Observations from our 2017/18 central government audits

Review your integrity settings

Although there are no immediate concerns about integrity arising from the 2017/18 audits, the risk is always there. Organisations need to “keep their house in order” by, for example, preparing a suitable assessment of the risk of fraud and other wrongdoing, ensuring that all relevant policies for sensitive expenditure are reviewed and updated, and making expectations clear at all levels of the organisation.

For example, sensitive expenditure needs to:

  • have a justifiable business purpose;
  • preserve impartiality;
  • be done with integrity;
  • be moderate and conservative, having regard to the circumstances;
  • be made transparently; and
  • be appropriate in all respects.

These principles apply as much to Crown entities as to the core state sector. If in doubt about whether an item of sensitive expenditure is appropriate, consider how the spending could be perceived by the public – will the spending withstand public scrutiny?

Also, we keep encountering issues with the use of work credit or purchase cards. We understand that businesses need to use them and most agencies manage them well. However, there are inherent risks associated with the use of credit or purchase cards. Please make sure that your management team is vigilant, clear about the risks, and you have strong systems in place to manage them.

Getting the basics right

Our auditors noted that some organisations have gaps in some “basic accounting housekeeping” aspects of financial management. Reflecting on the recurring issues we have found, we suggest that organisations should:

  • have in place separate functions for journal entry and approval, and a formal process for reviewing journal entries;
  • have independent reviews and validation of creditor and staff masterfile changes and of monthly reconciliations; and
  • ensure the segregation of duties - that is, sharing the tasks and associated privileges for a specific process among multiple users - to provide increased protection against fraud or errors.

Another significant matter to be mindful of is the recognition and disclosure of liabilities. The annual report should be as clear as possible about uncertainties and possible costs arising.

Compliance with the Holidays Act

It is time to put to rest any residual issues regarding Holidays Act 2003 obligations. Most organisations have now assessed and reported on their liabilities under the Act and have paid their employees what they were owed. This is a long-standing issue which needs to be addressed by the public sector as a whole. Employees should be paid what is owed to them.

Appropriation management

It is important that you continue to closely monitor and manage appropriations. The underlying authority to spend public money is given by Parliament, mainly through an appropriation. Breaches in appropriations have continued a generally positive downwards trend in recent years but they do still occur – in many cases for very avoidable reasons. I have recently increased the profile of our Controller work, with a separate report on it. Through this and other means I will continue to highlight appropriation management issues where they occur.

Fees and levies

Memorandum accounts play an important role in ensuring that agencies are appropriately and transparently managing fees and levies collected from regulated sectors, users of services, or the wider public.

Some central government agencies have significant memorandum account balances that appear to have been accumulating for several years. When significant deficits or surpluses accrue in memorandum accounts, more significant adjustments to fees or levies will be required to correct them. This can be challenging for fee and levy payers and, in some cases, means that service users will bear a disproportionate burden of costs compared with other users over time.

Memorandum accounts need to be monitored regularly, in line with internal policies set for the operator of each memorandum account, and agencies should be taking steps to adjust fees or levies whenever there is a significant change in revenue or expenditure assumptions. This should ensure that memorandum account balances move towards zero in a reasonable time frame. Please refer to our publication Charging fees for public sector goods and services for guiding principles and good practice for setting and reviewing fees, levies, and other charges.

Asset management

Our 2017/18 audits show that organisations are actively working to improve their asset management. There are some specific areas where ongoing attention may be required:

  • Organisations should prepare and implement an asset management plan that identifies important service assets and assesses their condition. This matters because it provides the foundation for robust planning (including financing) for maintaining or replacing these assets. It involves a shift from reactive responses, driven by asset failure or a risk of failure, to proactive long-term planning and investment to maintain and improve service delivery.
  • At an operational level, we noted that some large organisations still manage assets outside their core systems and processes. This is not desirable. Whether it is the use of manual spreadsheets or failure to process transactions through the fixed-asset register, this impedes record-keeping, impairment calculations, and sound planning.

Information Communications Technology controls

Surprisingly, basic information communications technology (ICT) controls still need attention. In several organisations, issues persist despite our auditors making recommendations about them for some time.

Weak ICT policies and procedures for user access increase the risk of unauthorised access to data. In our article on data security, which covered the 2016/17 audits, we found that data security issues continued to be common.

We continue to see:

  • staff and/or third-party contractors with inappropriate access to information systems, including administrative and “superuser” accounts;
  • staff who have left the organisation retaining access to information systems;
  • formal reviews of user-access not being performed or documented; and
  • password policies that are weak or not enforced.

We suggest that you conduct periodic reviews of access rights. We also recommend regular audits of information technology system risks, with any serious concerns addressed as a matter of urgency.

Some organisations are constrained by legacy systems but, regardless of the systems you have, you need to take action if you cannot answer “yes” to the following questions:

  • Do you manage the changes made to information systems, including masterfile data, to ensure that all changes are authorised and understood?
  • Do you implement timely security patches and service packs?
  • Do you regularly review information system policies to ensure that they reflect the changing technology environment and strengthen the governance of the organisation?

Also, following the 2016 Kaikōura earthquake, every organisation should have prepared and tested information technology disaster recovery processes to ensure that critical operations can be recovered quickly.

Governance

We are pleased that organisations are taking seriously many of the issues we discussed in a recent governance and accountability report (Reflections from our audits: Governance and accountability). Many organisations have established an external Audit and Risk Committee and an internal audit function - both strengthen an organisation’s control environment.

On the whole, good governance and reporting mechanisms are in place for major projects and programmes. However, risk management still deserves more attention. Although risk registers are used, they are at differing levels of maturity and follow-up of actions proposed to mitigate risks varies. It is important to continually assess risks at both the strategic and operational level and update the register when risks and issues arise. Some good risk management approaches we have seen include:

  • organisations clarifying their risk appetite and considering how risks can be moderated;
  • differentiating between organisational and project risk;
  • clear responsibility for assessing and managing risks;
  • using external expertise to calibrate risk identification and mitigation strategies; and
  • senior leadership teams and, where relevant, the Board regularly discussing risks and progress on risk management.

One potential weakness is a lack of alignment between risk assessments at “head office” and other offices. More effort needs to go into communication and training to help staff to manage organisational risks. They also need appropriate tools and systems to record, monitor, escalate, and address issues arising.

Performance reporting

In our view, despite some improvements to underlying data capture, there is considerable scope to further improve performance reporting. Issues that we noted include:

  • the need to have strong links between strategy and performance measures;
  • weak or non-existent links between outcomes and outputs or no clear description of attribution between impacts and outcomes;
  • a lack of alignment between performance monitoring and reporting for external accountability purposes and internal management reporting;
  • unclear or undocumented reporting methodology and data definitions for each performance measure;
  • when agencies use client satisfaction measures, they need to make sure they are based on robust methodologies and use appropriate data;
  • a lack of robust systems to report actual results;
  • insufficient quality, quantity, and efficiency measures for each group of outputs; and
  • insufficient assurance that third-party data is correct and verifiable.

Managing data and information well

Some of our recent work focused on how well the public sector uses and manages information to support good decision-making. That work reinforced the need for organisations to use the information they hold as a strategic asset. That involves recognising its value and having in place a deliberate strategy to manage it well, in much the same way as physical assets are managed.

Our 2018 report Reflecting on our work about information poses a number of questions that organisations should consider when thinking about how well they manage information to support decision-making.