Audit Service Provider Briefing Portside Conference Centre 19 - - PDF document

19/02/2019 1

Audit Service Provider Briefing

Portside Conference Centre 19 February 2019

Agenda

Item Time Welcome 9:30am Address by the Deputy Auditor-General Lessons learnt and Government reporting and compliance developments Morning tea 10:30am Audit oversight – key changes Key contract requirements Data analytics and innovation Information Security and data breaches Other business Close workshop / Lunch 12:30pm

19/02/2019 2

Agenda – Local Government Session

Item Time

• Local Government IS audit strategy
• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance

audits 1:30pm Close workshop 3:00pm

Address by the Deputy Auditor-General

Ian Goodwin Deputy Auditor-General

19/02/2019 3

Reflections

• n 2017‐18

Progress on 2017-2020 corporate plan –strategic

• bjectives

Our activity is driven by our Corporate Plan, which includes six strategic initiatives:

• local government
• influencing for impact
• reporting process
• working better, working

together

• data analytics
• technology and process

innovation

19/02/2019 4

Working better, working together

This initiative is focused on defining what our work will look like into the future, what capabilities we require and the culture and conditions we need to create.

Lessons learnt and Government reporting and compliance developments

David Daniels, Director Financial Audit Karen Taylor, Director Financial Audit

19/02/2019 5

Contents

• Lessons learned from prior audits
• Prior period error themes
• Asset revaluation considerations
• Monitoring review findings
• Government Reporting and Compliance Developments
• Mandatory early close procedures
• Government Sector Finance Reforms
• NSW Cyber Security Policy

Lessons learnt

19/02/2019 6

Prior period error themes

• There were 40 prior period errors for 30 June 2018 audits
• Key financial statement line items impacted:

Common causes of prior period errors

• Valuation and record keeping of physical assets:
• management assessed the asset could

not be measured reliably

• errors in comprehensive revaluations
• assets not carried at fair value
• accuracy and completeness of asset registers
• Incorrect discount rates to measure provisions under

AASB 137

19/02/2019 7

Asset revaluations

Important matters to consider: Starting out

• Early engagement with all stakeholders

including auditors Management’s role

• Start revaluations early
• Compare pre and post valuation results on an individual basis.

Document explanations from the valuer for significant / unusual changes

Asset revaluations

Using experts

• Documented Terms of engagement clearly detailing the valuation

methodology

• Valuation report should detail key assumptions, valuation approach

adopted, how use of relevant observable inputs is maximised Intervening years

• Revaluations performed with sufficient regularity to ensure carrying

values reflect fair value. Communication

• Management meets regularly with auditors to discuss progress and
• utcomes

19/02/2019 8

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:

• Response to identified ITGC deficiencies, arising from:
• application and database security configurations
• privileged user access
• In addition to reporting the deficiencies in the management letter, need

to respond by:

• assessing the risk and likelihood of exploitation of those risks
• impact on the audit approach and resulting procedures to target

assessed risk

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:

• ASA 315 requires an understanding of the information system,

including the business processes, relevant to the financial reporting, including:

• classes of transactions
• transaction process flows
• month and year end close processes
• related controls.
• Adopting a purely substantive audit approach doesn’t mean we can
• pt-out of ASA 315

19/02/2019 9

Monitoring review findings (for year ending 30 June 2017)

Systemic findings across both inhouse and ASP audit files:

• For journals testing, teams should:
• understand the types of journals, including automated journals and

rationale for its exclusion

• document and evaluate controls
• ensure the population of journals is complete
• respond to issues identified e.g. segregation of duties in the system,

privileged user access

• apply appropriate filters
• sort down
• test the selection
• perform update testing

Government reporting and compliance developments

19/02/2019 10

Mandatory early close procedures

• Contained in TC19-01
• Applies to all NSW public

sector entities including State Owned Corporations (SOCs)

• Agencies should engage

early with the Audit Office to confirm the nature and timing of procedures to be performed

31 May

Audit Office provides observations and feedback on early close procedures to the agency

23 April

Agency provides results to the Audit Office and Treasury

31 March

Agency performs all early close procedures in Appendix B

2018-19 Asset revaluation timetable

• Applies to NSW public

sector entities, including SOCs

• Applies to assets:
• requiring comprehensive

valuations

• not currently recorded as

they do not meet the reliably measurable criteria

23 April

Agency provides final valuation report with management’s review report.

January

Agency provides listing & position paper on assets not recorded in financial statements.

Agency mandatory deliverables to the Audit Office

19/02/2019 11

Treasury mandates circular

• Mandates the options agencies must apply when Australian

Accounting Standards allow certain accounting policy choices

• Applies to all entities that prepare general purpose financial

statements under the Public Finance and Audit Act 1983, including SOCs

• Likely key changes:
• includes new mandates under AASB 9 and AASB 15 (for-

profit entities)

• updates the list of Standards issued but not yet effective.

Government Sector Finance reforms

• Formerly known as the Public Finance and Audit Act 1983
• Addresses the audit of government sector finances and governance of the Public Accounts Committee
• Recognises the independence of the Auditor-General and the Audit Office.
• Will become effective for the 2019/20 financial year

Government Sector Audit Act 1983 (GSA Act) Government Sector Finance Act 2018 (GSF Act)

• New framework for government sector financial and resource management
• Aims to simplify and modernise agency management, responsibility and accountability, financial reporting,

governance and performance

• Movement to a principle based approach
• Became law in November 2018. Elements of the Act came into force from 1 December. For example, expenditure,

delegations, financial arrangements and performance information

• The financial reporting, audit and annual reporting elements of the Act have not yet come into force. They are

proposed to commence progressively from the 2019/20 financial year (inclusive)

19/02/2019 12

GSF Act – key reforms

• Information sharing: Treasurer and Ministers can request information held by agencies

relevant to resource allocation to facilitate better informed budget and State financial management decisions

• Performance Information: Treasurer authorised to give directions on performance

information agencies are required to keep. This reform supports outcome budgeting

• Clusters: Cluster Ministers can access relevant agency financial and non-financial
• information. The reforms also codify the Cluster Minister’s authority to set terms and conditions
• n spending from appropriations when delegating the power to agencies
• Delegations: Broader range of responsibilities and powers can be delegated (and sub-

delegated) than is permitted under the existing framework Further information on the reforms is available on NSW Treasury’s website: https://www.treasury.nsw.gov.au/budget-financial-management/reform/government- sector-finance-act-2018-0

NSW Cyber security policy

• Must be adopted by all NSW Public Service Agencies from 1

February 2019

• Recommended adoption by SOCs,

local councils and universities

• Introduces new mandatory cyber

security requirements

• Requires agencies to provide a cyber

security attestation in their annual reports

19/02/2019 13

Questions? Morning Tea

10:30 – 11:00am

19/02/2019 14

Audit Oversight – Key Changes

Karen Taylor Director Financial Audit

New Audit Oversight Approach

• Commencing for the 2018-19 cycle
• Reduction in duplication and number of forms
• Improved efficiency - timeliness of review and

lower administration costs

• More focus on risk areas

19/02/2019 15

Previous Audit Engagement Approach

Audit planning Deliverables

• Form A: Audit planning
• Form C: Calendar of events
• Drafted Audit Engagement Plan

Audit execution Deliverables

Drafted:

• Management Letter(s)
• Letter of Observations on Early Close

Audit completion Deliverables

Drafted:

• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Form B: Audit completion and recommend
• pinion

New Audit Engagement Approach

Audit planning Deliverables

• Progressive involvement record
• Drafted Annual Engagement Plan

Audit execution Deliverables

Drafted:

• Management Letter(s)
• Letter of Observations on Early Close

Audit completion Deliverables

Drafted:

• Management Letter(s)
• Engagement Closing Report
• Statutory Audit Report(s)
• Report on the Conduct of the Audit
• Progressive involvement record
• ASP Representation Letter

19/02/2019 16

Allocation of Audit Office Directors Tracking Deliverables

• Internal audit recommendation
• Actual vs target dates will be tracked for key deliverables
• Annual Engagement Plan
• Management Letters
• Key forms and reports
• Audit file backup

19/02/2019 17

Expectations for the 2018-19 Audit Cycle

• Timing of key deliverables
• Communications protocols
• Roles and responsibilities

Independent Commission Against Corruption

• First report on corruption and integrity in the NSW Public Sector

released 4 December 2018

• Risks identified by the report
• Blurred lines between government non-government

sectors

• Poorly managed organisational change
• Rules can unintentionally encourage corrupt conduct

19/02/2019 18

New Accounting Standards

AASB 9 ‘Financial Instruments’ AASB 15 ‘Revenue from Contracts with Customers’ (for-profit agencies) AASB 16 ‘Leases’ AASB 1058 ‘Income of Not-for-Profit Entities’ AASB 15 ‘Revenue from Contracts with Customers’ (not-for-profit agencies)

30 JUNE 2019 30 JUNE 2020 30 JUNE 2018

KEY DATES

Working together

19/02/2019 19

Key contract requirements

Peter Coulogeorgiou Chief Financial Officer

Contracting out audits - why we do it

• tap into expertise in the marketplace
• to learn and benchmark what we do
• promote innovation
• cost effectiveness
• help meet statutory deadlines
• drive efficiency and productivity gains
• manage risks

19/02/2019 20

What do we want to achieve from these arrangements?

• True, long-term partnerships
• Partnerships that contribute towards the

Audit Office’s vision

• Partnerships that deliver high quality audits

the public expect from an Auditor-General

• Work practices that align with the Audit

Office’s Corporate Plan, strategic initiatives and operating principles

Changes to standard agreement – September 2018

ASP agreement

ASPs to attend key meetings (clauses 10.3 and 10.4) Compliance with ASP manual (clause 7.2(f) ASP representation letter (clause 10.8(a) Access to quality monitoring records (clause 11.8) WHS

• bligations

(clause 14.4) Contribute AG report content clause (10.8(d)

19/02/2019 21

General expectations

• Recognise and promote the Auditor-General as the

appointed auditor

• Understand and act in a way that is consistent with

the principles set out in the Audit Office’s:

• Audit and Assurance policies
• Governance policies
• Observe ethical standards and professional

independence requirements including APES 110 ‘Code of Ethics for Professional Accountants’

• Obtain the Auditor-General’s written approval to

provide any other service

• Comply with the Audit Office’s Gifts, Benefits and

Hospitality policy.

Additional Services

• Written approval required
• Form available on our website at:
• https://www.audit.nsw.gov.au/work-

with-us/audit-service- providers/resources-for-audit-service- providers

• Separate forms for audit related and

non-audit related services

• Important to address the independence

threats in the context of APES 110

19/02/2019 22

Admin/reporting requirements

• Invoices need to include a purchase order reference

number

• Invoices must separately show disbursements e.g.

travel costs

• Invoices should be emailed to the finance team at

accounts.payable@audit.nsw.gov.au

• The Audit Office must support additional recoveries by

ASPs

• Firms must notify us of use of subcontractors (clause

7.15)

• Firms must notify us of any cancellation of workers

compensation cover (clause 14.3)

• Firms must notify us immediately should a conflict of

interest or the risk of a conflict of interest arise

• Firms must notify us immediately where a partner is

the subject of disciplinary action

Performance Monitoring

• We are redeveloping our existing

performance framework

• Expect to release an update to

previous ‘Form D’ before 30 June 2019

• Performance evaluation will

include:

• Timeliness – audits and

reporting to the Audit Office

• Audit quality
• Quality of reporting
• Communication and

relationships

• Innovation

Performance framework

ASP annual workshop (Feb) Mid-year performance check-in (May-June) Mid-year ASP Workshop (if required) (May-June) Formal performance review – post audit (Oct-Dec) Quality monitoring program (Dec-Feb)

19/02/2019 23

Future opportunities to work for the Auditor-General and Audit Office

• 20 audits currently contracted out expire at the

end of the 30 June 2019 and 31 December 2019 audit cycles

• We will be evaluating our audit portfolio in the

coming months to determine whether the audits remain contracted out or come in-house. We will also look at the audits we currently do in-house.

Questions?

19/02/2019 24

Data analytics and innovation

Chris Clayton Executive Director, Quality and Innovation

Innovation

19/02/2019 25

Our insights inform and challenge government to improve outcomes for citizens to help parliament hold government accountable for its use of public resources Our vision To develop dynamic and new approaches that create relevant insights and valuable

• utcomes for our stakeholders

Our innovation ambition

19/02/2019 26

Our innovation objectives

Internal More efficient

• Become time efficient to

free up capacity

• Invest time in planning and

challenge last year’s approach

• Rebalance time from low to

high risk areas

More effective

• Nurture cross-team sharing
• Continue a high degree of

assurance

• Shift from substantive based

to controls based

External Better experience

• Collaborate with clients to

plan the audit

• Allow our talent to flourish

and realise their potential

More insights

• Provide points for parliament

to focus on

• Create insights for agencies to

increase their impact

Process Output Innovation capability

• Structures to support and nourish innovation
• Empower people to innovate
• Invest for the future and improve in the now

Our innovation roadmap

Innovation capability to foster and realise new ideas Collaboration culture to unleash the capability of

• ur people

Data and technology to enable insight driven audits Planning and approach to focus and rebalance

Defining the foundations

0 – 18 months

Changing the way we work

18 – 36 months

Building the future

36 + months

19/02/2019 27

Our innovation mindset

Investment focus People and capability Process Data and technology Quality and risk appetite

Data and Analytics

19/02/2019 28

Strategic Intent Our strategic intent with our data initiative is to deliver more effective audits with improved assurance that generate reportable insights. Use of Data on Financial Audits – 2021

Continuous Financial Statement auditing Automation of testing Big Data Data Visualisation Curate and standardise data collection and basic analysis (risk assessment)

Standardisation and centralisation of collection and curation + embedding basic data analytics Data rich visualisations in reports + visualisation to support audit planning risk assessment Leveraging open source and operational data sets

• n audits

Automating substantive and control procedures Conducting continuous audit procedures over automated flow of data

19/02/2019 29

Use of Data on Performance Audits – 2021

Unstructured Data Data Visualisation Dedicated data team involved in all scoping

Data rich visualisations in reports + opportunities for readers to engage in underlying report data Involvement of Data & Analytics Team to identify and capitalise on data

• pportunities

Use of unstructured data mining to harvest all relevant agency data + improved environmental scanning

Information security and data breaches

Sean Bryceland Chief Information Officer

19/02/2019 30

Loss of confidential information (including client and personal staff information) and integrity resulting in legal or regulatory breaches, unable to continue business or reputational damage. Our strategic risk Our data security journey

ISMS Policy Refresh

Information Security Policy Third Party Security Policy Security Incident Handling Policy

Data Breach Protection

Infrastructure Managed Service Data Breach Management Policy AI supported recipient verification

Third Party Assessments

Software as a Service (SaaS) risk assessments Self‐Service Security Assessments

19/02/2019 31

Our Data Breach Management Approach

Data breach discovered or suspected Contain the Breach Notify the Deputy Auditor‐General Response coordinator identified Evaluate associated risks Consider notifying affected individuals/organisations Prevent a repeat

1 2 3 4 5

ASPs should consider seeking independent legal advice on their liability under the Privacy Act 1988 (Cth). ASPs must also be aware of their responsibility to comply with the secrecy provisions in section 38 of the Public Finance and Audit Act 1983. ASPs, on discovery of a breach related to data collected on behalf of the Audit Office must immediately contact governance@audit.nsw.gov.au.

ASP Data Breach Notification

19/02/2019 32

The following principles are recognised as fundamental to ensuring relationships with third parties support the Audit Office requirements for the security of its data:

• Audit Office information shall be protected in accordance with applicable laws
• formal agreements shall be used to manage all third party arrangements
• responsibility for protecting Audit Office information ultimately resides with the

Audit Office

• third party management is an ongoing process throughout the relationship.

Third Party Security Policy: Principles Self Assessment

• The new self assessment questionnaire for ASPs will soon be issued
• It helps the Audit Office to identify any shared areas of risk in line with our Third

Party Security Policy and our Information Security Management System (ISMS)

• It will take about 1 hour to complete

19/02/2019 33

Self Assessment System Self Assessment System

19/02/2019 34

Other business

Lunch

Local Government Session commences: 1:30pm

19/02/2019 35

Local Government Session

Gerry Coy Director, Information Systems Audit

Principles

The fundamentals of our approach to audits should be consistent across the sector:

• within each sector e.g. Metro/Regionals/Rural Councils
• regardless of resourcing arrangements e.g. in-house/CAAs

This will drive the quality of our audits and the value of our insights. A single workstream feeding two products – audit opinions and the AG’s report.

Area Control areas for Councils – FY19

Governance Policy framework & currency of policies Management and reporting to business of IT Risks and Incidents Access to Programs & Data Starters/Transfers/Leavers User Access Reviews Managing & monitoring privileged user activity Unique user IDs Passwords Program Change Approval of changes Testing of changes Segregation of Duties between promoting change to PROD and developing/initiating change Computer Operation Disaster Recovery Planning

Nature of work

Design effectiveness assessed per ASA 315? Operating effectiveness assessed?

        Potentially Potentially Potentially Potentially Potentially Potentially Potentially Potentially Potentially Potentially Potentially

Rationale

As per ASA 315: “In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT”. Given the pervasive nature of IT and its importance to the financial reporting process, all entities should therefore have these IT control activities (or similar) in place and they are relevant to the audit (regardless of approach). As such, a design effectiveness assessment should be performed over these controls “by performing procedures in addition to enquiry of the entity’s personnel”, as per ASA 315, for all audit relevant systems.

Key points

• Outcomes of design effectiveness testing must be reported to the Audit Office Local

Government team

• Design effectiveness weaknesses must be reported in management letters
• All decisions to test operating effectiveness are at the discretion of the audit team.

  

2018–19: Local Government IT strategy

19/02/2019 36

Area Control areas for Councils – FY19

Governance Policy framework & currency of policies Management and reporting to business of IT Risks and Incidents Access to Programs & Data Starters/Transfers/Leavers User Access Reviews Managing & monitoring privileged user activity Unique user IDs Passwords Program Change Approval of changes Testing of changes Segregation of Duties between promoting change to PROD and developing/initiating change Computer Operation Disaster Recovery Planning

Example of Issue

No formal IT Security policy The Council does not have a formal IT Security policy. An IT Security policy sets out the Council’s security requirements for digital information. The policy and supporting procedure documents provide guidelines for both standard user and privileged access management. Inadequate reporting of IT risks & incidents to management The Council has no formal process in place to ensure that known and emerging IT risks and issues are regularly communicated to senior management (i.e. outside of the IT department). For example, our audit found that the operating system hosting the general ledger has passed end-of-life support. The associated risks this brings were not communicated to management and those charged with governance.

Area Control areas for Councils – FY19

Governance Policy framework & currency of policies Management and reporting to business of IT Risks and Incidents Access to Programs & Data Starters/Transfers/Leavers User Access Reviews Managing & monitoring privileged user activity Unique user IDs Passwords Program Change Approval of changes Testing of changes Segregation of Duties between promoting change to PROD and developing/initiating change Computer Operation Disaster Recovery Planning

Example of Issue

User access provisioning process needs to be enhanced Our audit identified that [insert number] users were granted access to council systems where no evidence of appropriate prior approval could be provided. Untimely access removal The Council has no formal controls in place to ensure that user account privileges for financially relevant systems are removed when no longer required. Periodic user access review process needs to be formalised. User access review is a key management control ensuring currency (accounts belong to staff currently employed) and appropriateness of user access on the business

• applications. There is no formal and periodic process to review users with access to

financially relevant systems. Privileged user key activities should be recorded and reviewed Our review of IT access controls identified that while audit logs of privileged IT access activities within the system are maintained and secured from amendment, they are not reviewed. Unsupervised use of generic user accounts During our audit, we noted that when posting manual journals, [insert number] finance staff could access the general ledger system using a shared user account. All actions performed using this user account are logged but not reviewed. Insufficient password configuration Our audit identified that general ledger password parameters did not comply with the Council’s IT Security policy or good practice guidelines. The following settings are not enforced:

• maximum password age
• minimum password age
• password history
• number of unsuccessful login attempts.

19/02/2019 37

Area Control areas for Councils – FY19

Governance Policy framework & currency of policies Management and reporting to business of IT Risks and Incidents Access to Programs & Data Starters/Transfers/Leavers User Access Reviews Managing & monitoring privileged user activity Unique user IDs Passwords Program Change Approval of changes Testing of changes Segregation of Duties between promoting change to PROD and developing/initiating change Computer Operation Disaster Recovery Planning

Example of Issue

Program change management requires improvement Our audit noted that there is no formal procedure to ensure that all changes made to [insert name of system] are subject to appropriate testing and approval prior to implementation. For a sample change selected, management could not provide any supporting documentation as evidence that changes to [insert name of system] were appropriately tested and approved prior to being implemented. Segregation of duties need to be implemented in program change management process Our audit noted that a member of the IT team responsible for developing changes to the general ledger system can migrate their own changes from the [development/test] environments to the production with no intervention or oversight from other users.

Area Control areas for Councils – FY19

Governance Policy framework & currency of policies Management and reporting to business of IT Risks and Incidents Access to Programs & Data Starters/Transfers/Leavers User Access Reviews Managing & monitoring privileged user activity Unique user IDs Passwords Program Change Approval of changes Testing of changes Segregation of Duties between promoting change to PROD and developing/initiating change Computer Operation Disaster Recovery Planning

Example of Issue

Disaster recovery plan should be formalised and tested Council’s Information Technology Disaster Recovery Plan (DRP) has not been reviewed or tested since 2012.

19/02/2019 38

Local Government Session

Lawrissa Chan Director, Financial Audit

Agenda – Local Government Session

Item Time

• Debrief on 2017-18 audits
• Key areas of focus for 2018-19 audits
• Local Government IS audit strategy
• Local Government accounting and audit issues
• Potential topics for Report to Parliament, performance

audits 1:30pm Close workshop 3:00pm

19/02/2019 39

Roundtable: Topics for discussion

• Debrief 2017–18 audits / council feedback
• Key areas of focus for 2018–19 audits
• Sector accounting issues
• Audit methodology / audit approach
• IT audit
• Audit fees
• Report to Parliament
• Performance audits
• Joint Organisations

2018–19: Key areas of focus

• Quality and timeliness of financial reporting
• Information Technology General Controls
• Crown Land
• IPP&E: Asset valuations & fair value assessments
• New Accounting standards
• Credit cards

Annual Engagement Plans are due: 28 February 2019

19/02/2019 40

Questions?