State entities 2021

Public sector entities are responsible for the use of a significant amount of public resources to deliver services that the Queensland community relies on every day. As I have reflected in previous reports to parliament, and in my forward work plan, the demand for services and the multitude of risks that entities face also continue to increase.  

State public sector entities are accountable to parliament and the public for how they use public resources. This is generally achieved by them preparing annual financial statements, which are tabled in parliament as part of their annual reports.

By auditing and providing an independent opinion on entities’ financial statements, the Queensland Audit Office (QAO) provides assurance to parliament and the public on the reliability of the information contained within. However, for the information in the financial statements to be truly useful to readers, it must not only be reliable – it must also be timely.

Financial statements are prepared at a point in time, so the relevance of the information they contain reduces the longer it takes for entities to publish them. Accordingly, delays in tabling an entity’s annual report reduces the usefulness of the financial statements to parliament and the public.

In recent years, we have worked collegiately with the preparers of financial statements to improve timeliness. I believe entities are now well placed to prepare their financial statements and have them audited by QAO in a timely manner, even when faced with significant challenges such as the impact of COVID-19 and major machinery of government changes. However, the timeliness of financial statements being made publicly available has deteriorated since 2019. This serves to weaken transparency and accountability.

In my report last year, State entities 2020 (Report 13: 2020–21), I included recommendations to improve the timeliness of financial statements being made publicly available. I have again made similar recommendations in this year’s report. Acting on these recommendations will inform and assure Queenslanders, maintaining their confidence in entities’ financial performance.

Brendan Worrall
Auditor-General

Financial statements are reliable

The financial statements of all departments, government owned corporations, most statutory bodies, and the entities they control are reliable and comply with relevant laws and standards.

Delays in financial statements being made public

There are continued delays between when financial statements are signed as audited and when they are released publicly through the tabling of annual reports. Most annual reports were tabled just in time to meet the legislative deadline – on average over a month after the financial statements were signed. In the health portfolio, most annual reports were tabled almost 3 months after the financial statements were signed. This was after the minister extended the tabling period, on the department’s recommendation.

Queensland Treasury’s action to our recommendation from last year has not improved the timeliness of financial statements being made public. Ongoing delays in tabling annual reports reduce the ability of parliament and the public to meaningfully assess the financial performance of public sector entities and contribute to less trust in the integrity of government.

Restructuring is a distraction and comes at a cost

Seventeen departments were restructured as part of the machinery of government changes announced on 12 November 2020. These restructures are an accepted practice of government, with many functions moved over the past 10 years. This creates confusion when trying to compare financial and performance information for departments over time. The costs of implementing significant restructures are both direct and indirect. It takes many months to transfer finance and payroll systems to match the restructured departments. Many departments continue to operate on multiple networks, and have not yet established consistent financial policies, approval processes or risk management practices. These changes are a distraction for entities, reducing their ability to continuously improve their systems and processes.

Rapid response led to weaknesses in internal controls

The Queensland Rural and Industry Development Authority (QRIDA) administered the delivery of the COVID-19 Jobs Support Loan Scheme in 2019–20 as part of the Queensland Government’s Economic Recovery Plan. QRIDA was temporarily expanded for this purpose. The rapid response caused some breakdowns in its systems and processes (internal controls). Entities experiencing rapid growth need to review the strength of their internal controls and ensure they can address the increased risk.

Same weaknesses in internal controls as last year

The internal controls entities have in place are generally effective, but the same common weaknesses have arisen over the last 2 years. These include entities not securing their information systems, checking changes to supplier details or reviewing payroll reports. Entities also need to ensure there are clear policies and manuals for payroll and procurement processes, and that grants are approved by people with the appropriate financial delegations. These actions will help to prevent fraud and accidental overpayments and ensure value for money is achieved.

Prior year recommendations need further action

Entities have taken some corrective action to address recommendations made in our report last year. Despite this, we continue to identify control weaknesses that require further action for procurement, payroll processes, and the security of information systems.

The timeliness of annual report tabling has not improved, with delays in the publication of financial reports. We have re-raised the recommendation to consider opportunities to improve timeliness in the current report.

We have included a full list of prior year recommendations and their status in Appendix C.

Reference to comments

In accordance with s.64 of the Auditor-General Act 2009, we provided a copy of this report to relevant entities. In reaching our conclusions, we considered their views and represented them to the extent we deemed relevant and warranted. Any formal responses from the entities are at Appendix A.

This report includes the results of financial audits for all Queensland state government entities. These entities are listed in appendices E and I.

On 12 November 2020, the government announced changes to departmental names and responsibilities (machinery of government changes). This resulted in 2 departments being abolished and one new department being created, with a total of 23 functions transferred between departments. In Chapter 2, we explore the impact of government restructuring.

We also include our assessment of the 21 core departments’ controls over financial systems and processes, identifying learnings for all state government entities. Core departments are entities gazetted as departments under the Public Service Act 2008 and the Public Safety Business Agency, which is classified as a department under the Financial Accountability Act 2009. They are the departments primarily responsible for the majority of services provided within the general government sector. Other departments are established under the Financial Accountability Act 2009, for example Electoral Commission of Queensland, Legislative Assembly and Parliamentary Service, Office of the Governor and Public Service Commission.

Our assessment of the financial reporting and internal controls of water, energy, transport, and health entities are included in our sector reports on our website at www.qao.qld.gov.au/reports-resources/reports-parliament.

Providing services across Queensland

The departments in Figure 1B provide services across the state. Regions outside of the south-east corner account for approximately one-third of the state’s total economic output and around 28 per cent of the population.

Different government services divide these regions up in various ways. For example, 77 local governments work across 7 education regions, 15 police districts, and 16 hospital and health service areas. Statewide planning can also use different boundaries, with 13 Regional Action Plans supporting the Queensland Budget 2021–22 and 7 Regional Infrastructure Plans being developed as part of the new State Infrastructure Strategy. This can have repercussions in terms of driving government policy on a regional basis, including coordination of and cooperation between services and governments.

The Queensland Audit Office’s (QAO) dashboard, QAO Queensland dashboard, which brings together important information about the finances and services of Queensland state and local government entities, uses 3 common regional boundaries – local government areas; statistical areas (used by the Australian Bureau of Statistics and by state entities to collect and report on information, including the state budget); and hospital and health service areas. This allows users to search by an address and understand the services and the financial results for their local area, including for councils, education, health, water, and electricity. The dashboard is available on our website at www.qao.qld.gov.au/reports-resources/interactive-dashboards.

For many years, in both financial and performance audits, the Queensland Audit Office has seen evidence of challenges arising from or exacerbated by machinery of government changes. This has included poor use of and access to information within and across agencies, ineffective regulatory management and lack of consistent interagency governance. This chapter provides an overview of changes that occurred in 2020, and analyses the impact these have had on government operations, including the time and cost associated with changes to people, systems, and processes, and the risks these changes present.  

Overview of recent machinery of government changes

It is the prerogative of the government of the day to decide how best to organise its executive functions.

Restructures of government functions (and associated reallocation of resources and people between departments) are usually referred to as machinery of government changes. These are not uncommon under the Westminster system of government. While they usually follow elections, they can occur at any time based on an order made by Governor in Council (which is the Governor acting on advice of the Executive Council to approve the decisions of Cabinet). The restructures can seek to align services with the government’s objectives and ministers’ skills and backgrounds while allowing for ministerial oversight. However, they are rarely quick, inexpensive, or simple.

Following the most recent Queensland state election on 31 October 2020, a machinery of government change was announced and enacted on 12 November 2020. This restructure affected 17 of the core departments and moved 23 functions. Only 6 core departments were not affected by this change.

Machinery of government changes in the last 12 years have resulted in over 190 functions being transferred between departments. The majority (183) of the changes occurred following Queensland Government general elections, as shown in Figure 2B.

Machinery of government changes can cause significant disruption to the operations of the services they affect. It can often take considerable time for a transferring function to fully integrate, if at all, into a new department, creating inefficiencies and increasing costs.

In Appendix D, we have analysed the services of government as at 30 June 2021, by function. Some departments have a clear focus on a common purpose, while other departments include services that are not aligned. The latter can result in competing priorities and can mean it takes longer to integrate services into a new department.

Where service delivery is purely internal to government, the cost of restructuring can quickly outweigh the benefit. Six departments are responsible for 11 areas that provide services internal to government, with 6 of the 11 areas changing departments following the last election. This included the Corporate Administration Agency, which provides corporate services for some statutory bodies, and QBuild, which builds and maintains government-owned assets. These areas aim to continuously increase the efficiency of their services. Any restructuring should aim to increase efficiency, with efficiency gains expected to exceed the estimated cost to implement the restructure.

Machinery of government changes are determined by the Premier and are made by order of the Governor in Council. The public service is responsible for providing high-quality, independent, and evidence-based advice to government, which includes briefs for the incoming or returning government on the functions of government that can help inform decisions on machinery of government changes. The public service is then responsible for implementing the government’s decisions efficiently, effectively and ethically. 

No measures are set centrally or at individual departmental level to track the benefits of the restructures. As stated in a UK National Audit Office report Reorganising central government in 2010, this makes it ‘impossible for them to demonstrate that eventual benefits outweigh costs’. There would be value in outlining the benefits that are expected to be achieved through these restructures and capturing the costs associated, so these can be actively monitored and managed. This would also provide clarity on the purpose of combining areas within government that do not have natural compatibility and policy alignment, and the cost benefit in making changes to functions that only provide services within government.

Changes affect entities’ cultures and internal controls, and come at a cost

When merging multiple functions across departments, the relevant governance structures are often reorganised, which results in leadership changes at multiple management levels. The culture of an entity will be driven by its new leaders and will often change so that values and behaviours align with what the new entity is required to do. Differences may be subtle, but they will significantly impact the focus a department puts on internal controls (its people, systems and processes).

The 2020 machinery of government changes resulted in 23 government services being transferred between departments, affecting ministerial portfolios and directors-general leadership arrangements. Figure 2C shows the changes in leadership.

From a cultural perspective, functions that frequently move between departments are more likely to become insular and to resist fully integrating into their new departments, as they expect it will be a short time until the next restructure. This can affect the flow of information, including how risks are managed and decisions made, with functions often continuing to operate independently for years. This contributed to issues identified in the approval of sports grants in 2017 and 2018, as noted in our report to parliament Awarding of sports grants (Report 6: 2020–21), as Sport and Recreation continued to use the policies of its former department for over 2 years.

Seventeen functions have been transferred between departments at least 3 and up to 6 times in the last 12 years, as shown in Figure 2D.

Each change requires entities to re-establish their cultures and internal controls, with regular structural changes reducing the ability for them to develop and mature.

Once changes are announced, the impacted departments start the process of reviewing the transferred functions and negotiating with other departments for the transfer of employees, assets and liabilities, information systems, and records. These transfers can take years to complete, and are sometimes not resolved before the next machinery of government change is announced.

Figure 2E shows the time taken to agree changes and transfer employees between payroll systems.

While all finance and payroll system changes were made within 12 months of the machinery of government change, network changes can take much longer. This is often because of old systems that operate on those networks, the cost involved in migrating them to a new network, and the continued availability of skilled employees to manage those systems in the new department.

One department that received new functions in December 2017 has continued to operate across multiple networks for this reason, although a plan is in place to migrate to one network in 2022. In late 2021, of 15 departments affected by changes in November 2020 (excluding the 2 that were abolished), 8 were operating on one network, 5 were on 2 networks, and one each on 3 and 4 networks. Using multiple networks can increase a department’s information security risk, as well as impact on employees’ ability to easily access the information and systems they need to perform their job.

While departments promptly ratified pre-existing delegations when the 2020 machinery of government changes occurred, as of late 2021, some departments are still in the process of aligning their delegations to their new organisational structures. Many are planning to update their policies and procedures in 2022.

The cost of updating systems for machinery of government changes reduces when departments use the same systems

Queensland Shared Services (QSS), the shared service provider for most departments’ payroll, expenditure, and general ledger services, tracks the costs of machinery of government changes. It processes most transactional and system changes to people and financial systems, including moving staff records and assets to their new department, and building ledgers to match the new department’s functions. Its main cost is hours of staff time to process and validate transactions.

The cost for QSS to execute the system changes and transfers for the 2020 machinery of government changes is approximately $2.2 million, which equates to 17,000 hours. This does not include the time spent by departments to implement these changes. QSS’s cost can vary based on the size and nature of machinery of government changes, and has trended down in recent years with more common finance and payroll systems being used across government.

Considerable efforts have been made to move towards single finance and payroll systems for government departments. But even when the same system is used, moving between systems is more complicated when the versions are different, or the general ledger design has not anticipated the next restructure.

Over time, many functions within government have acquired their own systems, either because they are specific to their operations or because of the procurement decisions of their previous department. In 2016–17, 2 departments moved off the QSS-supported finance system (SAP ECC 6) to a new, self‑supported system (S/4 HANA). Each of these departments made this decision based on the needs of its entity, but this single-entity perspective did not adequately consider future changes to its structures and functions.

The 2 departments have both since been affected by machinery of government changes, and have received and lost functions. The process for integration of 2 completely separate systems is complex and costly. The most recent machinery of government change saw one function on S/4 HANA moved to a department on SAP ECC 6. A year after the restructure, a decision is yet to be made on integrating it or migrating it.

It is not compulsory for departments to use the systems and services of QSS, which can mean even more challenges in restructures.

Financial and performance information is hard to assess over time

Machinery of government changes also mean it is difficult to assess the financial and performance information of departments over time. This is because the nature of their operations, and therefore the composition of their financial results, change with each restructure of government. This reduces the meaningfulness of this information and the transparency of government, as any unusual trends over a longer period cannot be easily identified or explained.

Internal restructuring is a distraction from other priorities and external engagement

While machinery of government changes have ranged in scale over the years, from creating ‘super’ departments to abolishing others, even minor changes can have significant impacts and require a lot of resources to implement. During implementation, resources and attention are naturally directed to the restructure, and agencies can be distracted from their other responsibilities. For some functions that are transferred often, the time between finalising one restructure and commencing the next can be minimal, reducing the time they can focus on other priorities.

Departments are often managed using different regional boundaries. These regional boundaries are established by departments to support their service delivery, and are aligned with their organisational structure. A machinery of government change can result in the different functions that come together within a new department operating across different regional boundaries, which can impact the coordination of service delivery.

How each department engages with its key stakeholders – whether they are the public, businesses and non-government organisations, or community groups – will affect how well it delivers services. This can also be affected by machinery of government changes, because of the impact on relationships with suppliers and customers through changes to department names, to people in executive positions, and to employee contact details.

We will perform a future audit on management of machinery of government changes

We acknowledge that it is the prerogative of the government of the day to decide how best to organise its executive functions, but there are many repercussions. Given the significant disruption caused by the restructures, in 2021–22 we will perform an audit of the change management processes that departments have used to implement machinery of government changes. We will identify learnings and better practice that can be applied in future.

Each year, Queensland government entities pay more than $3 billion of grants and subsidies to private and public sector entities to further the government’s objectives. In addition to this normal activity, the Queensland Government, as part of its response to the COVID-19 pandemic, provided significant grants and loans to businesses.

In this chapter, we assess the challenges experienced by one entity included in this report that administers these grants and loans.

Rapid response to support businesses during COVID-19

The Queensland Rural and Industry Development Authority (QRIDA) administers grant and loan programs on behalf of the state, working in partnership with and at the direction of the program owners to deliver money to small businesses, individuals, and farmers. 

Prior to 2020, Queensland Treasury was QRIDA’s main program owner, providing the funding for the Natural Disaster Relief and Recovery Arrangements and Disaster Recovery Funding Arrangements loans. QRIDA’s average expenditure on loans and grants over the 3 financial years ending 2018–19 was $177 million annually.

However, since the start of the COVID-19 pandemic, QRIDA has delivered multiple programs and millions of dollars in business assistance as part of the Queensland Government’s Economic Recovery Plan. This has included the $1 billion COVID-19 Jobs Support Loan Scheme through the Department of Agriculture and Fisheries, and the Small Business COVID-19 Adaption Grant Program (Round 2) at the direction of the Department of Employment, Small Business and Training.

QRIDA was chosen to deliver these programs due to its experience in loan and grant assessment, but the volume and number of loans and grants it paid out in 2020 and 2021 was unprecedented, as can be seen in Figure 3A.

There is more certainty about the repayment of COVID-19 Jobs Support Loans

In 2020–21, QRIDA paid $926 million in COVID-19 Jobs Support Loans, spread across almost 7,000 Queensland businesses. These loans are repayable by loan recipients over a 10-year period.

In 2019–20, we qualified our opinion on QRIDA’s financial statements due to QRIDA’s inability to reliably estimate how recoverable the loans provided under the COVID-19 Jobs Support Loan Scheme were. This was due to the unknown impact of the COVID-19 pandemic on the credit outlook for these loan recipients and a lack of historical and future performance indicators about them. (We qualify our audit opinion when the financial statements are fairly presented, with the exception of a specified area.)

This year, we were able to verify the estimates made by QRIDA of the recoverability of the loans as at 30 June 2021. QRIDA has adopted a model that includes both historical and future performance indicators of the COVID-19 Jobs Support Loan recipients. It was able to obtain specific information about them, such as their credit ratings, interest repayment history, Australian Securities and Investments Commission (ASIC) data, geographical data, and industry data, all of which fed into its estimates to support its model.

In addition, since the first repayments on most of these loans became due in late March 2021, QRIDA was able to analyse which loan recipients were making repayments and which were defaulting. This provided insight into the likely recoverability of the loans.

The majority of the COVID-19 Jobs Support Loan recipients are currently complying with the repayment schedules, with $71.7 million of loans fully repaid before 30 June 2021.

The estimate of COVID-19 Jobs Support Loans that will not be repaid in the future was $96.4 million (8 per cent of total loans) as at 30 June 2021, with 14 loans valued at $1.6 million assessed as irrecoverable during 2020–21. The estimate has improved from $105.8 million (8.8 per cent of total loans) at 30 June 2020. The change was supported by the various assumptions used in the model and generally reflects a more positive credit outlook for the COVID-19 Jobs Support Loan recipients.

Figure 3B shows the percentage of approved loans, by credit risk rating. A lower risk rating suggests a good chance of repayment, while other ratings indicate it may prove more challenging.

During 2020–21, only 478 applications were approved, compared to 6,450 applications in the previous year. While most loans were approved to businesses with a low to moderate risk rating (95 per cent), 5 per cent of the loans were approved to businesses with a high to severe risk rating. These loans were issued at a specific point in time to provide support to businesses and stimulate the economy. QRIDA is regularly monitoring them to assess their recoverability.

The rapid expansion exposed weaknesses in internal controls

In order to assess, process, and pay the increased volume of loans and grants, QRIDA needed to scale up its workforce in 2020 (when it delivered the COVID-19 Jobs Support Loan Scheme). Temporary employees were rapidly recruited and trained to meet program demands, with the workforce increasing to 201 full-time equivalent (FTE – the number of staff, measured in terms of what proportion of full-time hours they work) employees as at 30 June 2020 (from 118 as at 30 June 2019).

After the COVID-19 Jobs Support Loan Scheme was closed in September 2020, QRIDA was also delegated the responsibility for administrating the Small Business COVID-19 Adaption Grant Program (SBAG). This resulted in a significant increase in the number of grants/loans being processed during the 2020–21 financial year despite a slight decrease in FTE employee numbers available to process grant and loan applications (189 FTE employees as at 30 June 2021). This is shown in Figure 3C.

While QRIDA provided training to employees during this period of rapid expansion, it did not adhere to some policies and procedures. In addition, the systems and processes (internal controls) it had in place, which were appropriate for a smaller entity, were not adapted as the size, complexity, and risk of the entity increased.

After this surge period, as part of our 2020–21 financial audit, we identified 10 internal control deficiencies (which is when internal controls are either ineffective or missing), of which 5 were deemed significant (of higher risk, requiring immediate action by management). These related to the following:

• We found a lack of documentation supporting a merit-based appointment process. Conflict of interest declarations had not been completed by recruitment panel members, and people were appointed who were closely related to existing employees.
• One contract was not approved in line with the QRIDA procurement policy, and there was no evidence of adequate conflict of interest declarations being undertaken. This increases the risk of inappropriate contracts being entered into and value for money not being obtained.
• Grant applications were approved by staff for amounts that exceeded the amount they were allowed to approve. Approvals are processed manually, which can lead to mistakes or lack of compliance. (An automated workflow system would enforce compliance with approved thresholds.)
• Access to supplier information was not appropriately restricted, and there was no evidence of independent review of changes to supplier information, increasing the risk of errors or fraud occurring and not being detected.
• Payment files were not encrypted or password protected prior to payment. This increases the risk of fraudulent payments, as it allows an opportunity for users to make unauthorised changes.

Since we completed our audit, QRIDA has implemented our recommendations for 8 of the 10 control deficiencies, and is working to resolve the remaining one significant control deficiency and one control deficiency. 

QRIDA has identified learnings from the COVID-19 Jobs Support Loan Scheme and is in the process of implementing improved practices to alleviate the pressure put on the entity during future surge periods.

As the government wants to respond quickly to the challenges faced by the community and support businesses in the pandemic, administrators and program owners must ensure that controls can adapt to changes in the nature and volume of services they deliver.

This chapter provides an overview of the audit opinions we issued for Queensland state government entities. It also looks at the time taken to table annual reports and make financial statements available to the Queensland community.

Chapter snapshot

Audit opinion results

We issued unmodified opinions for 96 per cent of the 2020–21 financial statements we audited (2019–20: 95 per cent) as at 31 December 2021. All the departments, government owned corporations, and most of the statutory bodies received unmodified audit opinions, which indicates the results reported in their financial statements can be relied upon. Most entities (89 per cent) reported their results within their legislative deadlines. Appendix E provides detail about the audit opinions we issued for the 229 entities in 2021.

We included an emphasis of matter in our audit reports on 44 financial statements (2019–20: 40).

We did this to highlight that:

• only certain accounting standards were used in the preparation of 35 reports, and these reports were not intended for other users
• 6 entities face uncertainty as to whether they will be able to pay their debts as and when they fall due
• 6 entities had been dissolved.

Modified audit opinions

We issued 8 modified opinions in 2020–21 (2019–20: 11).

These included 3 disclaimers (meaning the financial statements cannot be relied on) and 5 qualified opinions (issued when the financial statements are fairly presented, with the exception of a specified area).

The disclaimers were for small water authorities; while the qualified opinions were for a hospital foundation, a development authority, and 3 other small water authorities.

The qualified opinions relate to incorrect valuation of property, plant and equipment; inability to confirm the accuracy and completeness of 2019–20 revenue disclosed in a 2020–21 financial report; inability to confirm receivables (amounts owed by a debtor) are fully collectible; and inability to reliably estimate how much will be recovered from prior year loans disclosed in a 2020–21 financial report.

Opinions not yet issued

Appendix I lists those entities whose audits are not yet complete. Most of these are water boards or authorities and river improvement trusts that did not meet the legislative deadline of 31 August.

Finalisation of overdue financial statements

We also issued 7 of the 24 audit opinions for financial statements from prior years that were outstanding as at 31 October 2020. The remaining 17 continued to be outstanding as at 31 December 2021. Of these, 2 water authorities are outstanding since 2015–16, one river improvement trust is outstanding since 2016–17, and another river improvement trust is outstanding since 2017–18.

The 7 audit opinions we issued included a disclaimed opinion on a small water board, relating to the valuation of property, plant and equipment, and the basis of financial statement preparation. Appendix J provides details about these audit opinions.

Other audit certifications

Appendix F lists the other audit and assurance opinions we issued. Six audits provided assurance to Queensland state entities that controls were operating at shared service providers – who process transactions on their behalf.

Two audits fulfilled reporting requirements for national disaster relief and recovery funding arrangements, one covered payment made to local governments by the state government, and 2 fulfilled reporting requirements for a department’s financial statements.  

We also provided assurance over Australian financial services licences.

Entities exempted from audit by the Auditor-General

This year, 6 Queensland state government entities were exempted from audit by the Auditor-General (2019–20: 6). This occurs where the Auditor-General deems an entity to be small and of low risk to the Queensland Government as a whole. Exempt entities are still required to engage an appropriately qualified person to audit their financial statements. Appendix G lists the entities, and the reasons for their exemptions.

Entities not preparing financial statements

Not all Queensland public sector entities produce financial statements. This year, 145 entities were not required, either by legislation or the accounting standards, to prepare financial statements (2019–20: 140). We have identified them in Appendix H. 

Departmental financial statement preparation processes will need to be revisited

Departments affected by machinery of government changes have had their financial statement preparation processes disrupted this year. Our report last year recommended they revisit their processes to align them with their new operating structures, but some departments were not able to do this in 2020–21 as employee and system changes were still being finalised.  

We will reassess financial statement maturity in 2021–22 to see how departments have adapted their financial statement processes, and what progress has been made on addressing previous recommendations. Appendix C provides the full recommendation and status as at 30 June 2021.

Almost all annual reports tabled in the last week of September, or after the legislative deadline 

Queensland public sector entities have made continuous improvements to their financial reporting processes. This has resulted in most financial statements being signed well before the legislative deadline – on average, 25 August 2021 for departments and statutory bodies (excluding category 2 water boards, river improvement trusts and drainage boards due to their small size). However, in 2020–21, financial statements for these entities were published an average of 56 days after they were certified, with 98 per cent of annual reports tabled in the last week of September 2021 or after the legislative deadline.

This delay of well over a month in releasing information is not consistent with the community’s expectations of timeliness and transparency in government, especially at a time of increased demand for services and declining financial performance arising from the COVID-19 pandemic.

This delay arises for departments and statutory bodies because ministers are required by legislation to table the annual reports of these entities – including their financial statements – in parliament within 3 months of the end of the financial year. Until they do this, departments and statutory bodies are not able to publish their financial information.

Ministers often receive all annual reports for their portfolio at the same time, after they have been reviewed by their department. This review process ensures all annual reports comply with the annual report requirements. This is in addition to the letter of compliance and compliance checklist provided by each entity within the portfolio. It also allows the department to provide a brief to the minister on the activities and results of the portfolio. This means that any entities who sign their financial statements and prepare their annual reports earlier must wait until all annual reports in the same portfolio have been received and reviewed by the department. They are then provided to the minister and tabled together.

In 2019–20, we recommended ministers and central agencies explore opportunities for releasing audited financial statements of public sector entities in a more timely way, given we sign these statements by 31 August. Although Queensland Treasury encouraged chief finance officers to table their 2020–21 annual reports at their earliest opportunity, the process and deadline for tabling annual reports have not changed. Figure 4B shows that across the last 3 years, the timeliness of tabling reports for departments and statutory bodies has reduced.

These delays result in information becoming less relevant and reliable as time moves on, reducing the ability of parliament and the public to meaningfully assess the financial performance of public sector entities. The delays can also mean events occur that require the financial statements to be reassessed, as our professional auditing obligations require our audit to continue until the financial statements are publicly available.

Just as entities have continuously improved their financial statement processes, action is required by entities and ministers to streamline the process for publishing financial statements and improve the timely release of information. This could include changing departmental processes so annual reports are provided to the minister progressively, and legislative change to specify the maximum number of days between financial statement certification and tabling.

Delays in tabling annual reports in the health portfolio

A minister may extend the period for tabling an annual report beyond the legislative deadline, as the Minister for Health and Ambulance Services has done for 3 of the last 4 years. The Financial Accountability Handbook published by Queensland Treasury indicates this should only occur in exceptional circumstances, but does not provide any guidance or examples of what an exceptional circumstance might be. We would expect this would only occur when external events impact the entity’s preparation of the annual report so that it cannot be tabled in parliament within the legislative deadline.

Delays in tabling annual reports in the health portfolio are explored further in Case study 1 (Figure 4C).

The minister’s role in annual reports is not consistently defined

Ministers are accountable to parliament for the administration of their departments, and for statutory bodies established under the legislation they administer. While a minister’s specific responsibilities for entities within the ministerial portfolio may vary, the minister is required to table all annual reports within their portfolio in parliament. The role of the minister in doing this is not clearly and consistently defined in accountability requirements. The different requirements are outlined in Appendix K and include the:

• Financial Accountability Act 2009
• Financial and Performance Management Standard 2019
• Annual report requirements for Queensland Government agencies published by the Department of the Premier and Cabinet
• Financial Accountability Handbook published by Queensland Treasury.

Most consistently, the accountable officer or statutory body is required to approve the annual report, while the minister is required to table the annual report in parliament. The Financial Accountability Handbook is the only document that refers to ministers reviewing the annual reports, but the nature or purpose of the review is not defined. The annual report guidelines do not refer to the minister reviewing or approving annual reports prior to tabling.

Clarifying the minister’s role in tabling annual reports will help to inform the time required by the minister between receiving an entity’s annual report and tabling it in parliament.

Internal controls are the people, systems, and processes that ensure an entity can achieve its objectives, prepare reliable financial reports, and comply with applicable laws. Features of an effective internal control framework include:

• strong governance that promotes accountability and supports strategic and operational objectives
• secure information systems that maintain data integrity
• robust policies and procedures, including appropriate financial delegations
• regular monitoring and internal audit reviews.

This chapter reports on the effectiveness of state entities’ internal controls and provides areas of focus for entities to improve their internal controls. While we concentrate mainly on large departments, we have identified common issues that all entities should consider.

When we identify weaknesses in the controls, we categorise them as either deficiencies or significant deficiencies.

Chapter snapshot

Internal controls are generally effective, but common weaknesses continue

We assess whether the internal controls used by entities to prepare financial statements are reliable and we report any deficiencies in their design or operation to management for action.

Overall, we found the internal controls that entities have in place are generally effective, but can be improved. We identified and reported less deficiencies to departments this year than we did last year but the same common weaknesses arose as last year. Entities need to ensure they have established appropriate internal controls to address these.

Figure 5A shows the types of deficiencies we identified at departments.

We have received responses from each entity on planned corrective action for the internal control issues raised. We are satisfied with the responses and proposed implementation time frames.

Of the 78 deficiencies raised, 29 have been resolved, and work is underway to address the remaining 49.

Information systems need to be protected from external attacks

The most common control issue we reported to departments this year related to weaknesses in information systems. This is consistent with last year.

These systems are used to deliver public services and prepare financial statements, so there must be strong controls over who has access to them and the information they contain. Weaknesses in these systems increase the risk of undetected errors or financial loss, including fraud.

Most weaknesses in information systems occur because entities do not have well established processes to promptly update their systems. The control weaknesses we identified mainly related to:

• staff access to systems not being restricted to the minimum required to perform their job
• access not being updated when people left the department or changed their responsibilities within the department
• the activities of users with privileged access (allowing them to access sensitive data and create and configure within the system) not being monitored
• the security configuration not being kept up to date with the entity’s latest security policy or better practices.  

Since the start of the COVID-19 pandemic, cyber threats have intensified in frequency and sophistication. This makes it even more important that organisations promptly fix any weaknesses in their systems.

This year, there has also been a significant increase in malware (malicious software intended to create damage to a computer, network, or server) threats. From June to September 2021, the number of malware threats increased significantly, as shown in Figure 5B.

This is consistent with the Australian Cyber Security Centre ACSC Annual Cyber Threat Report 2020–21, which noted a 15 per cent increase in ransomware cyber crime (malware that blocks access to a device and data until the owner pays a ransom fee) reported to its ReportCyber website since 2019–20.

We recommend all entities continue to act on the recommendation from our report last year to strengthen the security of their information systems. Appendix C provides the full recommendation and status as at 30 June 2021.

Departmental controls need to be stronger when a shared service provider is used

Most of the departments use a shared service provider to provide a range of payroll, accounts payable, and information technology infrastructure services. While the shared service provider processes transactions on behalf of departments, departments are responsible for ensuring they have complementary controls in place that are operating effectively.

We continue to identify weaknesses in complementary controls at departments relating to independently checking changes to supplier details and having effective controls over payroll.

Independent checks of changes to supplier details

Fraudsters continue to target the Queensland public sector. Scams often involve emails requesting fraudulent changes to bank account details for suppliers. To help prevent this, agencies must ensure they check all requests to change supplier bank account details using an independent source. Ways to do this include contacting the supplier directly using contact details that have been sourced independently, such as from the company website or white pages.

We observed that some entities relied on the shared service provider to confirm the change using an independent source. However, when the shared service provider was not able to do this within the agreed time frame, the change was referred back to the entities, who approved it without independent verification. This significantly increases the risk of fraud.

In our 2020 report, State entities 2020 (Report 13: 2020–21), we reported a lack of independent checking of changes to supplier details. Not all entities have fully addressed this recommendation, and we continue to identify significant deficiencies in this area. This recommendation applies whether suppliers’ details are updated by the department or a shared service provider, with all department employees needing to understand their responsibility for approving changes to supplier details. Appendix C provides the full recommendation and status as at 30 June 2021.

Payroll controls

Complementary payroll controls assist departments to ensure the employee payments processed by the shared service provider are valid and accurate. We identified the following common deficiencies:

• instances where departments did not review payroll reports
• inconsistencies between the supporting documentation completed and the requirements outlined in internal policies and procedures for processing of employee terminations
• inconsistent approval and lack of evidence of employee overtime across business areas.

In some cases, these control weaknesses resulted in overpayments to employees. Without effective review of key payroll reports and consistencies in processing, approving, and monitoring of employee payroll transactions, there is an increased risk that errors, or fraudulent transactions such as invalid payments for termination, overtime, or allowances, will not be detected.

We recommend all entities continue to promptly review payroll monitoring reports, particularly those entities with significant employee movements after machinery of government changes, as recommended in last year’s audit report. Appendix C provides the full recommendation and status as at 30 June 2021.

Financial delegations in grants management need to be reviewed

The Financial Accountability Act 2009 and the Financial Accountability Handbook require financial approval to rest with the director-general or their delegate (a public service employee). We identified deficiencies in a department’s financial delegations, where the minister was granted a financial delegation to approve payments.

In our report, Awarding of sports grants (Report 6: 2020–21), we reported about the minister’s role in the grant process. The minister may be involved in the process to provide approval to start a grant program, give feedback on the design of the program, and ensure the department’s operations are aligned with government policy. However, all grants require financial approval from the director-general or their delegate.

We also identified deficiencies across departments where grant expenditure had been approved by officers who did not have the delegation to approve that much expenditure. When this occurs, it increases the risk of grants being inappropriately approved and unauthorised grant payments being processed by departments.

Improvements need to be made to procurement policies and manuals

We identified weaknesses in procurement policies and manuals across departments where the policies did not provide enough guidance on key decisions and documentation requirements in the procurement process.

Without consistent guidance in place, there is a risk that procurement decisions may not be appropriately justified and may deliver poor value-for-money outcomes. An example of this is existing contracts being extended without going back to market to see if the arrangement remains the best value outcome for the department.

Entities should ensure their procurement policies and manuals give clear guidance on how to make contract decisions, including on the documentation that needs to be maintained to demonstrate the process undertaken and the decisions made.

Internal controls assessment tools

We are developing new assessment tools for internal controls relevant to public sector entities. They will provide entities with greater insight into the strength of their internal control processes.

These tools focus on asset management, change management, culture, governance, grants management, information systems, monitoring, procure-to-pay (the whole procurement process), record keeping, and risk management.

We are currently consulting with our clients on these tools and intend to begin using them in our audits from 2021–22. Our reporting on control deficiencies will not change.