Observations from our 2016/17 central government audits
16 May 2018
Letter sent on 16 May 2018 to chief executives of government departments and Crown entities by Greg Schollum, Deputy
Controller and Auditor-General sharing some observations on common issues and noteworthy practice from our 2016/17
annual audits.
Tēnā koe
I am writing to you and all other chief executives of government departments and Crown entities to share some
observations on common issues and noteworthy practice from our 2016/17 annual audits.
As you know, the public sector environment is rapidly changing, including changes in public expectations and technology.
There is also a stronger focus on cross-sector outcomes. Doing the basics well in this fast-paced and changing
environment is challenging. Our audits indicate that, collectively, chief executives have done a good job maintaining a
high standard of public sector management. However, there are some matters that need attention.
The fundamentals are working well
Most central government entities continue to have sound management and financial control environments. Our auditors
reported, overall, that entities are better prepared than previous years and provided information on time for audit.
However, there are aspects that some entities need to focus more on:
• Strategic financial management remains one of the bigger challenges. We encourage entities to share their
practice and, where possible, work together to improve capability.
• Staff who use the financial system in your organisation, particularly those holding financial and operating
delegations, need a clear understanding of their entity’s internal control framework, including their roles and
responsibilities.
• New entities, or entities that take on new functions, need to make financial management integral, rather than
considering it as an afterthought. There were instances where entities realised this too late with functions or assets
that they took on.
• Throughout the public sector, there are still significant challenges related to resolving historical holiday pay
issues. Although we accepted entities recording contingent liabilities when the holiday pay obligation could not be
reliably measured, it would be preferable if entities could quickly bring this issue to a conclusion.
• We recommend that entities have a system that enables transparent and reliable reporting on a day-to-day basis,
supported by a process of checking for exceptions by experts. Our auditors noted that some independent reviews of
financial transactions were handled too casually, not done, done manually, or not documented in a timely fashion.
• Supporting documentation for journals needs improvement and we encourage entities to have processes in place to
ensure that all journals are appropriately supported. Journals are at risk of manipulation because they can be used to
mask other transactions.
• Reconciliations of important control accounts are not being universally done well, which makes budget monitoring
more challenging.
• Revenue recognition caused difficulties for several entities. In some instances, this was related to externally
funded projects.
Information communications technology presents risks
Information Communications Technology (ICT) deserves a special mention, in part because our auditors continue to find
basic issues, but also because of the growing seriousness of ICT-related risks and their potentially pervasive adverse
impact. Our auditors found that entities have a greater awareness of cyber security and fraud access issues and have
generally improved their practices. However, on the whole, entities would benefit from enhanced controls when it comes
to preventing Information Technology (IT) fraud and mitigating risks of business interruption.
Some entities rely too much on contractors to manage ICT risks. Using external expertise should support internal
capability, not replace it. Entities are still accountable for the risks. We suggest that entities spend time and
resources on identifying their highest ICT risks. Some of this might require detailed work, for example, conducting an
independent review of all virus signature updates.
Governance is generally sound
Many entities have appropriate governance arrangements, and the benefits are apparent in day-to-day operational
oversight, reporting, and risk management. Significant change projects have also run well in part because of strong
governance arrangements.
Good governance for large projects enables better oversight
Robust governance processes help ensure oversight at the main stages of project delivery. This includes the complicated
area of IT project management. An appropriate governance setup might include an investment board, external risk and
assurance committee, a focus on integrating risk management in the investment portfolio, and developing benefits
reporting.
Managing change
Even when significant organisational changes were being implemented, our auditors found that most entities managed the
immediate transition well.
Financial and general IT controls that we rely on for our audit work continued to operate during the organisational
changes. The long-term challenge is benefits realisation. We are less certain about whether entities are always clear
about what they want to achieve and are appropriately measuring benefits.
Below we make some observations on good practice in managing change:
• Entities need to have a good understanding of the risks that changes could present to the control environment
and ensure that there are effective control and assurance measures in place to prevent and detect unauthorised or
inappropriate activity. This applies particularly if there is significant change to staff roles and the operating
culture.
• When core corporate teams (Finance, Human Resources, and Risk Assurance) are heavily affected by organisational
changes, entities need to be aware of the particular risks that come from this, including the loss of critical
institutional and financial knowledge.
• Taking a staged approach to managing change can help manage the risks inherent in delivering complex programmes
compared to implementing change all at once.
• When restructuring is likely to result in liabilities, entities need to remain alert to the threshold for
recognition of a liability being met, because this matter is likely to have implications for financial reporting in
future periods.
• Entities need to be aware of the need to have sound processes for severance payments.
Performance reporting
Effective performance reporting has become a more complex task in an environment where organisations are seeking to
achieve sector and system outcomes with other agencies. We are seeing some good examples of individual performance
frameworks, but a lot more remains to be done to report effectively on outcomes achieved by more than one entity.
Below we make some observations on good practice in performance reporting:
• Performance reporting needs to align with the main strategies, and work is needed to improve the links between
strategic priorities and measures of success.
• Entities should identify the main measures that reflect their overarching focus and objectives. If it is not
clear to the reader what service an entity delivers, then important information is missing.
• Good performance reporting often needs to draw on a combination of data, case studies, and commentary integrated
in the performance story.
• External measures and measures used for management decision-making should align.
• There needs to be an appropriate balance of timeliness, quantity, quality and, where appropriate, cost
effectiveness measures.
• Sophisticated performance reporting provides trends over time and uses well calibrated benchmarks for
performance, where possible drawing on comparator entities.
• Compiling a data dictionary can help entities understand if measures are fit for purpose.
• If your performance measures rely on third-party information, ensure that the information is independently
verified and appropriate controls are in place.
Asset valuations
We have concerns about some entities’ asset valuation practices. These concerns are less about actual control
deficiencies and more about entities’ substantive assessment of what they own and look after. Valuations are important
for some entities because of the size of the asset, which feeds into the Crown’s balance sheet.
Even for entities without significant asset valuation issues, there are some general lessons that might usefully be
applied to other functional aspects:
• The quality of information matters.
• Data collected needs to be suitable for the purpose it is collected.
• Methodologies are important for assessing condition, planning maintenance, and expenditure.
• Maintain ownership. You might contract out an activity such as asset valuations, but you are still accountable.
We suggest that you mitigate the risk by keeping in touch with the contractor to ensure the resulting valuation reflects
the environment in which you are operating.
• Maintain organisational oversight, consider an analytical review of main assets, and explain significant
movements or lack of expected movements. This will help identify potential errors.
• If there is a time-lapse between asset valuations, we suggest entities analyse where values may have moved
significantly and whether this could be material.
Procurement – reflecting on current strengths and what might still need attention
Our Office proposes to start a multi-year work programme on procurement in 2018/19. Our 2016/17 audits confirmed that
entities generally follow appropriate procurement and contracting practices and have adequate processes for doing so.
However, we are less certain that procurement is well embedded in entities’ strategic planning. For our future work
programme, we intend to focus more on how entities’ decisions reflect their strategic direction. We will also look at
whether entities are clear about the benefits sought, well placed to monitor and report on benefits realisation, and
making any needed changes to procurement arrangements.
We are aware of the changes in delivery models. Some entities have expanded their capability, including using private
sector expertise so they can have more effective relationships with partners from the private sector and
non-governmental organisations. However, recruiting staff who are new to the public sector poses challenges. We
encourage entities to put in place thorough induction processes and ongoing support for these staff to ensure that
private expertise can be harnessed effectively.
Below we list some of the foundations for effective procurement:
• Robust governance, independent assurance, and monitoring. There is a strong relationship between good
governance, project management, and ability to conduct procurement effectively.
• Pre-tender market engagement that is commensurate with the complexity and risks of the envisaged commissioning.
• An overriding framework, supported by guidelines, which allows all the parties to procurement contracts to
measure their performance consistently and accurately.
• Initiatives to build internal capability, such as undertaking procurement “health checks” throughout the
organisation and creating a “community” of people who are regularly involved in procurement to analyse and learn from
their practices.
• For complex procurement cases, preparing for possible outcomes and test whether the evaluation process and
criteria are indeed suitable for securing desirable outcomes.
We have emphasised in the past our expectation to see procurement expertise embedded throughout entities as part of a
core skill set. This will allow specialists to focus on difficult or highly technical cases. It is also becoming more
important to have commercial and technical expertise on decision-making panels for large projects, especially for ICT
infrastructure.
Grants
Because there is no specific accounting standard for grant accounting, policies have been prepared using other
accounting standards and liability definition and recognition principles. This has resulted in different accounting
practices for similar grant arrangements in the public sector. We acknowledge the challenges this has posed, but we
encourage public entities to improve their management of grants. When grants are seen as not constituting procurement,
they are often not treated with the same rigour, yet there are often significant amounts of money involved. Two main
deficiencies we have found relate to:
• a lack of clear policies and guidance for grant activity; and
• failure to exercise an overview across different operating functions.
Please stay in touch
I encourage you to discuss this letter with your appointed auditor. I would also welcome dialogue with our Office. I
suggest you contact the relevant sector manager in the first instance.
Nāku noa, nā
Greg Schollum
Deputy Controller and Auditor-General