State entities 2020

This year, Queensland state government and local government entities all tackled the challenges of delivering their services during a period of rapid change and emerging risk. Entities faced more complex community service needs, and continued pressure on their efficient use of resources.

During this period, the Queensland Audit Office (QAO) continued to work closely with entities to deliver audit opinions on the accuracy and reliability of their financial statements. Working together, and the insights we share, continued as an essential part of our state’s integrity system.

I wish to recognise and thank the significant efforts entities took during our audits. Most of our clients completely adapted how they provided their information and data to us, so that we could deliver our services and reports to parliament.

Many of my upcoming reports to parliament were finalised throughout September and October 2020, however, consistent with my tabling protocols under the Auditor-General Auditing Standards, I chose to wait until after the state election caretaker period before sending them out for comment. I generally do not table reports during the caretaker period or estimates hearings.

I also wish to thank my workforce—QAO staff and our contracted audit service providers—for their commitment and dedication during this busy and unique period.

Notwithstanding the hard work by entities and QAO to achieve compliance with statutory reporting deadlines at a time of disruption, delays continue between the date state entity financial statements are certified and the date they are tabled in parliament by the relevant minister as part of the entity's annual report.

Given the uncertainties of what 2021 may bring, QAO will continue to work with entities to further refine our respective processes based on our learnings from 2020. I anticipate a demanding year ahead for many; and my staff and I will be here to support.

Brendan Worrall
Auditor-General

Financial statements are reliable

This report summarises the results of 2019–20 financial audits of Queensland state government entities, including the 22 government departments. Most financial statements were signed on time, which was a significant achievement given the challenges presented by COVID-19.

The financial statements of all departments and government owned corporations, most statutory bodies, and the entities they all control, are reliable and comply with reporting requirements. The Queensland Rural and Industry Development Authority (QRIDA) was unable to reliably estimate the loans that will be repaid in the future under the COVID-19 Jobs Support Loan Scheme. This aspect of its financial statements could not be relied on.

Most government departments have processes and systems that allow them to produce good quality financial statements. Departments can continue to strengthen their financial reporting processes, particularly in relation to monthly reporting and use of automation.

The rapid response to COVID-19 brings risk

The COVID-19 pandemic has required fast delivery of new government programs, including payments to businesses and individuals. This has provided timely support to the community but increased the risk that some payments may not go to the most appropriate people.

Our recent report to parliament—Queensland Government response to COVID-19 (Report 3: 2020–21)—highlighted the importance of government-led programs being supported by sound controls to manage additional risks, as well as effective governance and leadership.

QRIDA has provided almost $1 billion in loans under the COVID-19 Jobs Support Loan Scheme to businesses in need. Given the uncertain economic conditions, it is difficult to estimate the ability of these businesses to repay the loans.

More than 11,000 applications were received over five days for round one of another pandemic‑related program—Small Business COVID-19 Adaption Grants, provided by the Department of Employment, Small Business and Training. Additional support and new processes were established to respond to the demand for the grants.

Also, to help businesses with cash flow, the government has reduced the time it takes to pay non‑government suppliers—from 19 days to four days.

Strong information systems controls are critical

The number of cyber attacks has doubled this year. Cyber criminals are attempting to take advantage of the disruption caused by COVID-19 to steal sensitive information and valuable assets. Information systems must be protected by people and processes with strong security practices.

This continues to be the area where we identify most issues, particularly in relation to access to systems. Entities cannot take a ‘set and forget’ approach. They must update their systems promptly to respond to changes within their entity and to remain protected from external threats.

This report includes the results of financial audits for all Queensland government entities. These entities are listed in appendices C and G. Given the effect the COVID-19 pandemic has had in 2020, this report also explores how Queensland government entities have addressed the risks of rapidly delivering new pandemic-related programs.

The report includes our evaluation of the financial reporting of departments, and our assessment of their controls over financial systems and processes—with learnings for all state government entities.

Our assessment of the financial reporting and internal controls of water, energy, transport and health entities are included in our sector reports on our website.

The Queensland Government announced a range of measures in response to the COVID‑19 pandemic. Our report to parliament—Queensland Government response to COVID‑19 (Report 3: 2020–21)—gave an overview of measures announced up to 21 August 2020.

These include two significant initiatives designed to support businesses in Queensland—the COVID‑19 Jobs Support Loan Scheme and the Small Business COVID-19 Adaption Grants. These two initiatives were delivered by two entities included in this report. In this chapter, we assess how they have addressed the risk of delivering new programs in a short time frame during the pandemic.

Chapter snapshot

Rapid delivery of COVID-19 Jobs Support Loan Scheme

The Queensland Government provided the $1 billion COVID-19 Jobs Support Loan Scheme to help Queensland businesses and non-profit organisations financially impacted by COVID-19. A priority of the scheme, administered by the Queensland Rural and Industry Development Authority (QRIDA), was to assist businesses as quickly as possible so they could retain employees and continue operations under the extraordinary economic conditions.

To achieve this, the processes were simplified and QRIDA temporarily expanded its workforce to rapidly assess the high volume of loan applications received.

The scheme opened to applications on 26 March 2020 and by 30 June 2020 QRIDA had approved 6,825 applications (88.1 per cent of total applications were approved) for $982.4 million.

While loans were provided across the state, there was a high concentration of approved loans in South East Queensland, as shown in Figure 2B. This is in line with the high concentration of Queensland’s registered businesses in South East Queensland.

Risk of loans not being fully repaid due to uncertain economic conditions

When governments provide immediate relief in response to disasters and emerging events, it is not unusual for them to streamline regular assessment processes to allow for faster payment. While QRIDA still applied eligibility criteria for the COVID-19 Jobs Support Loan Scheme, it had a greater tolerance than usual for applicants with a high risk of not being able to repay the loan.    

In undertaking its assessment, QRIDA reviewed loan documentation including financial information provided, contacted applicants directly to discuss their business and COVID-19 impact, and also obtained the credit risk rating of applicants from an independent data provider. Figure 2C shows the percentage of approved loans grouped by credit risk rating. A lower risk rating suggests a good chance of repayment, while other ratings indicate that this may prove more challenging. While most loans were approved to businesses with a low to moderate risk rating, five per cent of businesses assessed as high risk or worse received loans, as shown in Figure 2C.

As the COVID-19 Jobs Support Loan Scheme was only launched in March 2020, and no repayments are required during the first year of the loan, the impact of the COVID-19 pandemic on the future financial viability of the loan recipients is not yet known.

QRIDA provided analysis and an estimate of the loans that would be repaid in the future. Given the uncertain economic conditions, we determined this estimate could not be relied on and qualified our audit opinion on QRIDA’s 2019–20 financial statements.

High demand for Small Business COVID-19 Adaption Grants

The Small Business COVID-19 Adaption Grants program provided up to $10,000 for small businesses subject to closure or highly impacted by the COVID-19 shutdown restrictions. It was intended to assist those businesses to adapt and sustain their operations and build resilience.

To achieve this, the grants had to be assessed and paid quickly. However, given strong demand for the program, the applications also had to be assessed fairly, so the right businesses received the available funding.

The Department of Employment, Small Business and Training (the department) managed the first round of funding, which opened on 19 May 2020, with $96 million available. The department aimed to achieve a balance between speed and accuracy in assessing applications by:

• using its existing grants system and reassigning employees from across the department and other government entities to assist with assessing the high volume of grant applications
• developing clear program guidelines, including eligibility criteria against which each application was assessed, to ensure criteria were met before payments were approved.

Applications for round one closed within five days, with 11,702 applications submitted and over 100 per cent of the available funds requested. The department made payments promptly once the required documentation was provided and grants were approved. Most payments were made progressively over the three months after the funding round was closed to applications, as shown in Figure 2D.

The department had difficulties gathering the information it needed to assess the applications. Also, not all employees had experience in assessing these types of grant applications. To simplify matters, the department made arrangements with other government entities to access information they held about the applicants. This reduced the information applicants had to provide and improved the automation of the assessment process. The department also implemented additional review processes.

In response to the high demand, a second round of funding was opened on 1 July 2020, with $100 million available. Half of this funding will be directed to regional small businesses located outside of South East Queensland. The Queensland Rural and Industry Development Authority is administering this round on behalf of the department.

Faster payment of supplier invoices 

In response to the COVID-19 pandemic, the Queensland Government reduced government payment times to small business to assist with their cash flow. Figure 2E shows the significant decrease in the time departments took to pay non-government suppliers in the final months of 2019–20.

This chapter provides an overview of the audit opinions we issued for each Queensland state government entity. It assesses the maturity of departments’ processes for preparing financial statements. It also evaluates the timeliness with which departments’ financial statements are made public.

Chapter snapshot

Audit opinion results for all state entities

This year, most Queensland state government entities continued to prepare good quality financial statements that were certified by their legislative deadline. This was a significant achievement in light of the disruption caused by the COVID-19 pandemic. This was the result of sound financial reporting practices established over many years. Entities should continue to build on these practices, as they plan for an uncertain year ahead.

We issued unmodified audit opinions for 95 per cent of the 2019–20 financial statements audited (2018–19: 96 per cent) at 31 October 2020. All the departments, government owned corporations, and most of the statutory bodies received unmodified audit opinions, which indicates the results reported in their financial statements can be relied upon. Appendix C lists the audit opinions we issued for 220 entities in 2020.

Modified audit opinions

We issued 11 modified opinions in 2019–20 (2018–19: eight). These included three disclaimers (meaning the financial statements cannot be relied on) and eight qualified opinions (issued when the financial statements are fairly presented, with the exception of a specified area).

The disclaimers relate to small water boards, while the qualified opinions relate to two hospital foundations, four water entities, a training college, and a development authority. The qualifications relate to incorrect values of property, plant and equipment; unrecorded liabilities; inability to confirm the accuracy and completeness of revenue; and inability to reliably estimate the recoverability of loans.

Emphasis of matter

We included an emphasis of matter in our audit reports on 40 financial statements (2018–19: 40), to highlight areas we believe users need to be aware of. This did not modify the audit opinion. We highlighted that:

• only certain accounting standards were used in the preparation of the reports, and the reports were not intended for other users
• uncertainty exists over whether an entity is going to be able to pay its debts as and when they fall due
• an entity has been dissolved.

Opinions not yet issued

Appendix G lists those entities whose audits are not yet complete. Most of these entities are water boards or improvement trusts that did not meet the legislative deadline of 31 August.

Finalisation of overdue financial statements

We also issued 19 of the 30 audit opinions for financial statements from prior years that were outstanding as at 31 October 2019. The remaining 11 continued to be outstanding as at 31 October 2020. The 19 audit opinions we issued included two qualified and two disclaimed opinions on small water boards, relating to the valuation of property, plant and equipment assets, and the basis of financial statement preparation. Appendix H provides details about these audit opinions.

Entities exempted from audit by the Auditor-General

This year, six Queensland state government entities were exempted from audit by the Auditor‑General (2018–19: 12). This occurs where the Auditor-General deems an entity to be small and of low risk to the Queensland Government as a whole. Exempt entities are still required to engage an appropriately qualified person to audit their financial statements. Appendix E lists the entities, and the reasons for their exemptions.

Entities not preparing financial statements

Not all Queensland public sector entities produce financial statements. This year, 140 entities were not required, either by legislation or the accounting standards, to prepare financial statements (2018–19: 184). We have identified them in Appendix F.

Departments have mature financial statement preparation processes in place

This year, we worked with state government entities as they undertook an initial self-assessment of their financial statement preparation processes using the maturity model on our website. Departments assessed their preparation processes as mature, which means they support the timely preparation of good quality financial statements.

Most of the large and well-established departments have more mature processes in place. Some smaller departments, and those more recently affected by machinery of government changes (prior to 2020), assessed their processes as being less mature, but appropriate for them. Processes are often tailored to suit the size of the entity.

Strengths across the sector included:

• timely valuations for property, plant and equipment and infrastructure assets, with clear instructions provided to valuation experts and robust reviews of their reports
• continuous refinement of financial statements to reflect operations and the needs of users
• good engagement with auditors on financial reporting issues, improvements to processes, and upcoming accounting standards.

Almost half of the departments identified an opportunity to improve their monthly reporting through analysis that provides better insights into the reason for differences between budgeted and actual financial results. This is particularly challenging for large entities with diverse operations across the state.

Financial statements are commonly prepared using spreadsheets and word processing tools. Most entities consider these to be fit for purpose, but they recognise there may be opportunities to further automate the preparation of financial statements.

Delay in public release of financial statements

Despite the significant disruption caused by the COVID-19 pandemic, all departments and most state government entities managed to prepare good quality financial statements that were certified by the legislative deadline of 31 August 2020.

Notwithstanding the hard work by entities and QAO to achieve compliance with statutory reporting deadlines at a time of disruption, delays continue between the date state entity financial statements are certified and the date they are tabled in parliament by the relevant minister as part of the entity’s annual report.

A delay in publishing the financial statements can mean the information is no longer as relevant as it could be, because time has moved on. Events may occur between the date of signing and the date of tabling that require the financial statements to be reassessed and possibly re-signed.

Ministers are required to table the annual reports of departments and statutory bodies (including their financial statements) in parliament within three months of year end. Until they do this, departments and statutory bodies are not able to publish their financial statements.

There was no change from the previous year in the average time taken to make departments’ financial statements public by tabling the annual report in parliament (being 32 days after the statements were certified). Once ministers received departmental annual reports, on average they took 21 days to review the reports before tabling them in parliament. Similar delays also exist in making the financial statements of statutory bodies and government owned corporations publicly available.

These averages exclude one department’s annual report, which was tabled on 15 December 2020—after the legislative tabling deadline of 30 September and 109 days after its annual financial statements were certified.

All but one of the departmental annual reports were tabled over a six-day period at the end of September 2020, starting two days earlier than in 2019.

We assessed whether the systems and processes (internal controls) entities use to prepare financial statements are effective. The strength of an entity’s internal controls is driven by the quality of its people, systems, and processes. Strong internal controls can ensure an entity achieves its objectives, prepares reliable financial reports, and complies with applicable laws. Key features of an effective internal control framework include:

• strong governance that promotes accountability and supports strategic and operational objectives
• secure information systems that maintain data integrity
• comprehensive, relevant policies and procedures that are clear and concise
• regular monitoring and internal audit reviews.

While we focus primarily on departments, we have identified common issues that all entities should consider.

In this chapter, we also consider how government entities have maintained their internal controls during a time of changing work arrangements and increasing cyber attacks.

Chapter snapshot

Maintaining internal controls during a period of significant change

Most entities made the transition to staff working from home in March 2020 to comply with COVID-19 restrictions and support social distancing. We are now seeing a combination of staff working from home and in the office as restrictions ease.

These changes in working arrangements increased the risk of controls failing, due to changes in business processes (including increased reliance on technology—for example, allowing remote access, and using electronic signatures) and reduced capacity for oversight.

The government shared service provider adapted well to staff working from home

Queensland Shared Services (QSS) provides a range of payroll, accounts payable and information systems services to the vast majority of the departments. As such, it had a major role to play in dealing with the changes associated with staff working from home.

QSS enacted plans in March 2020 to ensure services were maintained and Queensland Government employees and suppliers continued to be paid during the pandemic. These plans involved:

• prioritising critical activities to be performed by a combination of remotely working and socially distanced, office-based staff
• modifying business processes so they could be performed remotely
• implementing secure technologies to facilitate remote access
• engaging widely with customers, stakeholders, and partners to ensure there was a shared understanding of these plans, and that all suppliers had appropriate strategies in place to respond to COVID-19.

These actions meant that, from a service delivery perspective, QSS was able to maintain business as usual. Our testing of its internal controls confirmed that they continued to be implemented appropriately as at 30 June 2020.

Internal controls are generally effective, but common weaknesses continue

We assessed the internal controls used by departments and found most can be relied on for preparing financial statements. However, we identified and reported more issues to departments this year than we did last year. They are the same types of issues as last year. Entities need to ensure they have established appropriate internal controls in these areas.

Strengthen security of information systems

An entity’s information systems are used extensively to process the information for preparing financial statements. Weaknesses in information systems controls increase the risk of undetected errors or potential financial loss, including from fraud.

All entities across the public sector need their people and processes to have strong security practices, so that information systems are promptly updated—to respond to changes within their entity and to ensure the systems remain protected from external threats.

Most weaknesses in information systems occur because entities do not have well established processes to keep their systems up to date. Entities cannot take a ‘set and forget’ approach to information systems. They must be vigilant, and respond promptly to change, for example:

• when an employee resigns or their responsibilities change, their access to information systems needs to be removed or updated
• most systems have regular updates from the system supplier. These need to be tested and installed to ensure known security weaknesses are removed.

This year there has been a dramatic increase in external attacks, as cyber criminals attempt to take advantage of changes in working arrangements necessitated by the COVID-19 pandemic. Figure 4B shows the increase in cyber attacks since September 2019, with a significant and sustained escalation since the start of the pandemic in February 2020.

There has also been a significant increase in phishing across the private and public sectors. Phishing scams trick people into providing confidential information through email or message platforms. For the year to July 2020, the average number of phishing attacks increased by nearly 200 per cent, with attacks in August 2020 increasing by more than 800 per cent to over 8 million—the highest number recorded in a month in the Queensland public sector.

CITEC’s Queensland Government Cyber Security Operations Centre provides the first defence in the Queensland Government’s cyber protection and plays a role in coordinating incident responses across agencies. CITEC reported that it has:

• successfully blocked an average of 66,000 malicious domain name system requests per minute. These attempt to divert internet traffic away from legitimate servers toward fake ones
• defended against an average of 30,000 cyber attacks per day that aim to shut down a system or network
• implemented a service that monitors departmental networks and generates alerts for any potential incident.

Cyber threats will continue and are likely to increase. Protecting the Queensland Government from them requires all entities to remain vigilant in managing their cyber security risks. Security is like a chain: one weak point can disrupt the integrity of the whole structure. Cyber security is only as strong as the weakest link.

Independently check changes to supplier and employee details

Fraudsters continue to target the Queensland public sector. As mentioned earlier, there has been a significant increase in phishing scams noted since the start of the COVID-19 pandemic. These scams often involve emails requesting fraudulent changes to bank account details for both employees and suppliers. We continue to identify weaknesses in entities’ controls for independently verifying and regularly monitoring changes to supplier and employee bank account details.

Review payroll monitoring reports

Payroll reports are used across departments to assist managers in ensuring the validity and accuracy of employee payments. We commonly find these reports are not checked in a timely manner, or at all. This increases the risk that errors, or fraudulent transactions such as invalid payments for overtime or allowances, will not be detected.

Address weaknesses in supplier payment processes

We identified instances where payments were not approved in accordance with an entity’s financial delegations, and duplicate payments to suppliers had occurred.

Most finance systems are set up to automatically send transactions to a financial delegate for approval. But this is dependent on systems being promptly updated when employees change positions, so their financial delegations in the systems are correct. These automated processes must be consistently used and not overridden based on approvals that occur outside the system.

Entities should also invest in tools to promptly detect errors or fraudulent payments, including duplicate transactions and those that have not been correctly approved.

Machinery of government changes can impact the effective operation of internal controls

Machinery of government changes were announced on 12 November 2020 that changed department names and responsibilities. This resulted in two departments being abolished and one new department created, with a total of 21 functions transferred between departments. Six departments were not impacted by these machinery of government changes.

The transfer of functions between departments can include the transfer of employees, assets and liabilities, information technology (IT) systems and applications, and controlled entities. It can take many months (and sometimes years) for the receiving department to fully integrate new functions into the department through the updating of policies, procedures and processes, and the alignment of IT systems.

While departments are experienced in managing machinery of government changes, during any period of change there is an increased risk of governance processes and internal controls not operating effectively, particularly when different systems and processes continue to be used within an entity.