Good internal controls provide reasonable assurance that an entity is achieving its operational, reporting, and compliance objectives. They also serve to protect an entity from fraud or error. Accordingly, it is important that entities regularly assess their controls to ensure they are appropriately designed, implemented, and operating as intended.
Under section 77 of the Financial Accountability Act 2009, chief financial officers (CFOs) of government departments are delegated responsibility for:
- establishing, maintaining, and reviewing financial internal controls
- providing advice on the effectiveness of accounting and financial management information systems and financial controls in meeting the department’s requirements.
Each financial year, departmental CFOs are required to give the accountable officer a statement about whether the financial internal controls are operating efficiently, effectively, and economically. This statement must be provided before, or at the same time as, the CFO certifies the annual financial statements. Statutory bodies—such as hospital and health services—also do this to demonstrate better practice financial governance. We encourage them, and all public sector entities, to undertake this practice.
In preparing the statement on internal controls, CFOs are required to consider whether the entity:
- properly maintained its financial records
- had risk management systems that operated efficiently, effectively, and economically
- had any material changes that affected the operation of its internal controls since the last statement was provided
- obtained assurance over its operating processes and its controls that external service providers implemented on its behalf.
CFO statement framework
Given the extent of financial internal controls that may exist at an entity, in particular within departments, it is not practical or cost effective for the CFO to attest to each one every year. We recommend adopting a risk-based approach focusing on key financial internal controls that:
- ensure the entity’s financial resources are being used efficiently, effectively, economically, and in compliance with applicable legislation or policy requirements
- ensure the entity prepares its annual financial statements in a timely manner and that they are reliable
- help the entity prevent or detect fraud.
To support this, we recommend that CFOs develop an overarching framework for identifying and assessing the key financial internal controls that the statement covers.
The framework should identify:
- the legislative requirements for the CFO statement
- the key financial internal controls they will seek assurance over
- where the key financial internal controls are (either in the business or operated by a shared service provider) and who is responsible for implementing and operating them
- how the entity will obtain assurance over the operation of the controls, including required supporting evidence.
Preparing the CFO statement
The format of the statement and level of assurance should be discussed and agreed with the accountable officer early.
While there is no prescribed format for the statement, we recommend that, as a minimum, it addresses:
- the entity’s internal control and assurance framework
- significant areas of concern and their potential impact, and what action the entity has been taking to address them
- the status of issues reported in prior years
- changes and improvements to internal controls that the entity has identified and implemented.
It is important that there is appropriate documentary evidence to support the CFO’s assessments. While this may include information the CFO has prepared, they should also seek to rely on information that is readily available, including:
- results of internal audits conducted during the financial year
- results of continuous control monitoring processes
- assurance reports from external service providers, including reports prepared using the Australian Standard on Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organisation
- results of audits conducted by the Queensland Audit Office (QAO)—however, QAO is not the third line of defence in an entity’s control environment, and the results of an external financial audit over the general purpose financial statements should not be a key piece of the CFO assurance statement.
Where the CFO does not have direct visibility over key financial internal controls, they should seek separate assurances from the person responsible for the relevant business areas. This is particularly relevant for CFOs at continuing departments who have received new functions under the last machinery of government changes. CFOs will also need to consider how they will obtain assurance for controls that the former department continued to operate on their behalf for a period of time after the machinery of government change.
Audit committees can also play a key role in the development of the CFO assurance statement process. This includes providing feedback on the framework the CFO develops, the proposed format of the statement, and reviewing the statement prior to the CFO presenting it to the accountable officer. The audit committee may also benefit from this process by gaining a better understanding of the entity, and its processes and risks.