19/02/2019
1
Audit Service Provider Briefing
Portside Conference Centre, 19 February 2019
Agenda (item – time)
• Welcome – 9:30am
• Address by the Deputy Auditor-General
• Lessons learnt and Government reporting and compliance developments
• Morning tea – 10:30am
• Audit oversight – key changes
• Key contract requirements
• Data analytics and innovation
• Information Security and data breaches
• Other business
• Close workshop / Lunch – 12:30pm
Agenda – Local Government Session (1:30pm)
• Local Government IS audit strategy
• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance audits
Close workshop – 3:00pm
Address by the Deputy Auditor-General
Ian Goodwin, Deputy Auditor-General
Reflections on 2017-18
Progress on 2017-2020 corporate plan – strategic objectives
Our activity is driven by our Corporate Plan, which includes six strategic initiatives:
• local government
• influencing for impact
• reporting process
• working better, working together
• data analytics
• technology and process innovation
Working better, working together
This initiative is focused on defining what our work will look like into the future, what capabilities we require and the culture and conditions we need to create.
Lessons learnt and Government reporting and compliance developments
David Daniels, Director Financial Audit
Karen Taylor, Director Financial Audit
Contents
• Lessons learned from prior audits
o Prior period error themes
o Asset revaluation considerations
o Monitoring review findings
• Government Reporting and Compliance Developments
o Mandatory early close procedures
o Government Sector Finance Reforms
o NSW Cyber Security Policy
Lessons learnt
Prior period error themes
• There were 40 prior period errors for 30 June 2018 audits
• Key financial statement line items impacted:
Common causes of prior period errors
• Valuation and record keeping of physical assets:
o management assessed the asset could not be measured reliably
o errors in comprehensive revaluations
o assets not carried at fair value
o accuracy and completeness of asset registers
• Incorrect discount rates to measure provisions under AASB 137
Asset revaluations
Important matters to consider:
Starting out
• Early engagement with all stakeholders including auditors
Management’s role
• Start revaluations early
• Compare pre and post valuation results on an individual basis. Document explanations from the valuer for significant / unusual changes
Using experts
• Documented terms of engagement clearly detailing the valuation methodology
• Valuation report should detail key assumptions, valuation approach adopted, how use of relevant observable inputs is maximised
Intervening years
• Revaluations performed with sufficient regularity to ensure carrying values reflect fair value.
Communication
• Management meets regularly with auditors to discuss progress and outcomes
Monitoring review findings (for year ending 30 June 2017)
Systemic findings across both inhouse and ASP audit files:
• Response to identified ITGC deficiencies, arising from:
o application and database security configurations
o privileged user access
• In addition to reporting the deficiencies in the management letter, need to respond by:
o assessing the risk and likelihood of exploitation of those risks
o impact on the audit approach and resulting procedures to target assessed risk
• ASA 315 requires an understanding of the information system, including the business processes, relevant to the financial reporting, including:
o classes of transactions
o transaction process flows
o month and year end close processes
o related controls.
• Adopting a purely substantive audit approach doesn’t mean we can opt-out of ASA 315
Monitoring review findings (for year ending 30 June 2017)
Systemic findings across both inhouse and ASP audit files:
• For journals testing, teams should:
o understand the types of journals, including automated journals and the rationale for their exclusion
o document and evaluate controls
o ensure the population of journals is complete
o respond to issues identified e.g. segregation of duties in the system, privileged user access
o apply appropriate filters
o sort down
o test the selection
o perform update testing
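The journals-testing steps above, worked as an added example (code written for this summary, not Audit Office methodology or code; the journal population, user names and GL control total are constructed):

```python
"""Journal entry testing helper: an added example, not Audit Office code.

Walks the steps listed above over a constructed population: exclude
automated journals (documenting why), confirm the population is complete
against the GL control total, flag segregation-of-duties and privileged-user
postings, sort down by size and select the items to test.
"""
from collections import namedtuple
from datetime import date

Journal = namedtuple("Journal", "id posted_by approved_by source amount posted_on")

# Constructed sample population (not real council or agency data).
JOURNALS = [
    Journal("J001", "abrown", "cgreen", "manual", 12500.00, date(2018, 6, 28)),
    Journal("J002", "abrown", "abrown", "manual", 48000.00, date(2018, 6, 29)),
    Journal("J003", "system", "", "automated", 300.25, date(2018, 6, 30)),
    Journal("J004", "itadmin", "cgreen", "manual", 9000.00, date(2018, 6, 27)),
    Journal("J005", "dwhite", "cgreen", "manual", 100000.00, date(2018, 6, 23)),
]
PRIVILEGED_USERS = {"itadmin"}          # IT/privileged accounts (constructed)
GL_MOVEMENT_TOTAL = 169800.25           # constructed control total from the GL
EXCLUSION_RATIONALE = {                 # documented reason for excluding a source
    "automated": "system-generated postings tested through the relevant ITGCs"
}


def is_complete(journals, control_total, tolerance=0.01):
    """Completeness: the extracted population must reconcile to the GL total."""
    return abs(sum(j.amount for j in journals) - control_total) <= tolerance


def risk_flags(journal):
    """Filters that respond to the issues named above (SoD, privileged access)."""
    flags = []
    if journal.source == "manual" and journal.posted_by == journal.approved_by:
        flags.append("sod")            # same person prepared and approved
    if journal.posted_by in PRIVILEGED_USERS:
        flags.append("privileged")     # privileged/IT account posting journals
    if journal.posted_on.weekday() >= 5:
        flags.append("weekend")        # posted outside normal working days
    if journal.amount >= 1000 and journal.amount % 1000 == 0:
        flags.append("round")          # round amounts attract attention
    return flags


def select_for_testing(journals, top_n=2):
    """Apply the filters, sort down by absolute amount and build the selection."""
    manual = [j for j in journals if j.source not in EXCLUSION_RATIONALE]
    flagged = {j.id: risk_flags(j) for j in manual if risk_flags(j)}
    sorted_down = sorted(manual, key=lambda j: abs(j.amount), reverse=True)
    largest = [j.id for j in sorted_down[:top_n]]
    return {
        "excluded": {j.id: EXCLUSION_RATIONALE[j.source]
                     for j in journals if j.source in EXCLUSION_RATIONALE},
        "flagged": flagged,
        "largest": largest,
        "selection": sorted(set(flagged) | set(largest)),
    }


if __name__ == "__main__":
    print("population complete:", is_complete(JOURNALS, GL_MOVEMENT_TOTAL))
    for key, value in select_for_testing(JOURNALS).items():
        print(f"{key}: {value}")
```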
Government reporting and compliance developments
Mandatory early close procedures
• Contained in TC19-01
• Applies to all NSW public sector entities including State Owned Corporations (SOCs)
• Agencies should engage early with the Audit Office to confirm the nature and timing of procedures to be performed
Timetable:
• 31 March – Agency performs all early close procedures in Appendix B
• 23 April – Agency provides results to the Audit Office and Treasury
• 31 May – Audit Office provides observations and feedback on early close procedures to the agency
2018-19 Asset revaluation timetable
• Applies to NSW public sector entities, including SOCs
• Applies to assets:
o requiring comprehensive valuations
o not currently recorded as they do not meet the reliably measurable criteria
Agency mandatory deliverables to the Audit Office:
• January – Agency provides listing & position paper on assets not recorded in financial statements.
• 23 April – Agency provides final valuation report with management’s review report.
Treasury mandates circular
• Mandates the options agencies must apply when Australian Accounting Standards allow certain accounting policy choices
• Applies to all entities that prepare general purpose financial statements under the Public Finance and Audit Act 1983, including SOCs
• Likely key changes:
o includes new mandates under AASB 9 and AASB 15 (for-profit entities)
o updates the list of Standards issued but not yet effective.
Government Sector Finance reforms
Government Sector Audit Act 1983 (GSA Act)
• Formerly known as the Public Finance and Audit Act 1983
• Addresses the audit of government sector finances and governance of the Public Accounts Committee
• Recognises the independence of the Auditor-General and the Audit Office.
• Will become effective for the 2019/20 financial year
Government Sector Finance Act 2018 (GSF Act)
• New framework for government sector financial and resource management
• Aims to simplify and modernise agency management, responsibility and accountability, financial reporting, governance and performance
• Movement to a principle based approach
• Became law in November 2018. Elements of the Act came into force from 1 December. For example, expenditure, delegations, financial arrangements and performance information
• The financial reporting, audit and annual reporting elements of the Act have not yet come into force. They are proposed to commence progressively from the 2019/20 financial year (inclusive)
GSF Act – key reforms
• Information sharing: Treasurer and Ministers can request information held by agencies relevant to resource allocation to facilitate better informed budget and State financial management decisions
• Performance Information: Treasurer authorised to give directions on performance information agencies are required to keep. This reform supports outcome budgeting
• Clusters: Cluster Ministers can access relevant agency financial and non-financial information. The reforms also codify the Cluster Minister’s authority to set terms and conditions on spending from appropriations when delegating the power to agencies
• Delegations: Broader range of responsibilities and powers can be delegated (and sub-delegated) than is permitted under the existing framework
Further information on the reforms is available on NSW Treasury’s website:
https://www.treasury.nsw.gov.au/budget-financial-management/reform/government-sector-finance-act-2018-0
NSW Cyber security policy
• Must be adopted by all NSW Public Service Agencies from 1 February 2019
• Recommended adoption by SOCs, local councils and universities
• Introduces new mandatory cyber security requirements
• Requires agencies to provide a cyber security attestation in their annual reports
Questions?
Morning Tea 10:30 – 11:00am
Audit Oversight – Key Changes
Karen Taylor, Director Financial Audit
New Audit Oversight Approach
• Commencing for the 2018-19 cycle
• Reduction in duplication and number of forms
• Improved efficiency - timeliness of review and lower administration costs
• More focus on risk areas
Previous Audit Engagement Approach
Audit planning – deliverables:
• Form A: Audit planning
• Form C: Calendar of events
• Drafted Audit Engagement Plan
Audit execution – deliverables (drafted):
• Management Letter(s)
• Letter of Observations on Early Close
Audit completion – deliverables (drafted):
• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Form B: Audit completion and recommend opinion
New Audit Engagement Approach
Audit planning – deliverables:
• Progressive involvement record
• Drafted Annual Engagement Plan
Audit execution – deliverables (drafted):
• Management Letter(s)
• Letter of Observations on Early Close
Audit completion – deliverables (drafted):
• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Progressive involvement record
• ASP Representation Letter
Allocation of Audit Office Directors
Tracking Deliverables
• Internal audit recommendation
• Actual vs target dates will be tracked for key deliverables:
o Annual Engagement Plan
o Management Letters
o Key forms and reports
o Audit file backup
Expectations for the 2018-19 Audit Cycle
• Timing of key deliverables
• Communications protocols
• Roles and responsibilities
Independent Commission Against Corruption
• First report on corruption and integrity in the NSW Public Sector released 4 December 2018
• Risks identified by the report
o Blurred lines between government and non-government sectors
o Poorly managed organisational change
o Rules can unintentionally encourage corrupt conduct
New Accounting Standards
Key dates (timeline from 30 June 2018):
• 30 June 2019: AASB 9 ‘Financial Instruments’; AASB 15 ‘Revenue from Contracts with Customers’ (for-profit agencies)
• 30 June 2020: AASB 16 ‘Leases’; AASB 1058 ‘Income of Not-for-Profit Entities’; AASB 15 ‘Revenue from Contracts with Customers’ (not-for-profit agencies)
Working together
Key contract requirements
Peter Coulogeorgiou, Chief Financial Officer
Contracting out audits – why we do it
• tap into expertise in the marketplace
• to learn and benchmark what we do
• promote innovation
• cost effectiveness
• help meet statutory deadlines
• drive efficiency and productivity gains
• manage risks
What do we want to achieve from these arrangements?
• True, long-term partnerships
• Partnerships that contribute towards the Audit Office’s vision
• Partnerships that deliver high quality audits the public expect from an Auditor-General
• Work practices that align with the Audit Office’s Corporate Plan, strategic initiatives and operating principles
Changes to standard agreement – September 2018
ASP agreement:
• ASPs to attend key meetings (clauses 10.3 and 10.4)
• Compliance with ASP manual (clause 7.2(f))
• ASP representation letter (clause 10.8(a))
• Access to quality monitoring records (clause 11.8)
• WHS obligations (clause 14.4)
• Contribute AG report content (clause 10.8(d))
General expectations
• Recognise and promote the Auditor-General as the appointed auditor
• Understand and act in a way that is consistent with the principles set out in the Audit Office’s:
o Audit and Assurance policies
o Governance policies
• Observe ethical standards and professional independence requirements including APES 110 ‘Code of Ethics for Professional Accountants’
• Obtain the Auditor-General’s written approval to provide any other service
• Comply with the Audit Office’s Gifts, Benefits and Hospitality policy.
Additional Services
• Written approval required
• Form available on our website at:
• https://www.audit.nsw.gov.au/work-with-us/audit-service-providers/resources-for-audit-service-providers
• Separate forms for audit related and non-audit related services
• Important to address the independence threats in the context of APES 110
Admin/reporting requirements
• Invoices need to include a purchase order reference number
• Invoices must separately show disbursements e.g. travel costs
• Invoices should be emailed to the finance team at
• The Audit Office must support additional recoveries by ASPs
• Firms must notify us of use of subcontractors (clause 7.15)
• Firms must notify us of any cancellation of workers compensation cover (clause 14.3)
• Firms must notify us immediately should a conflict of interest or the risk of a conflict of interest arise
• Firms must notify us immediately where a partner is the subject of disciplinary action
Performance Monitoring
• We are redeveloping our existing performance framework
• Expect to release an update to previous ‘Form D’ before 30 June 2019
• Performance evaluation will include:
o Timeliness – audits and reporting to the Audit Office
o Audit quality
o Quality of reporting
o Communication and relationships
o Innovation
Performance framework (annual cycle):
• ASP annual workshop (Feb)
• Mid-year performance check-in (May-June)
• Mid-year ASP Workshop, if required (May-June)
• Formal performance review – post audit (Oct-Dec)
• Quality monitoring program (Dec-Feb)
Future opportunities to work for the Auditor-General and Audit Office
• 20 audits currently contracted out expire at the end of the 30 June 2019 and 31 December 2019 audit cycles
• We will be evaluating our audit portfolio in the coming months to determine whether the audits remain contracted out or come in-house. We will also look at the audits we currently do in-house.
Questions?
Data analytics and innovation
Chris Clayton, Executive Director, Quality and Innovation
Innovation
Our vision
Our insights inform and challenge government to improve outcomes for citizens to help parliament hold government accountable for its use of public resources
Our innovation ambition
To develop dynamic and new approaches that create relevant insights and valuable outcomes for our stakeholders
Our innovation objectives
Internal – Process: More efficient
• Become time efficient to free up capacity
• Invest time in planning and challenge last year’s approach
• Rebalance time from low to high risk areas
Internal – Output: More effective
• Nurture cross-team sharing
• Continue a high degree of assurance
• Shift from substantive based to controls based
External – Process: Better experience
• Collaborate with clients to plan the audit
• Allow our talent to flourish and realise their potential
External – Output: More insights
• Provide points for parliament to focus on
• Create insights for agencies to increase their impact
Innovation capability
• Structures to support and nourish innovation
• Empower people to innovate
• Invest for the future and improve in the now
Our innovation roadmap
Themes:
• Innovation capability to foster and realise new ideas
• Collaboration culture to unleash the capability of our people
• Data and technology to enable insight driven audits
• Planning and approach to focus and rebalance
Phases:
• Defining the foundations (0 – 18 months)
• Changing the way we work (18 – 36 months)
• Building the future (36 + months)
Our innovation mindset
• Investment focus: people and capability; process; data and technology
• Quality and risk appetite
Data and Analytics
Strategic Intent
Our strategic intent with our data initiative is to deliver more effective audits with improved assurance that generate reportable insights.
Use of Data on Financial Audits – 2021
• Curate and standardise data collection and basic analysis (risk assessment): standardisation and centralisation of collection and curation + embedding basic data analytics
• Data Visualisation: data rich visualisations in reports + visualisation to support audit planning risk assessment
• Big Data: leveraging open source and operational data sets on audits
• Automation of testing: automating substantive and control procedures
• Continuous Financial Statement auditing: conducting continuous audit procedures over automated flow of data
Use of Data on Performance Audits – 2021
• Dedicated data team involved in all scoping: involvement of Data & Analytics Team to identify and capitalise on data opportunities
• Data Visualisation: data rich visualisations in reports + opportunities for readers to engage in underlying report data
• Unstructured Data: use of unstructured data mining to harvest all relevant agency data + improved environmental scanning
Information security and data breaches
Sean Bryceland, Chief Information Officer
Our strategic risk
Loss of confidential information (including client and personal staff information) and integrity resulting in legal or regulatory breaches, unable to continue business or reputational damage.
Our data security journey
• ISMS Policy Refresh
o Information Security Policy
o Third Party Security Policy
o Security Incident Handling Policy
• Data Breach Protection
o Infrastructure Managed Service
o Data Breach Management Policy
o AI supported recipient verification
• Third Party Assessments
o Software as a Service (SaaS) risk assessments
o Self-Service Security Assessments
Our Data Breach Management Approach
Trigger: data breach discovered or suspected
1. Contain the breach; notify the Deputy Auditor-General
2. Response coordinator identified
3. Evaluate associated risks
4. Consider notifying affected individuals/organisations
5. Prevent a repeat
ASP Data Breach Notification
ASPs should consider seeking independent legal advice on their liability under the Privacy Act 1988 (Cth). ASPs must also be aware of their responsibility to comply with the secrecy provisions in section 38 of the Public Finance and Audit Act 1983.
ASPs, on discovery of a breach related to data collected on behalf of the Audit Office, must immediately contact [email protected].
Third Party Security Policy: Principles
The following principles are recognised as fundamental to ensuring relationships with third parties support the Audit Office requirements for the security of its data:
• Audit Office information shall be protected in accordance with applicable laws
• formal agreements shall be used to manage all third party arrangements
• responsibility for protecting Audit Office information ultimately resides with the Audit Office
• third party management is an ongoing process throughout the relationship.
Self Assessment
• The new self assessment questionnaire for ASPs will soon be issued
• It helps the Audit Office to identify any shared areas of risk in line with our Third Party Security Policy and our Information Security Management System (ISMS)
• It will take about 1 hour to complete
Self Assessment System
Other business
Lunch
Local Government Session commences: 1:30pm
Local Government Session
Gerry Coy, Director, Information Systems Audit
2018–19: Local Government IT strategy
Principles
The fundamentals of our approach to audits should be consistent across the sector:
• within each sector e.g. Metro/Regionals/Rural Councils
• regardless of resourcing arrangements e.g. in-house/CAAs
This will drive the quality of our audits and the value of our insights. A single workstream feeding two products – audit opinions and the AG’s report.
Control areas for Councils – FY19
Nature of work for each control area: design effectiveness assessed per ASA 315? (see Rationale and Key points below); operating effectiveness assessed? – Potentially, for every control area listed.
Governance
• Policy framework & currency of policies
• Management and reporting to business of IT Risks and Incidents
Access to Programs & Data
• Starters/Transfers/Leavers
• User Access Reviews
• Managing & monitoring privileged user activity
• Unique user IDs
• Passwords
Program Change
• Approval of changes
• Testing of changes
• Segregation of Duties between promoting change to PROD and developing/initiating change
Computer Operation
• Disaster Recovery Planning
Rationale
As per ASA 315: “In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT”.
Given the pervasive nature of IT and its importance to the financial reporting process, all entities should therefore have these IT control activities (or similar) in place and they are relevant to the audit (regardless of approach).
As such, a design effectiveness assessment should be performed over these controls “by performing procedures in addition to enquiry of the entity’s personnel”, as per ASA 315, for all audit relevant systems.
Key points
• Outcomes of design effectiveness testing must be reported to the Audit Office Local Government team
• Design effectiveness weaknesses must be reported in management letters
• All decisions to test operating effectiveness are at the discretion of the audit team.
Example of Issue
No formal IT Security policy
The Council does not have a formal IT Security policy.
An IT Security policy sets out the Council’s security requirements for digital information. The policy and supporting procedure documents provide guidelines for both standard user and privileged access management.
Inadequate reporting of IT risks & incidents to management
The Council has no formal process in place to ensure that known and emerging IT risks and issues are regularly communicated to senior management (i.e. outside of the IT department).
For example, our audit found that the operating system hosting the general ledger has passed end-of-life support. The associated risks this brings were not communicated to management and those charged with governance.
Example of Issue
User access provisioning process needs to be enhanced
Our audit identified that [insert number] users were granted access to council systems where no evidence of appropriate prior approval could be provided.
Untimely access removal
The Council has no formal controls in place to ensure that user account privileges for financially relevant systems are removed when no longer required.
Periodic user access review process needs to be formalised
User access review is a key management control ensuring currency (accounts belong to staff currently employed) and appropriateness of user access on the business applications. There is no formal and periodic process to review users with access to financially relevant systems.
Privileged user key activities should be recorded and reviewed
Our review of IT access controls identified that while audit logs of privileged IT access activities within the system are maintained and secured from amendment, they are not reviewed.
Unsupervised use of generic user accounts
During our audit, we noted that when posting manual journals, [insert number] finance staff could access the general ledger system using a shared user account. All actions performed using this user account are logged but not reviewed.
Insufficient password configuration
Our audit identified that general ledger password parameters did not comply with the Council’s IT Security policy or good practice guidelines. The following settings are not enforced:
• maximum password age
• minimum password age
• password history
• number of unsuccessful login attempts.
Example of Issue
Program change management requires improvement
Our audit noted that there is no formal procedure to ensure that all changes made to [insert name of system] are subject to appropriate testing and approval prior to implementation.
For a sample change selected, management could not provide any supporting documentation as evidence that changes to [insert name of system] were appropriately tested and approved prior to being implemented.
Segregation of duties needs to be implemented in the program change management process
Our audit noted that a member of the IT team responsible for developing changes to the general ledger system can migrate their own changes from the [development/test] environments to production with no intervention or oversight from other users.
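The tests behind the access, password and change-management example findings above, as an added example (not code from the Audit Office or any council; the account names, log entries, password parameters and change tickets are constructed sample data):

```python
"""ITGC exception checks: an added example, not Audit Office or council code.

Re-runs the tests behind the example findings above over constructed council
data: users provisioned without approval, leavers whose access was not removed,
generic/privileged account activity with no review, password parameters outside
policy, and developers promoting their own changes to production.
"""
from datetime import date

# --- constructed sample data (account names, dates and tickets are made up) ---
ACCOUNTS = {   # active general ledger accounts and when they were created
    "jsmith": date(2018, 9, 3),
    "mlee": date(2018, 10, 15),
    "pwong": date(2017, 2, 1),
    "sysadmin": date(2015, 1, 1),
}
APPROVED_REQUESTS = {"jsmith"}                # access request forms on file
LEAVERS = {"pwong": date(2018, 8, 31)}        # HR termination dates
GENERIC_ACCOUNTS = {"glshared"}               # shared/generic logins
ACTIVITY_LOG = [  # privileged and generic account actions, with review evidence
    {"ts": "2018-09-10T09:12", "user": "sysadmin", "action": "ROLE_GRANT", "reviewed_by": "cfo"},
    {"ts": "2018-09-11T17:40", "user": "glshared", "action": "POST_JOURNAL", "reviewed_by": ""},
    {"ts": "2018-09-12T08:05", "user": "sysadmin", "action": "CONFIG_CHANGE", "reviewed_by": ""},
]
PASSWORD_PARAMS = {"max_age_days": 0, "min_age_days": 0, "history": 0,
                   "lockout_attempts": 0, "min_length": 8}
# Policy as (minimum acceptable, maximum acceptable or None); 0 means not enforced.
PASSWORD_POLICY = {"max_age_days": (1, 90), "min_age_days": (1, None),
                   "history": (5, None), "lockout_attempts": (1, 10),
                   "min_length": (8, None)}
CHANGES = [   # change ticket, who developed it, who migrated it to PROD
    {"id": "CHG-101", "developer": "devA", "promoter": "relmgr"},
    {"id": "CHG-102", "developer": "devB", "promoter": "devB"},
]


def unapproved_provisioning(accounts, approved, period_start):
    """Accounts created in the audit period with no approved access request."""
    return sorted(u for u, created in accounts.items()
                  if created >= period_start and u not in approved)


def untimely_removals(accounts, leavers, as_at, grace_days=1):
    """Leavers still holding an active account beyond the grace period (days late)."""
    return {u: (as_at - left).days for u, left in leavers.items()
            if u in accounts and (as_at - left).days > grace_days}


def unreviewed_activity(log, generic):
    """Privileged/generic account actions that nobody has reviewed."""
    return {
        "unreviewed": [e["ts"] for e in log if not e["reviewed_by"]],
        "generic_account_use": [e["ts"] for e in log if e["user"] in generic],
    }


def password_exceptions(params, policy):
    """Parameters outside the policy range (a value of 0 means not enforced)."""
    return {name: params.get(name, 0) for name, (lo, hi) in policy.items()
            if params.get(name, 0) < lo or (hi is not None and params.get(name, 0) > hi)}


def change_sod_violations(changes):
    """Changes where the developer migrated their own change to production."""
    return [c["id"] for c in changes if c["developer"] == c["promoter"]]


def itgc_exceptions(as_at=date(2018, 12, 31), period_start=date(2018, 7, 1)):
    """Collect every exception for the management letter."""
    return {
        "provisioning": unapproved_provisioning(ACCOUNTS, APPROVED_REQUESTS, period_start),
        "leavers": untimely_removals(ACCOUNTS, LEAVERS, as_at),
        "activity": unreviewed_activity(ACTIVITY_LOG, GENERIC_ACCOUNTS),
        "passwords": password_exceptions(PASSWORD_PARAMS, PASSWORD_POLICY),
        "change_sod": change_sod_violations(CHANGES),
    }


if __name__ == "__main__":
    for area, result in itgc_exceptions().items():
        print(f"{area}: {result}")
```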
Example of Issue
Disaster recovery plan should be formalised and tested
Council’s Information Technology Disaster Recovery Plan (DRP) has not been reviewed or tested since 2012.
Local Government Session
Lawrissa Chan, Director, Financial Audit
Agenda – Local Government Session (1:30pm)
• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government IS audit strategy
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance audits
Close workshop – 3:00pm
Roundtable: Topics for discussion
• Debrief 2017–18 audits / council feedback
• Key areas of focus for 2018–19 audits
• Sector accounting issues
• Audit methodology / audit approach
• IT audit
• Audit fees
• Report to Parliament
• Performance audits
• Joint Organisations
2018–19: Key areas of focus
• Quality and timeliness of financial reporting
• Information Technology General Controls
• Crown Land
• IPP&E: Asset valuations & fair value assessments
• New Accounting standards
• Credit cards
Annual Engagement Plans are due: 28 February 2019
Questions?