Observations from our 2016/17 central government audits
16 May 2018
Letter sent on 16 May 2018 to chief executives of government departments and Crown entities by Greg Schollum, Deputy Controller and Auditor-General sharing some observations on common issues and noteworthy practice from our 2016/17 annual audits.

Tēnā koe

I am writing to you and all other chief executives of government departments and Crown entities to share some observations on common issues and noteworthy practice from our 2016/17 annual audits.

As you know, the public sector environment is rapidly changing, including changes in public expectations and technology. There is also a stronger focus on cross-sector outcomes. Doing the basics well in this fast-paced and changing environment is challenging. Our audits indicate that, collectively, chief executives have done a good job maintaining a high standard of public sector management. However, there are some matters that need attention.

The fundamentals are working well

Most central government entities continue to have sound management and financial control environments. Our auditors reported, overall, that entities are better prepared than previous years and provided information on time for audit.

However, there are aspects that some entities need to focus more on:
• Strategic financial management remains one of the bigger challenges. We encourage entities to share their practice and, where possible, work together to improve capability.
• Staff who use the financial system in your organisation, particularly those holding financial and operating delegations, need a clear understanding of their entity’s internal control framework, including their roles and responsibilities.
• New entities, or entities that take on new functions, need to make financial management integral, rather than considering it as an afterthought. There were instances where entities realised this too late with functions or assets that they took on.
• Throughout the public sector, there are still significant challenges related to resolving historical holiday pay issues. Although we accepted entities recording contingent liabilities when the holiday pay obligation could not be reliably measured, it would be preferable if entities could quickly bring this issue to a conclusion.

• We recommend that entities have a system that enables transparent and reliable reporting on a day-to-day basis, supported by a process of checking for exceptions by experts. Our auditors noted that some independent reviews of financial transactions were handled too casually, not done, done manually, or not documented in a timely fashion.
• Supporting documentation for journals needs improvement and we encourage entities to have processes in place to ensure that all journals are appropriately supported. Journals are at risk of manipulation because they can be used to mask other transactions.
• Reconciliations of important control accounts are not being universally done well, which makes budget monitoring more challenging.
• Revenue recognition caused difficulties for several entities. In some instances, this was related to externally funded projects.
Information communications technology presents risks
Information Communications Technology (ICT) deserves a special mention, in part because our auditors continue to find basic issues, but also because of the growing seriousness of ICT-related risks and their potentially pervasive adverse impact. Our auditors found that entities have a greater awareness of cyber security and fraud access issues and have generally improved their practices. However, on the whole, entities would benefit from enhanced controls when it comes to preventing Information Technology (IT) fraud and mitigating risks of business interruption.

Some entities rely too much on contractors to manage ICT risks. Using external expertise should support internal capability, not replace it. Entities are still accountable for the risks. We suggest that entities spend time and resources on identifying their highest ICT risks. Some of this might require detailed work, for example, conducting an independent review of all virus signature updates.

Governance is generally sound

Many entities have appropriate governance arrangements, and the benefits are apparent in day-to-day operational oversight, reporting, and risk management. Significant change projects have also run well in part because of strong governance arrangements.

Good governance for large projects enables better oversight
Robust governance processes help ensure oversight at the main stages of project delivery. This includes the complicated area of IT project management. An appropriate governance setup might include an investment board, external risk and assurance committee, a focus on integrating risk management in the investment portfolio, and developing benefits reporting.

Managing change

Even when significant organisational changes were being implemented, our auditors found that most entities managed the immediate transition well.

Financial and general IT controls that we rely on for our audit work continued to operate during the organisational changes. The long-term challenge is benefits realisation. We are less certain about whether entities are always clear about what they want to achieve and are appropriately measuring benefits.

Below we make some observations on good practice in managing change:

• Entities need to have a good understanding of the risks that changes could present to the control environment and ensure that there are effective control and assurance measures in place to prevent and detect unauthorised or inappropriate activity. This applies particularly if there is significant change to staff roles and the operating culture.
• When core corporate teams (Finance, Human Resources, and Risk Assurance) are heavily affected by organisational changes, entities need to be aware of the particular risks that come from this, including the loss of critical institutional and financial knowledge.
• Taking a staged approach to managing change can help manage the risks inherent in delivering complex programmes compared to implementing change all at once.
• When restructuring is likely to result in liabilities, entities need to remain alert to the threshold for recognition of a liability being met, because this matter is likely to have implications for financial reporting in future periods.
• Entities need to be aware of the need to have sound processes for severance payments.
Performance reporting

Effective performance reporting has become a more complex task in an environment where organisations are seeking to achieve sector and system outcomes with other agencies. We are seeing some good examples of individual performance frameworks, but a lot more remains to be done to report effectively on outcomes achieved by more than one entity.

Below we make some observations on good practice in performance reporting:
• Performance reporting needs to align with the main strategies, and work is needed to improve the links between strategic priorities and measures of success.
• Entities should identify the main measures that reflect their overarching focus and objectives. If it is not clear to the reader what service an entity delivers, then important information is missing.
• Good performance reporting often needs to draw on a combination of data, case studies, and commentary integrated in the performance story.
• External measures and measures used for management decision-making should align.
• There needs to be an appropriate balance of timeliness, quantity, quality and, where appropriate, cost effectiveness measures.
• Sophisticated performance reporting provides trends over time and uses well calibrated benchmarks for performance, where possible drawing on comparator entities.
• Compiling a data dictionary can help entities understand if measures are fit for purpose.
• If your performance measures rely on third-party information, ensure that the information is independently verified and appropriate controls are in place.

Asset valuations

We have concerns about some entities’ asset valuation practices. These concerns are less about actual control deficiencies and more about entities’ substantive assessment of what they own and look after. Valuations are important for some entities because of the size of the asset, which feeds into the Crown’s balance sheet.

Even for entities without significant asset valuation issues, there are some general lessons that might usefully be applied to other functional aspects:
• The quality of information matters.
• Data collected needs to be suitable for the purpose it is collected.
• Methodologies are important for assessing condition, planning maintenance, and expenditure.
• Maintain ownership. You might contract out an activity such as asset valuations, but you are still accountable. We suggest that you mitigate the risk by keeping in touch with the contractor to ensure the resulting valuation reflects the environment in which you are operating.
• Maintain organisational oversight, consider an analytical review of main assets, and explain significant movements or lack of expected movements. This will help identify potential errors.
• If there is a time-lapse between asset valuations, we suggest entities analyse where values may have moved significantly and whether this could be material.

Procurement – reflecting on current strengths and what might still need attention

Our Office proposes to start a multi-year work programme on procurement in 2018/19. Our 2016/17 audits confirmed that entities generally follow appropriate procurement and contracting practices and have adequate processes for doing so.

However, we are less certain that procurement is well embedded in entities’ strategic planning. For our future work programme, we intend to focus more on how entities’ decisions reflect their strategic direction. We will also look at whether entities are clear about the benefits sought, well placed to monitor and report on benefits realisation, and making any needed changes to procurement arrangements.

We are aware of the changes in delivery models. Some entities have expanded their capability, including using private sector expertise so they can have more effective relationships with partners from the private sector and non-governmental organisations. However, recruiting staff who are new to the public sector poses challenges. We encourage entities to put in place thorough induction processes and ongoing support for these staff to ensure that private expertise can be harnessed effectively.

Below we list some of the foundations for effective procurement:
• Robust governance, independent assurance, and monitoring. There is a strong relationship between good governance, project management, and ability to conduct procurement effectively.
• Pre-tender market engagement that is commensurate with the complexity and risks of the envisaged commissioning.
• An overriding framework, supported by guidelines, which allows all the parties to procurement contracts to measure their performance consistently and accurately.
• Initiatives to build internal capability, such as undertaking procurement “health checks” throughout the organisation and creating a “community” of people who are regularly involved in procurement to analyse and learn from their practices.
• For complex procurement cases, preparing for possible outcomes and test whether the evaluation process and criteria are indeed suitable for securing desirable outcomes.
We have emphasised in the past our expectation to see procurement expertise embedded throughout entities as part of a core skill set. This will allow specialists to focus on difficult or highly technical cases. It is also becoming more important to have commercial and technical expertise on decision-making panels for large projects, especially for ICT infrastructure.
Grants
Because there is no specific accounting standard for grant accounting, policies have been prepared using other accounting standards and liability definition and recognition principles. This has resulted in different accounting practices for similar grant arrangements in the public sector. We acknowledge the challenges this has posed, but we encourage public entities to improve their management of grants. When grants are seen as not constituting procurement, they are often not treated with the same rigour, yet there are often significant amounts of money involved. Two main deficiencies we have found relate to:

• a lack of clear policies and guidance for grant activity; and
• failure to exercise an overview across different operating functions.
Please stay in touch
I encourage you to discuss this letter with your appointed auditor. I would also welcome dialogue with our Office. I suggest you contact the relevant sector manager in the first instance.
Nāku noa, nā

Greg Schollum
Deputy Controller and Auditor-General

© Scoop Media