act-2018-0

NSW Cyber security policy

• Must be adopted by all NSW Public Service Agencies from 1 February 2019

• Recommended adoption by SOCs, local councils and universities

• Introduces new mandatory cyber security requirements

• Requires agencies to provide a cyber security attestation in their annual reports

Questions?

Morning Tea 10:30 – 11:00am

Audit Oversight – Key Changes

Karen Taylor, Director Financial Audit

New Audit Oversight Approach

• Commencing for the 2018-19 cycle

• Reduction in duplication and number of forms

• Improved efficiency - timeliness of review and lower administration costs

• More focus on risk areas

Previous Audit Engagement Approach

Audit planning

Deliverables

• Form A: Audit planning
• Form C: Calendar of events
• Drafted Audit Engagement Plan

Audit execution

Deliverables

Drafted:
• Management Letter(s)
• Letter of Observations on Early Close

Audit completion

Deliverables

Drafted:
• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Form B: Audit completion and recommend opinion

New Audit Engagement Approach

Audit planning

Deliverables

• Progressive involvement record
• Drafted Annual Engagement Plan

Audit execution

Deliverables

Drafted:
• Management Letter(s)
• Letter of Observations on Early Close

Audit completion

Deliverables

Drafted:
• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Progressive involvement record
• ASP Representation Letter

Allocation of Audit Office Directors

Tracking Deliverables

• Internal audit recommendation

• Actual vs target dates will be tracked for key deliverables
o Annual Engagement Plan
o Management Letters
o Key forms and reports
o Audit file backup

Expectations for the 2018-19 Audit Cycle

• Timing of key deliverables

• Communications protocols

• Roles and responsibilities

Independent Commission Against Corruption

• First report on corruption and integrity in the NSW Public Sector released 4 December 2018

• Risks identified by the report

o Blurred lines between government non-government sectors

o Poorly managed organisational change

o Rules can unintentionally encourage corrupt conduct

New Accounting Standards

AASB 9 ‘Financial Instruments’

AASB 15 ‘Revenue from Contracts with Customers’ (for-profit agencies)

AASB 16 ‘Leases’

AASB 1058 ‘Income of Not-for-Profit Entities’

AASB 15 ‘Revenue from Contracts with Customers’ (not-for-profit agencies)

KEY DATES: 30 JUNE 2018, 30 JUNE 2019, 30 JUNE 2020

Working together

Key contract requirements

Peter Coulogeorgiou, Chief Financial Officer

Contracting out audits - why we do it

• tap into expertise in the marketplace

• to learn and benchmark what we do

• promote innovation

• cost effectiveness

• help meet statutory deadlines

• drive efficiency and productivity gains

• manage risks

What do we want to achieve from these arrangements?

• True, long-term partnerships

• Partnerships that contribute towards the Audit Office’s vision

• Partnerships that deliver high quality audits the public expect from an Auditor-General

• Work practices that align with the Audit Office’s Corporate Plan, strategic initiatives and operating principles

Changes to standard agreement – September 2018

ASP agreement

• ASPs to attend key meetings (clauses 10.3 and 10.4)
• Compliance with ASP manual (clause 7.2(f))
• ASP representation letter (clause 10.8(a))
• Access to quality monitoring records (clause 11.8)
• WHS obligations (clause 14.4)
• Contribute AG report content (clause 10.8(d))

General expectations

• Recognise and promote the Auditor-General as the appointed auditor

• Understand and act in a way that is consistent with the principles set out in the Audit Office’s:
o Audit and Assurance policies
o Governance policies

• Observe ethical standards and professional independence requirements including APES 110 ‘Code of Ethics for Professional Accountants’

• Obtain the Auditor-General’s written approval to provide any other service

• Comply with the Audit Office’s Gifts, Benefits and Hospitality policy.

Additional Services

• Written approval required

• Form available on our website at:

• https://www.audit.nsw.gov.au/work-with-us/audit-service-providers/resources-for-audit-service-providers

• Separate forms for audit related and non-audit related services

• Important to address the independence threats in the context of APES 110

Admin/reporting requirements

• Invoices need to include a purchase order reference number

• Invoices must separately show disbursements e.g. travel costs

• Invoices should be emailed to the finance team at [email protected]

• The Audit Office must support additional recoveries by ASPs

• Firms must notify us of use of subcontractors (clause 7.15)

• Firms must notify us of any cancellation of workers compensation cover (clause 14.3)

• Firms must notify us immediately should a conflict of interest or the risk of a conflict of interest arise

• Firms must notify us immediately where a partner is the subject of disciplinary action

Performance Monitoring

• We are redeveloping our existing performance framework

• Expect to release an update to previous ‘Form D’ before 30 June 2019

• Performance evaluation will include:
o Timeliness – audits and reporting to the Audit Office
o Audit quality
o Quality of reporting
o Communication and relationships
o Innovation

Performance framework

• ASP annual workshop (Feb)
• Mid-year performance check-in (May-June)
• Mid-year ASP Workshop (if required) (May-June)
• Formal performance review – post audit (Oct-Dec)
• Quality monitoring program (Dec-Feb)

Future opportunities to work for the Auditor-General and Audit Office

• 20 audits currently contracted out expire at the end of the 30 June 2019 and 31 December 2019 audit cycles

• We will be evaluating our audit portfolio in the coming months to determine whether the audits remain contracted out or come in-house. We will also look at the audits we currently do in-house.

Questions?

Data analytics and innovation

Chris Clayton, Executive Director, Quality and Innovation

Innovation

Our insights inform and challenge government to improve outcomes for citizens to help parliament hold government accountable for its use of public resources

Our vision

To develop dynamic and new approaches that create relevant insights and valuable outcomes for our stakeholders

Our innovation ambition

Our innovation objectives

Internal

More efficient
• Become time efficient to free up capacity
• Invest time in planning and challenge last year’s approach
• Rebalance time from low to high risk areas

More effective
• Nurture cross-team sharing
• Continue a high degree of assurance
• Shift from substantive based to controls based

External

Better experience
• Collaborate with clients to plan the audit
• Allow our talent to flourish and realise their potential

More insights
• Provide points for parliament to focus on
• Create insights for agencies to increase their impact

Process Output

Innovation capability
• Structures to support and nourish innovation
• Empower people to innovate
• Invest for the future and improve in the now

Our innovation roadmap

Innovation capability to foster and realise new ideas

Collaboration culture to unleash the capability of our people

Data and technology to enable insight driven audits

Planning and approach to focus and rebalance

Defining the foundations

0 – 18 months

Changing the way we work

18 – 36 months

Building the future

36 + months

Our innovation mindset

Investment focus

• People and capability
• Process
• Data and technology

Quality and risk appetite

Data and Analytics

Strategic Intent

Our strategic intent with our data initiative is to deliver more effective audits with improved assurance that generate reportable insights.

Use of Data on Financial Audits – 2021

Continuous Financial Statement auditing

Automation of testing

Big Data

Data Visualisation

Curate and standardise data collection and basic analysis (risk assessment)

Standardisation and centralisation of collection and curation + embedding basic data analytics

Data rich visualisations in reports + visualisation to support audit planning risk assessment

Leveraging open source and operational data sets on audits

Automating substantive and control procedures

Conducting continuous audit procedures over automated flow of data

Use of Data on Performance Audits – 2021

Unstructured Data

Data Visualisation

Dedicated data team involved in all scoping

Data rich visualisations in reports + opportunities for readers to engage in underlying report data

Involvement of Data & Analytics Team to identify and capitalise on data opportunities

Use of unstructured data mining to harvest all relevant agency data + improved environmental scanning

Information security and data breaches

Sean Bryceland, Chief Information Officer

Loss of confidential information (including client and personal staff information) and integrity resulting in legal or regulatory breaches, unable to continue business or reputational damage.

Our strategic risk

Our data security journey

ISMS Policy Refresh

Information Security Policy

Third Party Security Policy

Security Incident Handling Policy

Data Breach Protection

Infrastructure Managed Service

Data Breach Management Policy

AI supported recipient verification

Third Party Assessments

Software as a Service (SaaS) risk assessments

Self‐Service Security Assessments

Our Data Breach Management Approach

Data breach discovered or suspected

• Contain the Breach
• Notify the Deputy Auditor‐General
• Response coordinator identified
• Evaluate associated risks
• Consider notifying affected individuals/organisations
• Prevent a repeat

ASPs should consider seeking independent legal advice on their liability under the Privacy Act 1988 (Cth). ASPs must also be aware of their responsibility to comply with the secrecy provisions in section 38 of the Public Finance and Audit Act 1983.

ASPs, on discovery of a breach related to data collected on behalf of the Audit Office, must immediately contact [email protected].

ASP Data Breach Notification

The following principles are recognised as fundamental to ensuring relationships with third parties support the Audit Office requirements for the security of its data:

• Audit Office information shall be protected in accordance with applicable laws

• formal agreements shall be used to manage all third party arrangements

• responsibility for protecting Audit Office information ultimately resides with the Audit Office

• third party management is an ongoing process throughout the relationship.

Third Party Security Policy: Principles

Self Assessment

• The new self assessment questionnaire for ASPs will soon be issued

• It helps the Audit Office to identify any shared areas of risk in line with our Third Party Security Policy and our Information Security Management System (ISMS)

• It will take about 1 hour to complete

Self Assessment System

Other business

Lunch

Local Government Session commences: 1:30pm

Local Government Session

Gerry Coy, Director, Information Systems Audit

Principles

The fundamentals of our approach to audits should be consistent across the sector:

• within each sector e.g. Metro/Regionals/Rural Councils
• regardless of resourcing arrangements e.g. in-house/CAAs

This will drive the quality of our audits and the value of our insights. A single workstream feeding two products – audit opinions and the AG’s report.

Area: Control areas for Councils – FY19

Governance
• Policy framework & currency of policies
• Management and reporting to business of IT Risks and Incidents

Access to Programs & Data
• Starters/Transfers/Leavers
• User Access Reviews
• Managing & monitoring privileged user activity
• Unique user IDs
• Passwords

Program Change
• Approval of changes
• Testing of changes
• Segregation of Duties between promoting change to PROD and developing/initiating change

Computer Operation
• Disaster Recovery Planning

Nature of work

Design effectiveness assessed per ASA 315?

Operating effectiveness assessed?: Potentially (for each control area)

Rationale

As per ASA 315:“In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT”.

Given the pervasive nature of IT and its importance to the financial reporting process, all entities should therefore have these IT control activities (or similar) in place and they are relevant to the audit (regardless of approach).

As such, a design effectiveness assessment should be performed over these controls “by performing procedures in addition to enquiry of the entity’s personnel”, as per ASA 315, for all audit relevant systems.

Key points

• Outcomes of design effectiveness testing must be reported to the Audit Office Local Government team
• Design effectiveness weaknesses must be reported in management letters
• All decisions to test operating effectiveness are at the discretion of the audit team.

2018–19: Local Government IT strategy

Example of Issue

No formal IT Security policy

The Council does not have a formal IT Security policy.

An IT Security policy sets out the Council’s security requirements for digital information. The policy and supporting procedure documents provide guidelines for both standard user and privileged access management.

Inadequate reporting of IT risks & incidents to management

The Council has no formal process in place to ensure that known and emerging IT risks and issues are regularly communicated to senior management (i.e. outside of the IT department).

For example, our audit found that the operating system hosting the general ledger has passed end-of-life support. The associated risks this brings were not communicated to management and those charged with governance.

Example of Issue

User access provisioning process needs to be enhancedOur audit identified that [insert number] users were granted access to council systems where no evidence of appropriate prior approval could be provided.

Untimely access removalThe Council has no formal controls in place to ensure that user account privileges for financially relevant systems are removed when no longer required.

Periodic user access review process needs to be formalised.User access review is a key management control ensuring currency (accounts belong to staff currently employed) and appropriateness of user access on the business applications. There is no formal and periodic process to review users with access to financially relevant systems.

Privileged user key activities should be recorded and reviewedOur review of IT access controls identified that while audit logs of privileged IT access activities within the system are maintained and secured from amendment, they are not reviewed.

Unsupervised use of generic user accountsDuring our audit, we noted that when posting manual journals, [insert number] finance staff could access the general ledger system using a shared user account. All actions performed using this user account are logged but not reviewed.

Insufficient password configuration

Our audit identified that general ledger password parameters did not comply with the Council’s IT Security policy or good practice guidelines. The following settings are not enforced:
• maximum password age
• minimum password age
• password history
• number of unsuccessful login attempts.


Program change management requires improvement

Our audit noted that there is no formal procedure to ensure that all changes made to [insert name of system] are subject to appropriate testing and approval prior to implementation.

For a sample change selected, management could not provide any supporting documentation as evidence that changes to [insert name of system] were appropriately tested and approved prior to being implemented.

Segregation of duties needs to be implemented in the program change management process

Our audit noted that a member of the IT team responsible for developing changes to the general ledger system can migrate their own changes from the [development/test] environments to the production environment with no intervention or oversight from other users.


Disaster recovery plan should be formalised and tested

Council’s Information Technology Disaster Recovery Plan (DRP) has not been reviewed or tested since 2012.


Local Government Session

Lawrissa Chan
Director, Financial Audit

Agenda – Local Government Session

Item / Time

1:30pm
• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government IS audit strategy
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance audits

Close workshop 3:00pm


Roundtable: Topics for discussion

• Debrief 2017–18 audits / council feedback

• Key areas of focus for 2018–19 audits

• Sector accounting issues

• Audit methodology / audit approach

• IT audit

• Audit fees

• Report to Parliament

• Performance audits

• Joint Organisations

2018–19: Key areas of focus

• Quality and timeliness of financial reporting

• Information Technology General Controls

• Crown Land

• IPP&E: Asset valuations & fair value assessments

• New Accounting standards

• Credit cards

Annual Engagement Plans are due: 28 February 2019


Questions?