Report 13: 2020–21

State entities 2020

Audit objective

This report summarises the financial audit results of Queensland state government entities for 2019–20, including the 22 government departments.

Overview

Most public sector entities, including departments, statutory bodies, government owned corporations, and the entities they all control, prepare annual financial statements and table these in parliament. This report summarises their audit results; evaluates the quality and timeliness of financial reporting; and explores how entities addressed the risks of rapidly delivering new pandemic-related programs in 2020.

Tabled 11 February 2021. 

Elim Beach

Auditor-General’s foreword

This year, Queensland state government and local government entities all tackled the challenges of delivering their services during a period of rapid change and emerging risk. Entities faced more complex community service needs, and continued pressure on their efficient use of resources.

During this period, the Queensland Audit Office (QAO) continued to work closely with entities to deliver audit opinions on the accuracy and reliability of their financial statements. Working together, and the insights we share, continued as an essential part of our state’s integrity system.

I wish to recognise and thank the significant efforts entities took during our audits. Most of our clients completely adapted how they provided their information and data to us, so that we could deliver our services and reports to parliament.

Many of my upcoming reports to parliament were finalised throughout September and October 2020; however, consistent with my tabling protocols under the Auditor-General Auditing Standards, I chose to wait until after the state election caretaker period before sending them out for comment. I generally do not table reports during the caretaker period or estimates hearings.

I also wish to thank my workforce—QAO staff and our contracted audit service providers—for their commitment and dedication during this busy and unique period.

Notwithstanding the hard work by entities and QAO to achieve compliance with statutory reporting deadlines at a time of disruption, delays continue between the date state entity financial statements are certified and the date they are tabled in parliament by the relevant minister as part of the entity's annual report.

Given the uncertainties of what 2021 may bring, QAO will continue to work with entities to further refine our respective processes based on our learnings from 2020. I anticipate a demanding year ahead for many; and my staff and I will be here to support.

Brendan Worrall
Auditor-General

Report on a page

Financial statements are reliable

This report summarises the results of 2019–20 financial audits of Queensland state government entities, including the 22 government departments. Most financial statements were signed on time, which was a significant achievement given the challenges presented by COVID-19.

The financial statements of all departments and government owned corporations, most statutory bodies, and the entities they all control, are reliable and comply with reporting requirements. The Queensland Rural and Industry Development Authority (QRIDA) was unable to reliably estimate the loans that will be repaid in the future under the COVID-19 Jobs Support Loan Scheme. This aspect of its financial statements could not be relied on.

Most government departments have processes and systems that allow them to produce good quality financial statements. Departments can continue to strengthen their financial reporting processes, particularly in relation to monthly reporting and use of automation.

The rapid response to COVID-19 brings risk

The COVID-19 pandemic has required fast delivery of new government programs, including payments to businesses and individuals. This has provided timely support to the community but increased the risk that some payments may not go to the most appropriate people.

Our recent report to parliament—Queensland Government response to COVID-19 (Report 3: 2020–21)—highlighted the importance of government-led programs being supported by sound controls to manage additional risks, as well as effective governance and leadership.

QRIDA has provided almost $1 billion in loans under the COVID-19 Jobs Support Loan Scheme to businesses in need. Given the uncertain economic conditions, it is difficult to estimate the ability of these businesses to repay the loans.

More than 11,000 applications were received over five days for round one of another pandemic‑related program—Small Business COVID-19 Adaption Grants, provided by the Department of Employment, Small Business and Training. Additional support and new processes were established to respond to the demand for the grants.

Also, to help businesses with cash flow, the government has reduced the time it takes to pay non‑government suppliers—from 19 days to four days.

Strong information systems controls are critical

The number of cyber attacks has doubled this year. Cyber criminals are attempting to take advantage of the disruption caused by COVID-19 to steal sensitive information and valuable assets. Information systems must be protected by people and processes with strong security practices.

This continues to be the area where we identify most issues, particularly in relation to access to systems. Entities cannot take a ‘set and forget’ approach. They must update their systems promptly to respond to changes within their entity and to remain protected from external threats.

Recommendations for entities

Use recent financial statement preparation experiences, including responses to the COVID-19 pandemic, to identify improvements and plan for the year ahead (all entities)

REC 1

We recommend all entities use their recent financial statement preparation experiences to update their initial self-assessment against the maturity model available on our website. This should include reflection on the process changes made in response to the COVID-19 pandemic, and planning early for the 2020–21 financial statements, given the uncertainty about what challenges the year ahead might bring. Where areas for improvement are identified, each entity should establish an implementation plan, with oversight by its audit committee.

Where a machinery of government change has resulted in functions moving between departments, departments should conduct a review to align their financial statement preparation processes within the new department and reassess the maturity of those processes.

Improve timeliness of financial statements being made publicly available (relevant ministers and central agencies)

REC 2 We continue to encourage relevant ministers and central agencies to explore opportunities for releasing the audited financial statements of public sector entities in a more timely way. This could be by specifying the maximum number of days between financial statement certification and tabling (as has been done for Queensland local governments, with one month to table their annual report in council), or by allowing entities to publish financial statements on their websites prior to the tabling of their annual reports in parliament.

Strengthen the security of information systems (all entities)

REC 3

We recommend all entities strengthen the security of their information systems. They rely heavily on technology, and increasingly, they must be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage.

Their workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.

Entities should:

  • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
  • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
  • regularly review user access to ensure it remains appropriate
  • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
  • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
  • encrypt sensitive information to protect it
  • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

Entities should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

Verify changes to supplier and employee information to prevent fraud (all entities)

REC 4 We recommend all entities ensure requests to change employee and supplier bank account details are verified using independently sourced information and reviewed by a person who is not involved in processing the change.

Promptly review employee payments (all entities)

REC 5 All entities need to ensure managers: have ready access to payroll reports that are easy to use and contain all required information; understand the importance of reviewing these reports in a timely manner each fortnight; and have a consistent and efficient process for documenting their review.

Automate financial approvals and monitoring of internal controls (all entities)

REC 6 All entities need to ensure their systems and processes (internal controls) are set up so financial approval occurs correctly in the financial system. They also need to invest in tools that will promptly detect breakdowns in internal controls.

Ongoing compliance with financial accountability requirements following a machinery of government change (departments)

REC 7 When a machinery of government change occurs and functions move between departments, departments should promptly conduct a review to ensure consistency of fundamental processes (such as approvals) and compliance with the Financial Accountability Act 2009 and the Financial Accountability Handbook.

1. Entities in this report

This report includes the results of financial audits for all Queensland government entities. These entities are listed in appendices C and G. Given the effect the COVID-19 pandemic has had in 2020, this report also explores how Queensland government entities have addressed the risks of rapidly delivering new pandemic-related programs.

FIGURE 1A
Queensland state government entities

Note: * This does not include entities exempted from audit by the Auditor-General under Appendix E and entities not preparing financial reports under Appendix F.

Queensland Audit Office.

The report includes our evaluation of the financial reporting of departments, and our assessment of their controls over financial systems and processes—with learnings for all state government entities.

FIGURE 1B
Queensland government departments as at 30 June 2020*

Note: *Department names and responsibilities were changed by Administrative Arrangements Order (No.2) 2020 made by Governor in Council on 12 November 2020. This report reflects the departments that existed during 2019–20.

Queensland Audit Office.

Our assessments of the financial reporting and internal controls of water, energy, transport and health entities are included in our sector reports on our website.

2. Rapid response to support business through COVID-19

The Queensland Government announced a range of measures in response to the COVID‑19 pandemic. Our report to parliament—Queensland Government response to COVID‑19 (Report 3: 2020–21)—gave an overview of measures announced up to 21 August 2020.

These include two significant initiatives designed to support businesses in Queensland—the COVID‑19 Jobs Support Loan Scheme and the Small Business COVID-19 Adaption Grants. These two initiatives were delivered by two entities included in this report. In this chapter, we assess how they have addressed the risk of delivering new programs in a short time frame during the pandemic.

Chapter snapshot

Image showing Support for businesses-more than $4.6 bil. COVID-19 Jobs Support Loan Scheme-$1 bil. program: 6,928 loans have been approved as at 31 Oct 2020; cafes and restaurants were the largest beneficiaries receiving 441 loans ($63.3 mil.) as at 31 Oct 2020; the risk of loans not being repaid is higher due to uncertain economic conditions. This risk could not be reliably estimated as at 30 June 2020. Small business COVID-19 Adaption Grants-$196 mil. program: round one was over-subscribed, and applicati

Rapid delivery of COVID-19 Jobs Support Loan Scheme

The Queensland Government provided the $1 billion COVID-19 Jobs Support Loan Scheme to help Queensland businesses and non-profit organisations financially impacted by COVID-19. A priority of the scheme, administered by the Queensland Rural and Industry Development Authority (QRIDA), was to assist businesses as quickly as possible so they could retain employees and continue operations under the extraordinary economic conditions.

To achieve this, the processes were simplified and QRIDA temporarily expanded its workforce to rapidly assess the high volume of loan applications received.

The scheme opened to applications on 26 March 2020 and by 30 June 2020 QRIDA had approved 6,825 applications (88.1 per cent of total applications were approved) for $982.4 million.

FIGURE 2A
Overview of COVID-19 Jobs Support Loan Scheme

Note: Loans reported per industry are as at 30 June 2020.

Queensland Audit Office.

While loans were provided across the state, there was a high concentration of approved loans in South East Queensland, as shown in Figure 2B. This is in line with the high concentration of Queensland’s registered businesses in South East Queensland.

FIGURE 2B
Location of approved applicants
Loans by locality and size. Funding provided across 54 local government areas. Top five local government areas to receive loans as at 31 October 2020: Brisbane—$340.89 mil. Gold Coast—$159.96 mil. Sunshine Coast—$74.96 mil. Moreton Bay—$60.74 mil. Logan—$45.71 mil.

Queensland Audit Office.

Risk of loans not being fully repaid due to uncertain economic conditions

When governments provide immediate relief in response to disasters and emerging events, it is not unusual for them to streamline regular assessment processes to allow for faster payment. While QRIDA still applied eligibility criteria for the COVID-19 Jobs Support Loan Scheme, it had a greater tolerance than usual for applicants with a high risk of not being able to repay the loan.    

In undertaking its assessment, QRIDA reviewed loan documentation including financial information provided, contacted applicants directly to discuss their business and COVID-19 impact, and also obtained the credit risk rating of applicants from an independent data provider. Figure 2C shows the percentage of approved loans grouped by credit risk rating. A lower risk rating suggests a good chance of repayment, while other ratings indicate that this may prove more challenging. While most loans were approved to businesses with a low to moderate risk rating, five per cent of businesses assessed as high risk or worse received loans, as shown in Figure 2C.

FIGURE 2C
Breakdown of number of loans issued by credit risk rating at 30 June 2020
Image of a doughnut graph, showing Minimal to Low: 45%; Average to Moderate: 51%; High: 3%; Very high: 1%; Severe: less than 1%.

Queensland Audit Office.

As the COVID-19 Jobs Support Loan Scheme was only launched in March 2020, and no repayments are required during the first year of the loan, the impact of the COVID-19 pandemic on the future financial viability of the loan recipients is not yet known.

QRIDA provided analysis and an estimate of the loans that would be repaid in the future. Given the uncertain economic conditions, we determined this estimate could not be relied on and qualified our audit opinion on QRIDA’s 2019–20 financial statements.

High demand for Small Business COVID-19 Adaption Grants

The Small Business COVID-19 Adaption Grants program provided up to $10,000 for small businesses subject to closure or highly impacted by the COVID-19 shutdown restrictions. It was intended to assist those businesses to adapt and sustain their operations and build resilience.

To achieve this, the grants had to be assessed and paid quickly. However, given strong demand for the program, the applications also had to be assessed fairly, so the right businesses received the available funding.

The Department of Employment, Small Business and Training (the department) managed the first round of funding, which opened on 19 May 2020, with $96 million available. The department aimed to achieve a balance between speed and accuracy in assessing applications by:

  • using its existing grants system and reassigning employees from across the department and other government entities to assist with assessing the high volume of grant applications
  • developing clear program guidelines, including eligibility criteria against which each application was assessed, to ensure criteria were met before payments were approved.

Applications for round one closed within five days, with 11,702 applications submitted and over 100 per cent of the available funds requested. The department made payments promptly once the required documentation was provided and grants were approved. Most payments were made progressively over the three months after the funding round was closed to applications, as shown in Figure 2D.

FIGURE 2D
Applications received and payments made under round one of the Small Business COVID-19 Adaption Grants program

Queensland Audit Office.

The department had difficulties gathering the information it needed to assess the applications. Also, not all employees had experience in assessing these types of grant applications. To simplify matters, the department made arrangements with other government entities to access information they held about the applicants. This reduced the information applicants had to provide and improved the automation of the assessment process. The department also implemented additional review processes.

In response to the high demand, a second round of funding was opened on 1 July 2020, with $100 million available. Half of this funding will be directed to regional small businesses located outside of South East Queensland. The Queensland Rural and Industry Development Authority is administering this round on behalf of the department.

Faster payment of supplier invoices 

In response to the COVID-19 pandemic, the Queensland Government reduced government payment times to small business to assist with their cash flow. Figure 2E shows the significant decrease in the time departments took to pay non-government suppliers in the final months of 2019–20.

FIGURE 2E
Decrease in days between invoices and payments by departments to non-government suppliers by quarter over the last two financial years
Image showing column graph that shows 2019-20 Qtr 4 is much lower than the other quarters

Queensland Audit Office, compiled from department invoices and payments.

3. Results of our audits

This chapter provides an overview of the audit opinions we issued for each Queensland state government entity. It assesses the maturity of departments’ processes for preparing financial statements. It also evaluates the timeliness with which departments’ financial statements are made public.

Chapter snapshot

Image showing: 209 unmodified opinions issued (financial statements of most entities are reliable); all departments have mature financial statement preparation processes; 32 days to make departments' financial statements public (no change from prior year).

Audit opinion results for all state entities

This year, most Queensland state government entities continued to prepare good quality financial statements that were certified by their legislative deadline. This was a significant achievement in light of the disruption caused by the COVID-19 pandemic. This was the result of sound financial reporting practices established over many years. Entities should continue to build on these practices, as they plan for an uncertain year ahead.

We issued unmodified audit opinions for 95 per cent of the 2019–20 financial statements audited (2018–19: 96 per cent) at 31 October 2020. All the departments, government owned corporations, and most of the statutory bodies received unmodified audit opinions, which indicates the results reported in their financial statements can be relied upon. Appendix C lists the audit opinions we issued for 220 entities in 2020.

Definition

We express an unmodified opinion when the financial statements are prepared in accordance with the relevant legislative requirements and Australian accounting standards.

We express a modified opinion when financial statements do not comply with the relevant legislative requirements and Australian accounting standards and, as a result, are not accurate and reliable.

FIGURE 3A
Audit opinions issued for Queensland state public sector entities for 2019–20
Entity type | Unmodified opinions | Modified opinions | Opinions not yet issued
Departments and entities they control (controlled entities) | 32 | 0 | 0
Government owned corporations and controlled entities | 16 | 0 | 0
Statutory bodies and controlled entities | 114 | 11 | 8
Jointly controlled entities | 34 | 0 | 1
Entities audited by arrangement | 13 | 0 | 0
Total | 209 | 11 | 9

Queensland Audit Office.

Modified audit opinions

We issued 11 modified opinions in 2019–20 (2018–19: eight). These included three disclaimers (meaning the financial statements cannot be relied on) and eight qualified opinions (issued when the financial statements are fairly presented, with the exception of a specified area).

The disclaimers relate to small water boards, while the qualified opinions relate to two hospital foundations, four water entities, a training college, and a development authority. The qualifications relate to incorrect values of property, plant and equipment; unrecorded liabilities; inability to confirm the accuracy and completeness of revenue; and inability to reliably estimate the recoverability of loans.

Emphasis of matter

We included an emphasis of matter in our audit reports on 40 financial statements (2018–19: 40), to highlight areas we believe users need to be aware of. This did not modify the audit opinion. We highlighted that:

  • only certain accounting standards were used in the preparation of the reports, and the reports were not intended for other users
  • uncertainty exists over whether an entity is going to be able to pay its debts as and when they fall due
  • an entity has been dissolved.

Opinions not yet issued

Appendix G lists those entities whose audits are not yet complete. Most of these entities are water boards or improvement trusts that did not meet the legislative deadline of 31 August.

Finalisation of overdue financial statements

We also issued 19 of the 30 audit opinions for financial statements from prior years that were outstanding as at 31 October 2019. The remaining 11 continued to be outstanding as at 31 October 2020. The 19 audit opinions we issued included two qualified and two disclaimed opinions on small water boards, relating to the valuation of property, plant and equipment assets, and the basis of financial statement preparation. Appendix H provides details about these audit opinions.

Entities exempted from audit by the Auditor-General

This year, six Queensland state government entities were exempted from audit by the Auditor‑General (2018–19: 12). This occurs where the Auditor-General deems an entity to be small and of low risk to the Queensland Government as a whole. Exempt entities are still required to engage an appropriately qualified person to audit their financial statements. Appendix E lists the entities, and the reasons for their exemptions.

Entities not preparing financial statements

Not all Queensland public sector entities produce financial statements. This year, 140 entities were not required, either by legislation or the accounting standards, to prepare financial statements (2018–19: 184). We have identified them in Appendix F.

Departments have mature financial statement preparation processes in place

This year, we worked with state government entities as they undertook an initial self-assessment of their financial statement preparation processes using the maturity model on our website. Departments assessed their preparation processes as mature, which means they support the timely preparation of good quality financial statements.

FIGURE 3B
Self-assessments against the financial statement preparation maturity model for 22 departments

Note: Assessments were performed during 2019–20 for departments that existed at the beginning of that financial year. Since these assessments were performed, machinery of government changes were announced in May and November 2020 that changed department names and responsibilities.

Queensland Audit Office.

Most of the large and well-established departments have more mature processes in place. Some smaller departments, and those more recently affected by machinery of government changes (prior to 2020), assessed their processes as being less mature, but appropriate for them. Processes are often tailored to suit the size of the entity.

Strengths across the sector included:

  • timely valuations for property, plant and equipment and infrastructure assets, with clear instructions provided to valuation experts and robust reviews of their reports
  • continuous refinement of financial statements to reflect operations and the needs of users
  • good engagement with auditors on financial reporting issues, improvements to processes, and upcoming accounting standards.

Almost half of the departments identified an opportunity to improve their monthly reporting through analysis that provides better insights into the reason for differences between budgeted and actual financial results. This is particularly challenging for large entities with diverse operations across the state.

Financial statements are commonly prepared using spreadsheets and word processing tools. Most entities consider these to be fit for purpose, but they recognise there may be opportunities to further automate the preparation of financial statements.

Recommendation for all entities

Use recent financial statement preparation experiences, including responses to the COVID-19 pandemic, to identify improvements and plan for the year ahead (REC 1)

We recommend all entities use their recent financial statement preparation experiences to update their initial self-assessment against the maturity model available on our website. This should include reflection on the process changes made in response to the COVID-19 pandemic, and planning early for the 2020–21 financial statements, given the uncertainty about what challenges the year ahead might bring. Where areas for improvement are identified, each entity should establish an implementation plan, with oversight by its audit committee.

Where a machinery of government change has resulted in functions moving between departments, departments should conduct a review to align their financial statement preparation processes within the new department and reassess the maturity of those processes.

Delay in public release of financial statements

Despite the significant disruption caused by the COVID-19 pandemic, all departments and most state government entities managed to prepare good quality financial statements that were certified by the legislative deadline of 31 August 2020.

Notwithstanding the hard work by entities and QAO to achieve compliance with statutory reporting deadlines at a time of disruption, delays continue between the date state entity financial statements are certified and the date they are tabled in parliament by the relevant minister as part of the entity’s annual report.

A delay in publishing the financial statements can mean the information is no longer as relevant as it could be, because time has moved on. Events may occur between the date of signing and the date of tabling that require the financial statements to be reassessed and possibly re-signed.

Ministers are required to table the annual reports of departments and statutory bodies (including their financial statements) in parliament within three months of year end. Until they do this, departments and statutory bodies are not able to publish their financial statements.

There was no change from the previous year in the average time taken to make departments’ financial statements public by tabling the annual report in parliament (being 32 days after the statements were certified). Once ministers received departmental annual reports, on average they took 21 days to review the reports before tabling them in parliament. Similar delays also exist in making the financial statements of statutory bodies and government owned corporations publicly available.

These averages exclude one department’s annual report, which was tabled on 15 December 2020—after the legislative tabling deadline of 30 September and 109 days after its annual financial statements were certified.

All but one of the departmental annual reports were tabled over a six-day period at the end of September 2020, starting two days earlier than in 2019.

FIGURE 3C
Dates for certification and publication of financial statements for 22 departments

Queensland Audit Office.

Recommendation for relevant ministers and central agencies

Improve timeliness of financial statements being made publicly available (REC 2)

We continue to encourage relevant ministers and central agencies to explore opportunities for releasing the audited financial statements of public sector entities in a more timely way. This could be by specifying the maximum number of days between financial statement certification and tabling (as has been done for Queensland local governments, with one month to table their annual report in council), or by allowing entities to publish financial statements on their websites prior to the tabling of their annual reports in parliament.

4. Internal controls at state entities

We assessed whether the systems and processes (internal controls) entities use to prepare financial statements are effective. The strength of an entity’s internal controls is driven by the quality of its people, systems, and processes. Strong internal controls can ensure an entity achieves its objectives, prepares reliable financial reports, and complies with applicable laws. Key features of an effective internal control framework include:

  • strong governance that promotes accountability and supports strategic and operational objectives
  • secure information systems that maintain data integrity
  • comprehensive, relevant policies and procedures that are clear and concise
  • regular monitoring and internal audit reviews.

While we focus primarily on departments, we have identified common issues that all entities should consider.

In this chapter, we also consider how government entities have maintained their internal controls during a time of changing work arrangements and increasing cyber attacks.

Maintaining internal controls during a period of significant change

Most entities made the transition to staff working from home in March 2020 to comply with COVID-19 restrictions and support social distancing. We are now seeing a combination of staff working from home and in the office as restrictions ease.

These changes in working arrangements increased the risk of controls failing, due to changes in business processes (including increased reliance on technology—for example, allowing remote access, and using electronic signatures) and reduced capacity for oversight.

The government shared service provider adapted well to staff working from home

Queensland Shared Services (QSS) provides a range of payroll, accounts payable and information systems services to the vast majority of the departments. As such, it had a major role to play in dealing with the changes associated with staff working from home.

QSS enacted plans in March 2020 to ensure services were maintained and Queensland Government employees and suppliers continued to be paid during the pandemic. These plans involved:

  • prioritising critical activities to be performed by a combination of remotely working and socially distanced, office-based staff
  • modifying business processes so they could be performed remotely
  • implementing secure technologies to facilitate remote access
  • engaging widely with customers, stakeholders, and partners to ensure there was a shared understanding of these plans, and that all suppliers had appropriate strategies in place to respond to COVID-19.

These actions meant that, from a service delivery perspective, QSS was able to maintain business as usual. Our testing of its internal controls confirmed that they continued to be implemented appropriately as at 30 June 2020.

Internal controls are generally effective, but common weaknesses continue

We assessed the internal controls used by departments and found most can be relied on for preparing financial statements. However, we identified and reported more issues to departments this year than we did last year. They are the same types of issues as last year. Entities need to ensure they have established appropriate internal controls in these areas.

Strengthen security of information systems

FIGURE 4A
Identified weaknesses in information systems

Source: Queensland Audit Office.

An entity’s information systems are used extensively to process the information for preparing financial statements. Weaknesses in information systems controls increase the risk of undetected errors or potential financial loss, including from fraud.

All entities across the public sector need their people and processes to have strong security practices, so that information systems are promptly updated—to respond to changes within their entity and to ensure the systems remain protected from external threats.

Most weaknesses in information systems occur because entities do not have well established processes to keep their systems up to date. Entities cannot take a ‘set and forget’ approach to information systems. They must be vigilant, and respond promptly to change, for example:

  • when an employee resigns or their responsibilities change, their access to information systems needs to be removed or updated
  • most systems have regular updates from the system supplier. These need to be tested and installed to ensure known security weaknesses are removed.

This year there has been a dramatic increase in external attacks, as cyber criminals attempt to take advantage of changes in working arrangements necessitated by the COVID-19 pandemic. Figure 4B shows the increase in cyber attacks since September 2019, with a significant and sustained escalation since the start of the pandemic in February 2020.

FIGURE 4B
Monthly cyber attacks have doubled over the 12 months to August 2020

Source: CITEC—whole-of-government internet gateway monitoring.

There has also been a significant increase in phishing across the private and public sectors. Phishing scams trick people into providing confidential information through email or message platforms. For the year to July 2020, the average number of phishing attacks increased by nearly 200 per cent, with attacks in August 2020 increasing by more than 800 per cent to over 8 million—the highest number recorded in a month in the Queensland public sector.

CITEC’s Queensland Government Cyber Security Operations Centre provides the first defence in the Queensland Government’s cyber protection and plays a role in coordinating incident responses across agencies. CITEC reported that it has:

  • successfully blocked an average of 66,000 malicious domain name system requests per minute. These attempt to divert internet traffic away from legitimate servers toward fake ones
  • defended against an average of 30,000 cyber attacks per day that aim to shut down a system or network
  • implemented a service that monitors departmental networks and generates alerts for any potential incident.

Cyber threats will continue and are likely to increase. Protecting the Queensland Government from them requires all entities to remain vigilant in managing their cyber security risks. Security is like a chain: one weak point can disrupt the integrity of the whole structure. Cyber security is only as strong as the weakest link.

Recommendation for all entities

Strengthen the security of information systems (REC 3)

We recommend all entities strengthen the security of their information systems. They rely heavily on technology, and increasingly, they must be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage.

Their workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.

Entities should:

  • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
  • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
  • regularly review user access to ensure it remains appropriate
  • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
  • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
  • encrypt sensitive information to protect it
  • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

Entities should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

Independently check changes to supplier and employee details

Fraudsters continue to target the Queensland public sector. As mentioned earlier, there has been a significant increase in phishing scams noted since the start of the COVID-19 pandemic. These scams often involve emails requesting fraudulent changes to bank account details for both employees and suppliers. We continue to identify weaknesses in entities’ controls for independently verifying and regularly monitoring changes to supplier and employee bank account details.

Recommendation for all entities

Verify changes to supplier and employee information to prevent fraud (REC 4)

We recommend all entities ensure requests to change employee and supplier bank account details are verified using independently sourced information and reviewed by a person who is not involved in processing the change.

Review payroll monitoring reports

Payroll reports are used across departments to assist managers in ensuring the validity and accuracy of employee payments. We commonly find these reports are not checked in a timely manner, or at all. This increases the risk that errors, or fraudulent transactions such as invalid payments for overtime or allowances, will not be detected.

Recommendation for all entities

Promptly review employee payments (REC 5)

All entities need to ensure managers: have ready access to payroll reports that are easy to use and contain all required information; understand the importance of reviewing these reports in a timely manner each fortnight; and have a consistent and efficient process for documenting their review.

Address weaknesses in supplier payment processes

We identified instances where payments were not approved in accordance with an entity’s financial delegations, and duplicate payments to suppliers had occurred.

Most finance systems are set up to automatically send transactions to a financial delegate for approval. But this is dependent on systems being promptly updated when employees change positions, so their financial delegations in the systems are correct. These automated processes must be consistently used and not overridden based on approvals that occur outside the system.

Entities should also invest in tools to promptly detect errors or fraudulent payments, including duplicate transactions and those that have not been correctly approved.

Recommendation for all entities

Automate financial approvals and monitoring of internal controls (REC 6)

All entities need to ensure their systems and processes (internal controls) are set up so financial approval occurs correctly in the financial system. They also need to invest in tools that will promptly detect breakdowns in internal controls.
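
An added illustration of the kind of monitoring tool described above (not part of the audit report and not any entity's actual system): a check over a payment extract that flags approvals outside the delegate's limit or outside the system, the same person entering and approving a payment, and likely duplicate payments. The field names, delegation limits, sample payments and 30-day duplicate window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data (amounts in cents); all names and values are hypothetical.
DELEGATIONS = {"mgr_a": 1_000_000, "dir_b": 10_000_000}  # approver -> limit
COLS = ("id", "supplier", "invoice", "amount", "paid", "entered_by", "approver", "in_system")
ROWS = [
    ("P1", "S100", "INV-0042", 450_000, date(2020, 5, 4), "clerk_1", "mgr_a", True),
    ("P2", "S100", "inv 42", 450_000, date(2020, 5, 18), "clerk_2", "mgr_a", True),
    ("P3", "S200", "7781", 2_500_000, date(2020, 5, 20), "clerk_1", "mgr_a", True),
    ("P4", "S300", "A-19", 120_000, date(2020, 6, 1), "clerk_2", "clerk_2", True),
    ("P5", "S400", "B-7", 80_000, date(2020, 6, 2), "clerk_1", "dir_b", False),
]
PAYMENTS = [dict(zip(COLS, r)) for r in ROWS]


def invoice_key(raw):
    """Normalise an invoice number so 'INV-0042' and 'inv 42' compare equal."""
    cleaned = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", cleaned)  # drop leading zeros of digit runs


def find_exceptions(payments, delegations, window_days=30):
    """Return (payment_id, reason) pairs for a reviewer to follow up."""
    found, seen = [], defaultdict(list)
    for p in sorted(payments, key=lambda p: p["paid"]):
        limit = delegations.get(p["approver"])
        if not p["in_system"]:
            found.append((p["id"], "approved outside the finance system"))
        elif limit is None:
            found.append((p["id"], "approver holds no delegation"))
        elif p["amount"] > limit:
            found.append((p["id"], "amount exceeds approver's delegation"))
        if p["approver"] == p["entered_by"]:
            found.append((p["id"], "entered and approved by the same person"))
        # Same supplier, normalised invoice number and amount within the window
        key = (p["supplier"], invoice_key(p["invoice"]), p["amount"])
        for earlier in seen[key]:
            if (p["paid"] - earlier["paid"]).days <= window_days:
                found.append((p["id"], f"possible duplicate of {earlier['id']}"))
                break
        seen[key].append(p)
    return found


if __name__ == "__main__":
    for payment_id, reason in find_exceptions(PAYMENTS, DELEGATIONS):
        print(payment_id, reason)
```

Matching on the normalised invoice number matters because re-keyed duplicates rarely repeat the original formatting exactly.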

Machinery of government changes can impact the effective operation of internal controls

Machinery of government changes were announced on 12 November 2020 that changed department names and responsibilities. This resulted in two departments being abolished and one new department created, with a total of 21 functions transferred between departments. Six departments were not impacted by these machinery of government changes.

The transfer of functions between departments can include the transfer of employees, assets and liabilities, information technology (IT) systems and applications, and controlled entities. It can take many months (and sometimes years) for the receiving department to fully integrate new functions into the department through the updating of policies, procedures and processes, and the alignment of IT systems.

While departments are experienced in managing machinery of government changes, during any period of change there is an increased risk of governance processes and internal controls not operating effectively, particularly when different systems and processes continue to be used within an entity.

Recommendation for departments

Ongoing compliance with financial accountability requirements following a machinery of government change (REC 7)

When a machinery of government change occurs and functions move between departments, departments should promptly conduct a review to ensure consistency of fundamental processes (such as approvals) and compliance with the Financial Accountability Act 2009 and the Financial Accountability Handbook.
