3. Knowing your entity’s business

The financial statements team’s ability to prepare high-quality financial statements on time is enhanced if they possess a sound knowledge of the entity, its operations, legislative, governance and business environments, including but not limited to the corporate plan, portfolio budget statements and the annual report.

As the environment within which an entity operates is continually changing, it is critical to monitor changes on an ongoing basis particularly in legislation, government policy and accounting requirements.

A comprehensive regime of internal control is essential for effectively managing the risks that may affect the financial statements preparation process.

To ensure the business and financial management information systems produce complete, timely and accurate information for inclusion in the financial statements, entities need to have in place appropriate and fully documented:

• governance arrangements
• systems of internal control
• risk management and oversight
• educational and learning and development programs that provide relevant staff with sufficient knowledge and understanding of their specific responsibilities.

3.1 Audit and other management committees

Audit committees - are integral to good corporate governance of Commonwealth entities. Subsection 17(2) of the PGPA Rule stipulates functions that audit committees must undertake including review of the appropriateness of the entity’s financial reporting. Better practice entities actively engage with their audit committee throughout the financial statement process and ensure audit committee members are provided with accounting position papers, shell and first draft financial statements with sufficient time for members to provide timely feedback to the financial statement team.

Other management committees - most entities will operate various management committees as part of the governance arrangements. In the context of an entity’s financial statements, financial statements sub-committees may be established and given overall management responsibility for their preparation. Often a member of the audit committee chairs the financial statements sub-committee, which assists in streamlining information back to the audit committee. Use of a financial statements sub-committee does not reduce or diminish the audit committee’s responsibilities. In establishing financial statements sub-committees, audit committee members should ensure that they are not delegating their responsibilities or independence and that they continue to meet their obligations under the PGPA Rule.

To ensure the independence of the audit committee, it is not appropriate for the roles of a financial statements sub-committee and an audit committee to be combined, and it is important that the respective roles of these committees are well-defined and there are agreed lines of communication between them.

The following publications and guides assist entities in clarifying applicable requirements:

• Governance structures in the public sector - provides an overview of the types of structures used across the Commonwealth public sector
• PGPA Flipchart and entity list - a reference to all entities subject to the PGPA Act, the position title for each accountable authority (for the purpose of the PGPA Act) and whether the entity is currently classified as ‘material’
• Governance policy - considerations and decisions influencing the design of a body’s governance structure. A comprehensive regime of internal control is essential for effectively managing the risks that may affect the financial statements preparation process. Entities need to have in place appropriate governance arrangements including:
  • control activities - activities such as delegations, authorisations, reconciliations, segregation of duties, physical security of assets, systems access and security are important controls that individually or in combination with others, can help prevent, or detect and correct misstatements in classes of transactions, account balances, or note disclosures
  • policies - well defined policies should be developed to:
    • set clear directions on how an entity approaches and discharges its external accountability responsibilities
    • provide a link between the financial statements process and other business processes such as budgeting and business operations
    • clearly defines roles and responsibilities, structures, plans, performance and management oversight arrangements
  • training and recruitment - the selection and training of staff, a clear understanding of roles and responsibilities, and an understanding of financial reporting, legislative, policy and accountability requirements are important factors in preventing non-compliance with legislation and ensure sound financial management and reporting
  • procedures - clearly documented procedures provide guidance for all those who have financial management responsibilities. In this context, procedures include Accountable Authority Instructions (AAIs) or their equivalent, standard financial and administrative operating procedures, financial management information system manuals, checklists and templates. Entities often refer to these procedures as Standard Operating Procedures (SOPs). To be effective, these should be kept up-to-date and readily accessible to staff
  • information systems - better practice entities have financial management information systems (FMISs) capable of producing complete, accurate and reliable financial and related information. It is also important that system functionality supports processing and information requirements for the financial statements.
• RMG-126 Government Business Enterprises (RMG-126) is relevant to Government Business Enterprises (GBEs) that are Commonwealth entities or wholly owned Commonwealth companies. RMG-126 outlines the oversight arrangements for entity GBEs and company GBEs that are prescribed in the PGPA Rule, and provides guidance regarding board and corporate governance, planning and reporting, financial governance and other governance matters.

3.1.1 Additional resources

3.2 Knowing the entity’s financial reporting structure and dependencies

Section 42 of the PGPA requires all Commonwealth entities’ accountable authorities to:

• prepare annual financial statements
• certify whether, in their opinion, the financial statements:
  • comply with the AAS and any other requirements prescribed by the rules
  • present fairly the entity’s financial position, financial performance and cash flows.

In addition accountable authorities of government business enterprise must state whether, in their opinion, there are reasonable grounds to believe that the entity will be able to pay its debts as and when they fall due.

In practice, responsibility for preparation of the financial statements resides with the CFO. It is important that the accountable authority ensures that the CFO’s responsibility for preparing the financial statements is well understood by senior management.

3.3 The Chief Financial Officer (CFO) and financial statements team

The CFO and the financial statements team have primary carriage of the preparation and coordination of the annual financial statements. Their financial statements responsibilities include:

• preparing the financial statements within the required timeframe, which involves:
  • ensuring that the statements are supported by an entity’s accounts and records
  • that all figures and information are capable of audit verification
  • that the financial statements comply with relevant legislative, policy and professional requirements
• explaining major variances of reported amounts from budgeted and previous year actual amounts
• providing leadership in developing financial management strategies and policies
• providing periodic (generally monthly) financial reports and related analysis to the accountable authority, other levels of management and the Department of Finance (Finance)
• conducting quality assurance reviews of information provided by business areas and external parties
• ensuring shared services providers provide appropriate evidence to confirm that their internal controls have operated effectively throughout the financial year and can be relied on to provide complete and accurate information
• managing and monitoring the timely remediation of financial statement audit findings
• promoting sound accounting policies and practices, including implementing and providing guidance on applicable accounting standards
• maintaining the entity’s FMIS.

The CFO and financial statements team rely on input from business areas, shared services providers and other entities that perform numerous functions on the entity’s behalf in preparing the financial statements. These functions could include, but not limited to, collecting and/or expending money, processing and reporting. It is therefore essential that the CFO and financial statements team have well-established relationships with these areas and entities.

It is the responsibility of the CFO and financial statements team to identify, in consultation with the relevant business areas and those other entities the nature and timing of the necessary information flows between the finance area and business areas/other entities. Demonstrating positive leadership and adopting an open and constructive approach, rather than a policing role, is more likely to lead to business areas and other entities meeting their responsibilities in the context of the entity’s financial statements.

As entities continue to be accountable for the quality of data that is processed/recorded by other entities under shared services arrangements, it is also essential that the CFO and financial statements teams establish and maintain close working relationships with shared services providers, including agreement on the content and timing of complete and accurate data, plus provision of assurances over the effectiveness of the service provider’s internal controls. More information is included at: 7. Development processes and procedures and 7.9. Shared services.

3.3.1 Additional responsibilities of portfolio department CFOs and financial statements teams

In addition to the responsibilities for preparation of their entity’s financial statements detailed above, portfolio department CFOs and financial statements teams should also:

• develop strong working relationships with their portfolio entities’ CFOs and financial statements teams that encourages free exchange within the portfolio of information on accounting policies and/or issues
• promote sound, consistent accounting policies and practices by all portfolio entities including providing guidance on applicable accounting standards to other portfolio entities
• agree timing for provision plus monitor delivery of, draft financial statements of portfolio entities’ financial statements
• provide training and/or second staff to portfolio entities to assist them with skill or resource gaps.

3.4 Officials of the entity

Financial management is the responsibility of all officials who exercise delegations, authorisations and expend relevant moneys. In doing so, it is important that officials in Commonwealth entities are aware of their responsibility to comply with relevant legislative and policy requirements, including any instructions/directions from their accountable authority, and maintain records in accordance with an entity’s recordkeeping policies as provided in their AAIs and the entity’s delegations.

Officials should also:

• read, understand and focus upon the contents of financial reports
• consider whether the financial statements are consistent with their knowledge of the entity’s financial position and performance
• consider the statutory requirements
• apply their knowledge of the affairs of the entity
• where appropriate, challenge unusual or unexpected trends or balances
• make further enquiries if matters revealed in the financial statements call for such enquiries.

Accountable authorities (or members of accountable authorities such as board members, business area managers and financial delegates) should acquire a degree of financial literacy, including a knowledge of the entity’s finance polices, as well as accounting practices and standards, so they are able to appropriately review and monitor the financial statements.

3.5 Audit committees

A strong audit committee can significantly assist the accountable authority in meeting their duties and responsibilities under the PGPA Act, particularly in relation to financial reporting.

• The audit committee is expected to actively review the entity’s processes and systems for preparing financial reporting. As part of this active process, the entity has to stay informed and advise the audit committee of changed requirements in relation to financial reporting throughout the year.

In reviewing the entity’s year-end financial statements, the audit committee may provide written advice to the accountable authority on the outcome of its review. To support the audit committee in performing this function effectively, it is important that the committee is kept informed throughout the year (not just at year-end), of all significant issues that may directly or indirectly affect the entity’s resource management and financial reporting arrangements.

The relationship between the CFO and the audit committee is an important one in the context of the committee’s function to review the appropriateness of financial statements. The CFO is not permitted to be a member of the audit committee but is often an ‘advisor’ with a key responsibility to provide assurance (generally by way of sign-off) that the financial statements are accurate. Arrangements should be in place for the CFO to advise the audit committee, in a timely manner, of:

• significant accounting and financial reporting issues that may affect the financial statements
• the underlying systems of internal control
• actions taken to address issues.

To ensure the independence of the audit committee, it is not appropriate for the roles of the financial statements sub-committee and the audit committee to be combined, and it is important that the respective roles of these committees are well-defined and there are agreed lines of communication between them.

For more information see RMG-202 Audit committees (RMG-202).

3.6 The entity’s internal audit function

The internal audit function can assist in providing assurance to the accountable authority and management of an entity that risk management, governance and internal control processes are operating effectively, and also provide recommendations to improve such processes.

Areas where internal audit can support the preparation of the financial statements include:

• reviewing new systems during the implementation stage to help ensure that adequate control mechanisms and governance arrangements are put in place
• providing objective assistance in developing financial systems to ensure compliance with relevant accounting requirements and the provision of timely and reliable information for financial reporting purposes
• reviewing the effectiveness of the entity’s internal controls to ensure the existence/occurrence, completeness/accuracy, valuation/measurement, rights and obligations, classification and cut-off of higher risk financial statement balances
• reviewing high risk financial statements items
• reviewing the robustness of management sign-offs
• following up remedial actions by management to assess whether they have been implemented in a timely manner
• conducting periodic checks to monitor progress against the financial statements preparation timetable
• undertaking quality assurance reviews of data quality and financial statements processes. This may include reviewing working papers (which contain the evidence and judgements used to prepare the financial statements), other supporting documentation and the draft financial statements for compliance with the FRR and relevant entity policies
• providing assurances about the effective and ethical use of resources and legal compliance, specifically targeting high risk issues that may have a material effect on the financial statements
• seconding individual staff to the financial statements preparation team to fill skill and/or resource gaps within the financial statements team.

3.6.1 Additional resources

3.7 Knowing your entity’s risks and assurance processes

Section 16 of the PGPA Act provides that accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity.

CCEs, whilst not required to comply with the Commonwealth Risk Management Policy, should review and align their risk management frameworks and systems with this policy as a matter of good practice.

A risk assessment process enables an entity to understand how much risk it is exposed to, and defining risk appetite and tolerance allows them to articulate how much risk the entity is willing to accept, and potential impacts to its financial management, position and performance. Only when both risk appetite and tolerance are clearly understood can the entity understand if its risk exposure is acceptable.

Some key questions that financial statements teams should consider are:

• What types of risk are unacceptable?
• What does good risk-taking look like in our entity?
• Under what circumstances do we accept risk?

For more information see RMG-211 Implementing the Commonwealth Risk Management Policy (RMG-211) and Comcover’s Risk Resources.

3.7.1 Fraud control

Fraud is a threat that affects every Commonwealth entity in all areas of business, including benefits, taxation, procurement, grants and internal procedures.

The misappropriation of assets, for example, the theft of physical assets or payment for fictitious goods and services, will diminish the financial resources of an entity and can lead to a lack of confidence in public sector administration. In addition, fraudulent financial reporting, such as the falsification of accounting records, the intentional omission of transactions or the misapplication of accounting principles, has the potential to mislead users of the financial statements.

Entities should ensure they have appropriate internal controls in place to identify, monitor and manage fraud risks. To assist entities to manage fraud related risks, the Government has developed the Commonwealth Fraud Control Framework, which provides further detail of the fraud control requirements set out under section 10 of the PGPA Act (the Fraud Rule).

RMG-201 Preventing, detecting and dealing with fraud (RMG-201) also provides guidance on better practice for fraud control arrangements within all Commonwealth entities.

Procedures designed to prevent the occurrence of fraud may include:

• control activities - activities such as delegations, authorisations, reconciliations, segregation of duties, physical security of assets, systems access and security are important controls that individually or in combination with others, can help prevent and detect fraud
• training and recruitment - the selection and training of staff, a clear understanding of roles and responsibilities, and an understanding of financial reporting, legislative, policy and accountability requirements are important factors in detecting fraud
• information systems - better practice entities have FMISs that reduce manual processing which reduces the risk of fraud.

3.7.2 Knowing your entity’s information and communication technology controls

Both good risk management practices and ICT controls have a direct impact on the preparation of financial statements and the quality of the final product.
In preparing the financial statements, entities need to design, implement and maintain risk management practices and internal controls to:

• comply with relevant legislative and policy requirements
• accurately record all relevant financial transactions
• prevent or detect and correct misstatements, whether due to fraud or error.

Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement (ASA 315), issued by the Auditing and Assurance Standards Board (AUASB), provides guidance to auditors on identifying and assessing the risks of material misstatement of financial statements, including risks associated with an entity’s ICT environment. Where an entity identifies significant and/or high risks of material misstatement of its financial statements, the entity should implement appropriate controls to mitigate those risks.

3.7.3 Protective security and ICT controls

The Protective Security Policy Framework (PSPF) and Australian Government Information Security Manual (ISM) set out the security and ICT control requirements for Commonwealth entities. The ISM specifies a broad set of ICT controls, designed to encompass the wide range of potential implementation scenarios for ICT systems. It is considered an entity’s responsibility to filter this list of ICT controls based on the functionality and componentry of ICT systems.

The entities need to implement and make risk-based assessments on the application of those ICT controls within the context of each specific ICT system as well as the broader networks or environments which house them. Where scenarios are found to exist that are not described or covered within the ICT controls detailed in the ISM, vendor and industry better practice is also used to inform the approach to applying ICT controls.

3.7.4 Additional resources

3.8 Anticipating and responding to change

The CFO, the financial statements team and other key staff should keep abreast of developments affecting financial statements so that new or changed requirements are incorporated into revised procedures and practices as early as possible. To ensure that any changes to the entity’s operating environment are identified and their impact on the financial statements assessed in a timely manner, the financial statements team should monitor any changes in:

• legislation that the entity is required to comply with, including legislation the entity administers, particularly as a result of machinery of government changes
• government policy, in particular any new policy initiatives
• both financial and business management information systems
• the entity’s organisational structure.

It is equally important that the financial statements team identifies new or varied requirements arising from changes in financial reporting legislation and accounting standards. They should assess their effect on the entity’s financial statements and implement appropriate changes to accounting policies and/or financial statement presentation and disclosure where required.

3.8.1 Changes to the entity’s operating environment

The operating environment of Commonwealth entities is continually changing. It is therefore critical to constantly monitor changes in areas such as legislation, Government policy and accounting requirements.

Changes in an entity’s business environment can affect the preparation of an entity’s financial statements. It is therefore important that the financial statements team keeps abreast of changes or potential changes to an entity’s operations, to determine if decisions need to be made about the accounting and/or financial reporting implications.

Important sources of information include:

• AASB pronouncements (standards and interpretations)
• Finance guidance, including the annual Changes to standards relevant to financial statements summary
• CFO and officer-level forums and working groups run by Finance
• the ANAO’s CFO Forum.

3.8.2 Implementing changes to accounting requirements

The following steps can be taken to assist an entity in identifying and implementing changes in accounting requirements:

• assign specific responsibility for monitoring, identifying and assessing new and revised requirements
• where changes to accounting requirements will affect, in a substantive way, the entity’s accounting policies and presentation and disclosure in the financial statements, position papers should be prepared outlining the implications of the changes, including how those changes will be implemented. The auditor should be consulted promptly to obtain early agreement
• conduct reviews of the accounting policies at least annually, and assess whether the most appropriate accounting policies have been selected and whether presentation can be improved. Changes to an accounting policy should be made only if required by an AAS, or if they would result in the financial statements providing more reliable or more relevant information about the effects of transactions, other events or conditions on the entity’s financial position, financial performance or cash flows
• prepare draft statements including accounting policy notes for review and agreement by the auditor well in advance of the year-end
• brief the accountable authority, as required, on any changes that are likely to have significant implications on the financial statements, how these affect the financial performance and position of the entity, and obtain approval of proposed changes, where appropriate.

The timely and comprehensive identification and assessment of risks, both financial and operational, that may give rise to misstatements in the financial statements is critical to the production of good quality financial information. Better practice entities have robust internal control systems and practices in place to detect, prevent, and mitigate the risk of misstatement of an entity’s financial statements.

3.8.3 Additional resources