The Queensland Audit Office’s annual update for chief financial officers, and entity staff who are involved in preparing financial statements, helps us collaborate on emerging issues and any changes to financial reporting or auditing requirements.
This month, more than 500 attendees came along or live-streamed our latest session. In this blog, we highlight takeaways from the presentations by Queensland’s Auditor-General, our team of experts, and guest presenters from Queensland Treasury and the Department of Transport and Main Roads (DTMR).
The presentation slides are available on our website: www.qao.qld.gov.au/reports-resources/events.
Recent reports to parliament and forward work planning
The Auditor-General opened this year’s event with an overview of our recently tabled and upcoming reports to parliament, and introduced our new report, Information systems 2025 (Report 6: 2025–26). This new, yearly report assesses information systems controls that state government entities use and recognises the collective need across government for more focus on the security of information.
We highlighted the insights from our latest status of Auditor-General’s recommendations report. Each year, we ask entities to self-assess their progress in implementing the performance audit recommendations we have made in our reports. We bring together information on this progress, and share the common types of recommendations we make, those that entities are finding challenging to implement, and provide learnings for all entities to consider.
Some of the common types of recommendations we made in our reports tabled between 2016–17 and 2023–24 are outlined below.
| Number of recommendations by category | Underlying issues |
|---|---|
163 governance arrangements and oversight recommendations |
|
145 information systems and data management recommendations |
|
137 performance monitoring and reporting recommendations |
|
Source: Figure 1B, from 2025 status of Auditor-General’s recommendations (Report 3: 2025–26). Compiled by the Queensland Audit Office, using data self-reported by entities.
This report to parliament includes an accompanying interactive data dashboard which allows users to explore entities’ self-assessed progress, and tailor their search by year, report, entity, parliamentary committee, and implementation status. The report and dashboard can be particularly helpful for any entity involved in machinery of government (MoG) changes where functions, with related outstanding recommendations, have moved. Officers at responsible departments following a MoG change can better understand recommendations and progress made before the change.
We also discussed our process for selecting future audit topics and gave an update on our upcoming 2026–29 forward work plan. We are currently consulting with clients and stakeholders on the plan, with a draft plan to be issued for consultation in April, and the final plan published by 30 June 2026.
Expenditure and procurement deep dives
Our next presentation centred on our examination of how entities use public sector resources. In our audit work, we consider the ethical decision making of senior executives and other officials, if value for money is being achieved, and whether appropriate systems of internal control are in place.
Through our audits of state entities over the past year, we have seen a significant increase in opportunities for entities to strengthen policies and practices in contract management and procurement, including conflicts of interest, and the use of procurement exemptions such as single supplier exemptions.
In our work with local governments, we identified opportunities to strengthen procurement policies and practices related to maintaining contract registers, compliance with delegations, and demonstrating value for money.
Without well established and effective policies and practices in these areas, entities risk non-compliance with policies and applicable laws and regulations, and the inappropriate or indefensible use of public resources.
Controls assurance reports – outsourcing, third-party systems
Many government entities are relying on outsourced systems or third-party service providers to deliver services. In our presentation on controls assurance reports, we discussed why it is important for entities to understand the controls that their third-party providers have in place for ensuring secure systems, what their provider’s obligations are, and what this means for the entity’s own control environment.
The main risks when outsourcing systems relate to understanding the control environment, ineffective data security, inadequate privacy management, lack of business continuity resilience, the subservice and outsourcing chain, and compliance and regulation requirements.
We outlined how entities can obtain from their provider what is known as an ASAE 3402 ‘Assurance report on controls at a service organisation’. These reports are prepared by the service organisation and include an assurance opinion on the report from the service organisation’s auditor. We explained how to use these reports, including assessing whether the provider’s control objectives align with the entity’s risk profile, and whether the auditor identified where controls were not appropriately designed or were not operating effectively and remediation needs. We also discussed how these reports should be used to identify the complementary controls that user entities need to implement to ensure there are no gaps across the combined control environment.
In our latest performance audit on Managing third-party cyber security risks (Report 13: 2025–26), we examined how effectively selected public sector entities identify and manage cyber security risks posed by third-party vendors.
Fraud controls
We started our session on fraud with a profile of fraudsters and perpetrators, and we outlined the common contextual and environmental challenges that can increase instances of fraud. These include high trust levels, high staff turnover, cost of living pressures, complexity of supply chains, the increase in cyber attacks, and higher levels of drug and gambling addiction.
From across our audit work, we continue to find that instances of fraud are commonly due to poor controls over updates to employee and supplier information. For example, failing to have an effective process for changing supplier bank account details, such as independently verifying the change to a known reliable source.
We also referred to our Information systems 2025 (Report 6: 2025–26) report mentioned above, which reminds entities to secure their systems to prevent unauthorised access that may result in fraud or error.
We outlined our Fraud risk assessment and planning model that helps entities document their assessments of fraud risk, and how they will control, monitor, and report those risks. Our Fraud and corruption self-assessment tool helps entities identify the areas where they can improve fraud controls.
Financial reporting outcomes and streamlining financial statements
At the start of the technical presentations, we noted that around 10 years ago, there was a significant focus from the Australian Accounting Standards Board (AASB), Queensland Treasury, and preparers on streamlining financial statements. However, the length of financial statements has begun to grow again.
Both the AASB and Queensland Treasury (and Department of Local Government, Water and Volunteers for councils) have embedded materiality as a central principle in effective financial reporting. The expectation is not maximum disclosure – it is meaningful disclosure.
We reminded our event attendees of the broad concepts; that boilerplate disclosures can be removed, and that they should focus on enhancing user understanding.
Finance automation
We were joined by our presenter from DTMR, who covered a customer-focused finance automation project that is transforming the department’s planning, budgeting, and forecasting processes. Our guest presenter spoke about how he led his team to deliver real-time insights and optimise performance focusing on forward looking information.
Queensland Treasury update – accounting standards
Queensland Treasury updated attendees on new and future accounting standards. While the changes for the current and next financial year are not expected to have a significant effect on most entities, the Treasury presentation focused on areas for entities to consider when determining if they are affected.
Queensland Treasury also emphasised that departments and statutory bodies within whole-of-government (WOG) are not to apply the AASB sustainability standard S2 Climate-related Disclosures. AASB S2 is only mandatory for certain entities reporting under the Corporations Act 2001.
The internal WOG emissions reporting to Queensland Treasury required for departments and large statutory bodies was generally well completed in 2024–25 and will be undertaken again in 2025–26.
Local governments and universities are not required to prepare public climate-related financial disclosures. Though if they have borrowings with QTC they may be required to provide relevant climate related information to it.
QAO technical matters
We then discussed AASB 18 Presentation and disclosure in financial statements. AASB 18 is expected to commence from 1 January 2027 for for-profit entities and 1 January 2028 for not-for-profit entities.
This standard is expected to involve significant changes to the way the profit and loss statement is presented for for-profit entities. The main change involves classifying revenue and expenses into operating, investing, and financing activities. The AASB is currently proposing this change is not required for not-for-profit entities.
We reminded attendees about QAO’s fact sheet on Preparing position papers for accounting matters and valuation. It provides:
- accounting advice – entities should consider alternate approaches, and not just the desired outcome, challenge the advice, and apply to their scenario
- valuations – the need for management assessment, and that entities with good asset managers with sufficient capacity and skills are likely to be able to undertake interim valuations themselves.
We also outlined a common issue we have seen entities encounter in the planning, design, and construction of major projects. Our latest blog: Insights on determining the capitalisation point of major projects, provides more information on our approach.
Climate risks governance
In our final presentation, we shared that while most entities are not required to report climate-related emissions and financial disclosures, managing climate-related risks and opportunities is an important part of effective entity governance. We covered the key considerations each public sector industry should be discussing with their management teams and incorporating into their risk management framework.
Resources
Related article
As the end of the year draws closer, now is the time to think about the fundamentals of your internal control environment and ensure staff working over the holiday break are fraud aware.