Letter to chief executives

After considering the results of the 2014/15 audits of government departments and Crown entities, the Auditor-General sent this letter to their chief executives.

5 May 2016

Dear [chief executive]

“JOINING THE DOTS” – INSIGHTS FROM THE 2014/15 ANNUAL AUDITS

I am writing to you and all other chief executives of government departments and Crown entities to draw your attention to some strategic insights and common internal control and reporting practices that we found during our annual audits in 2014/15.

In sharing these insights, I encourage you to consider which ones apply to your own entity and where you could strengthen your approach. I encourage you to seek input from your senior management team and staff, and independent comment and advice from your audit committee.

In most of the areas covered by our audits, I judge the fundamentals to be working well. We made few recommendations on significant matters because most entities have sound management and financial control environments. The challenge is how to build on these foundations to create a more sophisticated organisational environment – joining the dots internally and between public sector agencies – to deliver high-quality services to New Zealanders.

On the face of it, many of the issues found during our audits relate to processes and controls. However, deficiencies in systems and processes for managing and monitoring day-to-day operations tend to affect strategic leadership, organisational capacity, and, ultimately, effectiveness. For example, without governance and management practices to ensure that you get the right information about how your entity is performing, you may have to spend time on operational issues rather than exercising leadership towards strategic objectives.

Many of you are implementing changes to business models, driven by fiscal constraint and a desire to innovate to keep improving public services. Changes bring challenges, and reinforce the importance of taking care of people – including through training and building their capability. I’m sure you’ll agree that it’s people who make the difference between an acceptable service and an exceptional one.

I note that:

Many entities could better integrate corporate functions and expertise (such as financial and investment planning, monitoring, risk management, and performance reporting) into their core policy and operational work. Joining the dots internally and mainstreaming the responsibility for these functions throughout the entity improves the quality of planning and operations, and also gives the specialists time to focus more on their areas of expertise.
Although individual entities are, overall, managed well, systems could be lifted to a level of maturity where they support strategic leadership throughout the public sector, and support the stewardship of the whole system that chief executives of departments are collectively charged with. Entities’ planning and reporting is still largely entity-centric, rather than focused on meeting the needs of citizens in a more joined up way.

Governance and accountability

Governance and accountability arrangements need to support effective delegations, make management and reporting responsibilities clear, and provide avenues for considering risks and managing their mitigation. This leaves chief executives in a position to consider the medium- and long-term direction, rather than managing operational details.

Many entities have sought or are seeking to improve governance in their efforts to improve their management control environment, and good use is being made of audit committees.

Some of the good practice we saw…
A clearly structured audit committee, with a good charter and appropriate composition (including independent external members). Chief executives attending audit committee meetings. A risk management framework and regular reporting on risk management at the right levels. A formal and structured approach to risk, incorporating a broad range of external advice and assurance mechanisms to support governance (for example, a formal programme of independent quality assurance and an independent advisory body). An internal assurance mechanism integrated with risk management.

You might like to check that you have in place…
Governance that is based on clearly articulated and agreed accountability. Strong alignment between planned results, internal controls, and performance monitoring. Mature risk management: consideration of risk is integral to the operations and goes beyond compliance and avoidance. Strong controls over access to internal information to mitigate fraud risk. Timely implementation of recommendations from previous audits or other reviews.

Project and programme management

Appropriate governance and accountability arrangements are also important for successful project and programme management.

You might like to check that you have in place…
Clarity about the scope of significant projects, and a clear understanding of the intended benefits, goals, and outcomes, and when they are expected. Activities for investment in or changes to staffing, behaviours, processes, systems, and infrastructure that are integrated and aligned. Risk analysis that is commensurate with the size, value and complexity of projects. Assurance activities aligned with programme milestones and points of risk. Robust policies and processes for managing projects throughout the life of the project, including evaluation. Systems for monitoring and reporting stages of projects against milestones and budgets, and access to information throughout the life of the project to inform decision-making.

Management and financial control environments

In an environment of significant change, it is even more important that you maintain strong foundations for managing your entity and its finances, and take care of your people. Maintaining the right tone at the top, in integrity and strategic intent, is critical.

Knowing that the right systems and controls are in place provides important assurance. Based on what we have seen, management and financial control environments are generally sound. However, there is still room for improvement, including a need for wider thinking by chief executives about how to give effect to strategic leadership and their role as stewards of the public sector, not just of their own entities.

Financial oversight

Some entities could not provide timely records for audit – those entities urgently need to catch up on the basics.

Some entities had no independent review of financial transactions. This increases the risk of fraud or error. I encourage you to think about systems that could provide transparent and reliable reporting, with expert staff focused on checking for exceptions.

Some entities, particularly district health boards, did not calculate accruals correctly. This has affected how accurately surpluses and deficits were reported.

Some entities had payroll issues. Given that personnel costs account for 60% or more of many entities’ total expenses, it is important for managers and governors to obtain assurance over this expenditure.

Controls for information and communications technology

Some entities are still struggling with basic controls, such as ensuring that users’ access is appropriate to their roles and terminated when they leave the entity. Lapses in these controls could have serious consequences, such as fraud, identity theft, cyber-crime, or information leaks. As chief executive, you need to have assigned responsibility clearly and ensure that you or your internal audit team and the audit committee receive appropriate information.

In my view, chief executives need to be alert to the risks of cyber fraud, such as email scams, ransom-ware, and spear-phishing.

You might like to check that you have in place…
Good policies, processes, and practices for password controls to prevent inappropriate access to computer systems. Timely installation of new systems to avoid relying on manual workarounds and risks to accuracy and continuity. Adequate disaster recovery and business continuity planning. Documented evidence of independent approval of transactions.

Service performance reporting

Generally, central government organisations reported their performance adequately. Given how important accountability is, I encourage chief executives to look at reporting as more than a compliance exercise.

Also, smart entities (and those with smart management teams) use performance information effectively for management purposes, to identify high-performing areas, to drive improvement, and to build feedback loops that help with setting targets and monitoring and reviewing progress against strategic objectives.

During the 2014/15 audits, we found some deficiencies affecting the accuracy and quality of information. We saw:

“legacy” IT systems that did not properly provide the information needed to report;
lack of clarity about the strategic intentions of the entity, resulting in the entity not articulating appropriate performance indicators properly;
the absence of performance measures to provide information on the quality of the services provided; and
inconsistencies between the performance information used internally to make strategic and operational decisions and the information used for external reporting.

You might like to check that you have in place…
A strategy, and a performance framework, that are set out clearly with easily seen links to what is intended to be achieved each year and in the longer term. Performance measures that are reviewed to reflect any new areas of activity and funding. Clear and defined methodologies for measuring performance against each of the performance measures, and a consistent approach to collecting and recording performance data, based on good processes and controls. Systems and processes for recording performance information, with enough appropriate controls operating to protect the integrity and accuracy of underlying information.

Procurement and contracting

Government entities spend a lot of money on contracted goods and services each year, especially on health and social services. Generally, entities follow the right processes for procurement and work to safeguard the prudent use of public money. However, entities could benefit from closer links between strategic direction and procurement, enabling more strategic purchasing, monitoring, and risk management.

The mix of delivery models is changing. Commercial expertise is becoming more important, and entities need to ensure that they have the capability to interact with private sector and non-governmental organisation partners, and to co-ordinate effectively with other government organisations.

We expect to see procurement expertise embedded throughout entities as part of a core skill set, leaving specialists to focus on intractable or highly technical cases. It is also becoming more and more important to have commercial and technical expertise on decision-making panels for large projects, especially for ICT infrastructure. Most entities are following appropriate procurement and contracting practices and have adequate processes for doing so. However, we saw a procurement decision that was challenged in court after an alleged lapse in due process. Procurement processes must be fit for purpose and procurement costs need to match the size of the task and the risk it entails.

We are not seeing enough evidence of value-for-money assessments, nor enough account taken of service delivery from a citizen’s perspective.

You might like to check that you have in place…
Procurement frameworks and processes that are consistent throughout the entity. Terms for monitoring contracts that are clear and well recorded.

Investment and asset management

For many chief executives, managing assets is a core stewardship responsibility. In the past, investment and asset management have been treated as a specialist or niche function.

We have seen some improvements in overall practice but the quality of asset management planning still varies, and the collection and use of data could be enhanced.

I would like to see a shift from reactive responses when there is an asset failure or the risk of failure to proactive long-term planning and investment to maintain and enhance service delivery. This approach needs to feed into business planning and performance reporting.

Some of the good practice we saw…
Long-term asset management plans. Entities that knew the condition of their assets and had plans to ensure that physical assets were maintained and replaced to support effective operations. Entities keeping track of information technology systems, how well they were operating, and what needed to be spent to upgrade and maintain them. Appropriate analysis and information fed into capital budgets. Active consideration of the risks associated with legacy information technology systems, and the development of a legacy mitigation approach.

You might like to check that you have in place…
Comprehensive reviews of the quality of asset management planning. For all critical service assets, an understanding of the levels of service provided and what reinvestment will be required to ensure that they are maintained in future. Levels of service and performance measures applied in making and monitoring all asset management decisions. Consistent methodologies for assessing the condition of assets, targeting, and reporting against a specified standard of condition. Asset management plans and valuations reflecting the condition of assets, rather than assumptions about the state of the assets.

Avoiding appropriation breaches

Chief executives are responsible for making sure that their spending is within appropriations. In 2014/15, several entities recorded breaches of appropriations, spending beyond or out of scope of their appropriation without authority. Some breaches that result from unforeseen demand can be difficult to avoid – others could and should have been avoided with better anticipation of events and their financial consequences.

Financial reporting and new accounting standards

Entities have a responsibility to understand new reporting requirements and to plan effectively to implement them. For some entities, the new Public Benefit Entity (PBE) accounting standards posed challenges. Crown entities in some sectors did not all understand the new reporting requirements. Some organisations responsible for sector leadership or oversight did not exercise leadership and communicate adequately with their sector.

Also, entities need to take advantage of the flexibility available within the new accounting standards by focusing on users' information needs and what matters most. The way is open for public entities to change the focus of their reporting from complying with specific accounting standard requirements to communicating better through their financial reports. During the last six years, I have strongly supported the "de-cluttering" of financial statements. Those who prepare financial statements need to think about and include only the information that is necessary for users' understanding.

Some of the good practice we saw…
Modelling financial statements with new requirements incorporated early in the year. Working early on with auditors or commissioning an independent review to improve understanding of new requirements, such as the PBE accounting standards.

You might like to check that you have in place…
Effective sector leadership of changes, leading to clear, timely, and consistent communication. More effective anticipation of the accounting and appropriation changes, to prevent issues with accounting and reporting treatments. Regular contact with auditors in preparation for the audit. Review of the content of financial statements, to ensure that appropriate judgements have been made about what information needs to be disclosed.

I commend to you our report Improving financial reporting in the public sector, which is available at www.oag.govt.nz. I also enclose a copy of our report Reflections from our audits: Governance and accountability. If you would like extra hard copies for the chairperson of your Board and/or audit committee, please contact [email protected].

Deputy Controller and Auditor-General Greg Schollum and I are very happy to discuss the information in this letter and the governance and accountability report at our next meeting with you. Likewise, I encourage you to talk with your Sector Manager from the Office of the Auditor-General and your Appointed Auditor about the matters raised in these documents.

Yours sincerely

Lyn Provost
Controller and Auditor-General