Financial Management
Compliance Framework
user guide
Updated August 2013
The Secretary
Department of Treasury and Finance
1 Treasury Place
Melbourne Victoria 3002
Australia
Telephone: +61 3 9651 5111
Facsimile: +61 3 9651 5298
www.dtf.vic.gov.au
Authorised by the Victorian Government
1 Treasury Place, Melbourne, 3002
© Copyright State of Victoria 2013
This book is copyright. No part may be reproduced by any process except in accordance with
the provisions of the Copyright Act 1968.
ISBN 000-0-000000-00-0
Published August 2013.
If you would like to receive this publication in an accessible format please telephone
9651 0909 or email [email protected]
This document is also available in PDF format at www.dtf.vic.gov.au
Contents
User guide to Standing Direction 1 ..................................................................... 1
Introduction ......................................................................................................................................... 1
User guide to Standing Direction 2.1 .................................................................. 6
Financial Code of Practice ................................................................................................................... 6
User guide to Standing Direction 2.2 ................................................................ 11
Financial Governance – Responsible Body ........................................................................................ 11
Financial Governance – formal statements....................................................................................... 13
Financial Governance – Audit Committee ......................................................................................... 21
User guide to Standing Direction 2.3 ................................................................ 35
Financial risk management................................................................................................................ 35
User guide to Standing Direction 2.4 ................................................................ 39
Authorisations ................................................................................................................................... 39
User guide to Standing Direction 2.5 ................................................................ 41
Internal audit ..................................................................................................................................... 41
User guide to Standing Direction 2.6 ................................................................ 48
External audit .................................................................................................................................... 48
User guide to Standing Direction 3.1 ................................................................ 51
Financial management structure ...................................................................................................... 51
User guide to Standing Direction 3.1.1 ............................................................. 52
Public sector agency financial Management team structure ............................................................ 52
User guide to Standing Direction 3.1.2 ............................................................. 54
Chief Finance and Accounting Officer (CFAO): credentials and endorsement ................................. 54
User guide to Standing Direction 3.1.3 ............................................................. 56
Policies and procedures..................................................................................................................... 56
User guide to Standing Direction 3.1.4 ............................................................. 57
Chart of accounts............................................................................................................................... 57
User guide to Standing Direction 3.1.5 ............................................................. 60
Managing outsourced financial services: outsourcing governance and audit scrutiny .................... 60
User guide to Standing Direction 3.2 ................................................................ 74
Information technology systems ....................................................................................................... 74
User guide to Standing Direction 3.2.1 ............................................................. 75
Information technology management .............................................................................................. 75
User guide to Standing Direction 3.2.2 ............................................................. 79
Information technology operations .................................................................................................. 79
User guide to Standing Direction 3.2.3 ............................................................. 91
Security .............................................................................................................................................. 91
User guide to Standing Direction 3.2.4 ............................................................. 94
Development ..................................................................................................................................... 94
User guide to Standing Direction 3.2.5 ........................................................... 100
Change control ................................................................................................................................ 100
User guide to Standing Direction 3.3 .............................................................. 102
Education and training .................................................................................................................... 102
User guide to Standing Directions 3.1.3 and 3.4 ............................................. 103
Policies and procedures................................................................................................................... 103
User guide to Standing Direction 4.1 .............................................................. 121
Internal financial management reporting ....................................................................................... 121
User guide to Standing Direction 4.2 .............................................................. 125
Reporting in terms of part 7 of the FMA ......................................................................................... 125
User guide to Standing Direction 4.3 .............................................................. 127
Other external reporting ................................................................................................................. 127
User guide to Standing Direction 4.4 .............................................................. 129
Financial performance management and evaluation ..................................................................... 129
User guide to Standing Direction 4.5 .............................................................. 142
Financial management compliance obligations .............................................................................. 142
User guide to Standing Direction 4.5.1 ........................................................... 143
Compliance with directions ............................................................................................................. 143
User guide to Standing Direction 4.5.2 ........................................................... 149
Taxation ........................................................................................................................................... 149
User guide to Standing Direction 4.5.3 ........................................................... 151
Purchasing card ............................................................................................................................... 151
User guide to Standing Direction 4.5.4 ........................................................... 153
Thefts and losses ............................................................................................................................. 153
User guide to Standing Direction 4.5.5 ........................................................... 165
Risk management compliance......................................................................................................... 165
User guide to Standing Direction 4.5.6 ........................................................... 166
Treasury risk management .............................................................................................................. 166
User guide to Standing Direction 4.5.7 ........................................................... 169
Foreign exchange risk management................................................................................................ 169
User guide to Standing Direction 4.5.8 ........................................................... 174
Commodity risk management ......................................................................................................... 174
User guide to Standing Direction 1
Introduction
Contents:
• Introduction to Standing Directions of the Minister for Finance; and
• Attachments:
– overview of the Financial Management Compliance Framework; and
– annual FMCF certification process.
The Financial Management Compliance Framework (FMCF) is a framework to assist Victorian
public sector (VPS) agencies establish and maintain effective financial management to
support the achievement of agencies’ key objectives and goals.
It also helps the Victorian Government monitor the standard of financial management in line
with the Standing Directions of the Minister for Finance (the ‘Directions’).
The FMCF was launched by the Department of Treasury and Finance (DTF) in July 2003 and
was subsequently updated in July 2005 and August 2007.
The Directions are designed to supplement the Financial Management Act 1994 (FMA).
Objectives of the FMCF
The FMCF was developed to:
• promote effective financial management;
• meet the government’s requirements for accountability;
• provide Ministers (including the Minister for Finance) with reasonable assurance that VPS
agencies have implemented appropriate systems to comply with the Directions and to
use public resources efficiently and responsibly; and
• assist agencies in identifying and documenting their financial compliance status.
Application and compliance with the FMCF
The FMCF applies to all VPS agencies who:
• are a ‘public body’ (defined in section 3 of the FMA); and
• are included in the whole of government consolidated ‘Annual Financial Report for the
State of Victoria’.
Annual compliance certification
Agencies certify compliance with the Directions requirements (that are derived from the
Directions) of the FMCF via the Compliance Monitoring System (CMS) website:
https://www.cms.dtf.vic.gov.au
Certification takes place annually from July to September each year.
An overview of the annual certification process can be found within this section.
The structure and components of the Directions
The Directions have four components. Section 1 is the Introduction. Sections 2, 3 and 4 are
based on components of sound financial management as depicted below:
Key components of leading edge financial management:
• Section 2 – Financial management governance and oversight
• Section 3 – Financial management structure, systems, policies and procedures
• Section 4 – Financial management reporting
Section 2 – Financial management governance and oversight
Governance is about the processes by which a public sector agency is directed, controlled
and held to account. The Directions on financial management governance and oversight set
standards for public sector agencies, which should be incorporated as fundamental
elements in an overall governance framework.
Section 3 – Financial management structure, systems, policies and procedures
The Directions for financial management structure, systems, policies and procedures set
standards for all public sector agencies to achieve sound systems of internal control to
support financial management.
Section 4 – Financial management reporting
The Directions for financial management reporting set standards for public sector agencies
to assist them in measuring and managing performance and to ensure financial
management reporting is consistent with applicable statutory reporting obligations.
Presentation of the Directions
Each Standing Direction is comprised of the following:
• Background – Explanatory section providing users with an understanding of the
compliance obligation.
• Direction – A statement which sets out the compliance obligation (mandatory).
• Procedure – Sets out the method of achieving the compliance obligation (mandatory).
• Guidelines – Serve to explain and clarify the principles and objectives of the direction
(reference only).
• Supplementary material – Information designed to assist in achieving compliance with
the Directions.
Exemptions
Agencies may seek exemptions from the Minister for Finance for specific direction
requirements including:
• to establish and maintain a proper functioning audit committee (Direction 2.2,
procedure (e));
• to establish and maintain an Internal Audit function (Direction 2.5);
• that the audit committee chair is an independent chair (Direction 2.2, procedure (l)); and
• that the chair of the audit committee is not also the chair of the board (or responsible
body) (Direction 2.2, procedure (m)).
Exemptions must be sought in writing and include the reasons for the exemption as well as
proposed alternative actions or procedures.
Government departments are not eligible for exemptions.
Sections 2.2 and 2.5 of the user guide provide detail on the exemption process and
evaluation criteria.
Abbreviations
AASB – Australian Accounting Standards Board
ATO – Australian Taxation Office
BFMG – Budget and Financial Management Guide
CFAO – Chief Finance and Accounting Officer
CFO – Chief Finance Officer
DTF – Department of Treasury and Finance
FBT – Fringe Benefits Tax
FMA – Financial Management Act 1994
FRD – Financial Reporting Directions
GST – Goods and Services Tax
Definitions
Accountable Officer – as per section 3 of the FMA.
Business Rules – are the rules made by the Deputy Secretary, Budget and Finance,
Department of Treasury and Finance.
Directions – mean these Standing Directions.
Financial Reporting Directions – are directions given by the Minister for Finance for the
accounting treatment and reporting of financial transactions.
Government Department – same as ‘department’ as defined in section 3 of the FMA.
Public sector agency – any public body as defined in section 3 of the FMA or any
government department.
Responsible Body –
• for a government department – the accountable officer; and
• for every other public sector agency – the Board.
In the event that a person or body is declared to be an authority for the purposes of the
definition of ‘authority’ in section 3 of the FMA, anything in these directions applying or
referring to a government department applies or refers also to that person or body, unless a
Direction explicitly provides otherwise.
An overview of the Financial Management Compliance Framework
What is in the FMCF?
The Financial Management Compliance Framework (FMCF) is a framework to assist Victorian
public sector (VPS) agencies establish and maintain effective financial management to
support the achievement of agencies’ key objectives and goals.
It also helps the Victorian government monitor the standard of financial management in line
with the Standing Directions of the Minister for Finance (the ‘Directions’).
The FMCF was launched by the Department of Treasury and Finance (DTF) in July 2003 and
was subsequently updated in July 2005.
What are the objectives?
The FMCF was developed to:
• promote effective financial management;
• meet the government’s requirements for accountability;
• provide Ministers (including Minister for Finance) with reasonable assurance that VPS
agencies have implemented appropriate systems to comply with the Directions and to use
public resources efficiently and responsibly; and
• assist agencies in identifying and documenting their financial compliance statement.
Who needs to comply?
The FMCF applies to all VPS agencies who:
• are a ‘public body’ (defined in section 3 of the FMA); and
• are included in the whole of government consolidated ‘Annual Financial Report for the
State of Victoria’.
How and when do agencies certify?
Agencies certify compliance with the Directions Requirements (that are derived from
Directions) of the FMCF via the Compliance Monitoring System (CMS) website:
https://www.cms.dtf.vic.gov.au/
Certification takes place annually from July to September each year.
Refer overleaf for an overview of the annual certification process.
How did the Direction come about?
The Directions are designed to supplement the Financial Management Act 1994 (FMA).
They are pursuant to section 8 of the FMA.
What are the key components of the Directions?
The Directions are based on the following three components of sound financial
management:
• Financial management, governance and oversight;
• Financial management, structure, systems, policies and procedures; and
• Financial management reporting.
How are the Directions presented?
Details of the Directions:
• Background – Explanatory section providing users with an understanding of the
compliance obligation.
• Direction – A statement which sets out the compliance obligation (mandatory).
• Procedure – Sets out the method of achieving the compliance obligation (mandatory).
• Guidelines – Serve to explain and clarify the principles and objectives of the direction
(reference only).
• Supplementary material – Information designed to assist in achieving compliance with
the Directions.
Further information and assistance
www.dtf.vic.gov.au (See: Government Financial Management: Financial Management
Compliance Framework)
Go to the FMCF toolkit (on the DTF website) – the online information resource for the FMCF.
DTF initiatives:
Launch of the FMCF toolkit to provide a single resource for all FMCF information in relation
to the Directions, Rules, certification process, upcoming seminars and the updated user
guide.
Annual FMCF certification process
FMCF certification is completed by agencies on an annual basis. The following outlines the
steps within the annual FMCF certification process at the agency and portfolio level. The
timing of tasks is provided as a guide.
Data integrity framework – Process overview
Throughout the year: Complete review requirements
There are requirements within the FMCF to complete reviews over a number of areas
throughout the year, e.g. policy documents and the financial risk profile (see Supplementary
Material flyer for Direction review requirements).
1. Complete relevant reviews.
2. Where required, obtain endorsement by the CEO/CFO (or delegate) or the Board/Audit
Committee.
3. Keep documentation supporting evidence of these reviews.
June – July: Assess compliance
The FMCF compliance certification checklist provides detailed guidance of compliance
requirements for each Direction.
4. Use the compliance certification checklist to review the compliance status against each of
the mandatory elements within the Direction Requirements.
5. Determine the compliance level (compliant, partially compliant, not compliant) using
results from step 4 and complete the certification checklist as at 30 June.
6. Ensure there is evidence to support the compliance levels certified (where relevant).
July – August: Obtain sign-off
7. Obtain required approval, e.g. Board/Audit Committee, upon completion of the
compliance certification checklist.
8. Finalise detailed sign-off over Direction 2.2(d) and (w), including:
– internal controls
– risk management
– financial statements
August – September: Complete and submit certification
9. Complete online certification via the compliance monitoring system (CMS) website:
www.cms.dtf.vic.gov.au
10. Provide signed certification letter and exception compliance summary attachment
(where applicable) to the relevant portfolio Minister and copied to the portfolio
coordinator.
Note: The compliance summary attachment is an exceptions report that details rectification
plans and reasons for partially or not compliant responses. Agencies can also add further
comments in this attachment.
Department/portfolio process
September
11. Agency compliance certification received by the Portfolio Minister via the portfolio
department.
October
12. Agency compliance certification received by the Portfolio Minister via the portfolio
department.
13. Agency compliance certification received by the Portfolio Minister via the portfolio
department.
User guide to Standing Direction 2.1
Direction requirement 1
Financial Code of Practice
Introduction
Direction 2.1 of the Standing Directions of the Minister for Finance (the Directions) requires
each agency to implement and maintain a Financial Code of Practice (the Code) that outlines
standards and practice in relation to the probity of their financial management.
Developing a code
The Code must cover the following areas (as per Direction 2.1):
• independence, integrity, accountability, confidentiality;
• procurement, tendering, credit cards;
• conflicts of interest;
• personal relationships with the public sector agency’s customers and providers;
• corporate opportunities;
• fair dealing;
• protection and proper use of the public sector agency’s assets; and
• encouraging the reporting of unlawful or unethical behaviour.
Agencies will have detailed policies and procedures in place for some of the areas listed
above, e.g. whistle-blower, procurement, conflict of interest.
The Code should not duplicate, but direct the reader to the agency’s existing detailed policies
and procedures which provide further guidance and detailed procedures in relation to the
items listed in the Code. The Code should not replace detailed policies and procedures but
should provide a high level statement about employee conduct required for specific areas.
The Code should also be consistent with the Victorian Public Service Code of Conduct and the
Directions. Consideration could also be given to good practice in the public and private sector
bodies, e.g. Principle 3 ‘Promote ethical and responsible decision-making’ of the ASX
Corporate Governance Council Principles of good corporate governance and best practice
recommendations, March 2003.
Supporting the Code
Processes to support the Code should be developed to:
• ensure it is up to date and consistent with changes in the internal and external
environment;
• identify employees required to comply with the Code;
• prompt regular (at least annual) review of changing roles within the agency to identify
relevant employees with direct or indirect responsibilities for financial transactions, groups
of transactions, or other financial matters, for example initiation, authorisation/approval,
processing and reporting; and
• handle queries, monitor compliance and manage breaches of the Code.
Communication and education
The Code should be communicated to relevant employees to ensure it is understood and
enhance compliance. Communication of the Code could include:
• access to the document;
• explanation of individual involvement in financial management for the agency,
e.g. explanation of roles and responsibilities, delegations, etc.;
• explanation of responsibilities under the Financial Management Act 1994 and the
Directions; and
• a requirement for individuals to acknowledge receipt and understanding of the Code,
i.e. signing and returning an acknowledgement form (that is kept to demonstrate that the
agency has complied with the requirements of the Direction).
Example
An example of a Financial Code of Practice template is attached.
The template is generic and does not specifically address each agency’s requirements. It is
the basis of a Code that is then tailored to suit the individual needs of the agency.
Attachment 1
Template for a Financial Code of Practice
User note: This template is generic and should be amended to suit the purposes of
the organisation.
<Insert organisation name>
<Insert site name> Financial Code of Practice
Organisation address: <insert address>
Contents:
• Introduction.
• Public funds.
• Declaration of financial and other interests.
• Financial inducements, gifts and hospitality.
• Secondary employment.
• Tendering and procurement process.
• Corporate credit cards.
• Use of property, facilities or equipment.
• Confidentiality.
Introduction
This Financial Code of Practice sets the standards of conduct expected from <insert
organisation name> employees. It applies to all employees of <insert organisation
name> and forms part of the terms and conditions of employment.1 If any of the provisions
contained within this Financial Code of Practice are not fully understood, employees should
seek clarification from their line managers.
Employees are expected to act at all times in the best interest of the <insert organisation
name> and should conduct all dealings with integrity and fairness.
The <insert organisation name> may apply its disciplinary procedures against employees
who are in breach of this code. Instances of non-compliance with this Code may be reported
through <insert details of the breach reporting process>.
<Insert organisation name> procedures are consistent with the requirements of the
Victorian Government Whistle-blower Legislation.2
Public funds
The <insert organisation name> acknowledges the responsibility it has for the
administration of public funds. The <insert organisation name> emphasises to the public, the
government and its employees the importance it places upon propriety, financial control and
honest administration.
The <insert organisation name> arrangements for the prevention and detection of fraud and
corruption will be kept under constant review, and suspected irregularities will be
investigated.
Where employees have direct responsibility for financial transactions, for example the
ordering of goods and services on behalf of the <insert organisation name>, then they must
be fully acquainted with the Standing Directions of the Minister for Finance pursuant to
Section 8 of the Financial Management Act 1994 and comply with these.
Declaration of financial and other interests3
Employees must declare any personal interests which may affect or be affected by a <insert
organisation name> transaction.
Interests should be declared to the <to be determined by the agency and must be consistent
with the agency’s enabling legislation and culture>.
Employees must not influence the awarding of any contract in which they have any interest.
Employees who act as panel members in the interview and selection process must also
declare any knowledge they have of candidates. Any such knowledge must be disclosed to
<to be determined by agency and must be consistent with the agency’s enabling legislation
and culture> at the earliest opportunity.
1 The Financial Code of Conduct should be distributed as part of the induction process. New employees should sign to
acknowledge that they have read its contents. Further, upon promotion or transfer, employees should be required to
reconfirm and sign to acknowledge their understanding of the contents of the Code with regard to their new role.
2 This legislation should be referred to in developing procedures.
3 Conflicts of interest requirements will vary from public sector agency to public sector agency, for example compare a hospital
agency with the Victorian Police. It is imperative that guidelines are established to ensure that staff are aware of the
requirements to disclose interests and gifts offered and received.
Financial inducements, gifts and hospitality
Employees may not accept gifts that may be, or may be construed as, rewards or
inducements for directing business towards that body/person.
Any monetary gifts handed over to employees must be passed to the <to be determined by
agency and must be consistent with the agency’s enabling legislation and culture>.
Goods, vouchers, non-cost payments etc. received from suppliers or agents (other than
goods officially ordered) shall be declared to the <to be determined by agency and must be
consistent with the agency’s enabling legislation and culture>.
This rule is waived in respect of small items that have a value not exceeding <to be
determined by agency and must be consistent with the agency’s enabling legislation and
culture>.
In areas of doubt advice should be sought from the appropriate manager <to be determined
by the agency>. Employees should also refer to the Official Hospitality Principles issued by
the Department of Premier and Cabinet from time to time.4
Secondary employment
Staff members may not undertake employment outside <insert organisation name> or
engage in the conduct of a business, trade or profession without written permission.
Employees considering taking up a second post should take into account whether this might
conflict with their employment with the <insert organisation name> and should seek
guidance from <to be determined by the agency>.
Tendering and procurement process
All tendering and procurement activity must be compliant with Victorian Government
Purchasing Board’s guidance material where applicable <if VGPB guidance material is not
applicable, replace with ‘policies and procedures’>.
Corporate credit cards
All usage of corporate credit cards must be compliant with the Standing Directions of the
Minister for Finance under the Financial Management Act 1994.
Use of property, facilities or equipment
Employees of the <insert organisation name> often have access to facilities, including office
equipment such as computers, telephones, photocopiers and fax machines to use in carrying
out their official duties.
Excessive personal use of any <insert organisation name> equipment or removal of any
property from the work place for any purpose is not permitted without line manager
approval. Any use for personal gain is not permitted under any circumstances.
Confidentiality
Staff are expected to maintain and respect the confidentiality and privacy of financial
information and other matters of a financial nature that they come across during the course
of their employment. Unless authorised, staff are not to use confidential information for
personal use or to benefit another third party.
4 The most recent version is dated 14 July 1998 and replaces Circular 90/1 on Entertainment Expenditure Guidelines.
User guide to Standing Direction 2.2
Direction requirement 2
Financial Governance – Responsible Body
Introduction
The governance and oversight of the financial management of an agency is the responsibility
of the Responsible Body as per Direction 2.2(a) in the Standing Directions of the Minister for
Finance (the Directions).
Definitions
Responsible Body defined
The Directions define ‘Responsible Body’5 to mean:
 the accountable officer for a government department; or
 the Board for all other public sector agencies.
Accountable Officer defined
‘Accountable Officer’6 means:
 the department head for a department; or
 the chief executive officer for a public body (or the relevant title of this position).
Delegation of responsibilities
The Responsible Body may delegate some of its responsibilities under the Directions to an
Audit Committee, Finance Committee or equivalent (as per Direction 2.2(c)).
However, the Responsible Body cannot delegate or diminish ultimate responsibility for:
 overseeing the financial performance of the agency;
 ensuring the integrity of financial reporting; and
 retaining oversight responsibility for the relevant actions and activities of its delegates.
The Directions do not prevent operational aspects of the Responsible Body’s oversight and
governance role from being delegated to management.7
Documentation of role and responsibilities
The roles, responsibilities and delegations of the Responsible Body should be documented in
a charter or equivalent document.
The document should detail the responsibility and accountability of relationships between
the Minister, the Responsible Body, the Accountable Officer and the CFAO.
5 Refer to S. 1.1 in the Directions for more information re: where a person or body is declared to be an ‘authority’ under S.3 of
the Financial Management Act 1994.
6 Defined under S.3 of the Financial Management Act 1994.
7 This must be completed in accordance with Direction 2.4 (Authorisations).
Requirements of the Responsible Body
The Responsible Body has a number of requirements outlined in Direction 2.2(b) that are
part of its financial oversight and governance role. The requirements are outlined in the
checklist below and should be considered in developing the charter or equivalent. Please
note that guideline 1 to Direction 2.2 also details a number of suggested tasks for the
Responsible Body.
In addition to Direction 2.2(b) the Responsible Body has a number of other requirements8
under the Financial Management Compliance Framework. Please refer to the Directions and
relevant supplementary material for information about this.
Requirements of the Responsible Body under Direction 2.2(b) – Considered?
 Review all financial reports that are provided to parties external to the public
sector agency, prior to their release but subsequent to the approval of the reports
by the CFAO in accordance with Direction 4.3(c).
 Work with management to develop the strategic directions for the public sector
agency, set performance indicators, set performance targets, and review performance
management information and reports against those targets.
 Monitor and oversee the financial performance of the public sector agency on an
ongoing basis, ensuring appropriate human and financial resources are available.9
 Oversee and ensure that procedures are in place that will result in effective and
efficient budgeting.
 Ensure a balance of authority so that no single individual has unfettered powers
over the finances of the public sector agency.
 Ratify the appointment or removal of the CFAO, where appropriate.10
 Review, ratify and oversee the public sector agency’s systems of risk management
and financial internal controls.
 Approve and monitor the progress of major capital expenditure, capital
management, acquisitions and divestitures.
 Meet often enough to undertake its financial governance role effectively, if it
comprises more than one person (e.g. at least four times a year).
 Establish appropriate arrangements to ensure that public funds and resources are
used economically, efficiently, effectively, with due propriety, and in accordance
with the statutory or other authorities that govern their use.
 Undertake an annual review of its own performance in respect of its financial
governance.
8 Examples of other Directions with requirements for the Responsible Body include: Directions 2.3, 2.4, 2.6, 3.1.3, 3.1.5, 3.2.1,
3.4.1, 3.4.3 and elements of Directions in relation to Financial Management Reporting as detailed in Directions 4.1 to 4.5.
Please note this list is not complete.
9 This is also consistent with its role under Direction 4.1 Internal Financial Management Reporting and Direction 4.4: Financial
Performance Management and Evaluation to work with management to develop financial KPIs and receive reports on financial
performance.
10 This is also consistent with its role under Direction 3.1.2: Chief Finance and Accounting Officer to ensure the agency has
financial management leadership from a suitably qualified CFAO.
Direction requirement 3
Financial governance – formal statements
Introduction
The Standing Directions of the Minister for Finance (the Directions) under Direction 2.2
require an agency to:
… establish robust and transparent financial governance policies and procedures
directed to the oversight of its financial management which should be incorporated as
fundamental elements of a public sector agency’s overall governance framework.
Particular attention must be paid to the systems of financial reporting, risk
management, internal control and the adequacy of management reporting.
The Directions mandate an annual formal statement of compliance with the following three
distinct requirements of 2.2(d) for agencies and 2.2(w) for government departments.11
Requirement 1
Presentation of agency’s financial reports.
Requirement 2
That the risk management, internal compliance and controls form the basis of the
financial report.
Requirement 3
That the risk management, internal compliance and control systems operate effectively
and efficiently.
The requirements of Direction 2.2 and in particular, 2.2(d) and 2.2(w) serve as the
foundation for the Financial Management Compliance Framework.
Timing of formal statement
It would be expected that the formal statement of compliance would be made in writing at
least annually upon completion, and before public release of the annual financial report.
There are example formal statement templates included in this material:
 Template 1 – example representation from Accountable Officer and CFAO to Responsible
Body.
 Template 2 – example representation from Management and Staff to the Accountable
Officer and CFAO.
Difference between 2.2(d) and 2.2(w)
The requirements under Direction 2.2(d) are identical in nature to those under 2.2(w); the
only differences are:
 Direction 2.2(d):
– relates to agencies; and
– requires the Accountable Officer and the CFAO to make the formal statement to the
Responsible Body.
11 Note: This material explains each of these requirements in further detail overleaf.
 Direction 2.2(w):
– relates to government departments; and
– requires the CFAO to make the formal statement to the Audit Committee and the
Accountable Officer.
Explanation of the three requirements
The following tables provide detailed explanation of each of the requirements under 2.2(d)
and (w) and include a list of potential steps that the Accountable Officer and CFAO could
consider implementing to support the formal statement requirements.
Please note that the lists are not exhaustive and should only be used as a guide to assist in
the development of agency specific procedures in relation to Direction 2.2(d) and (w).
Requirement 1: Statement over presentation of agency’s financial reports
The CFAO and/or the Accountable Officer12 have an obligation to provide a statement to the
Responsible Body stating that:
 the financial reports present fairly, in all material respects, the financial condition and
operating results of the Agency; and
 the financial reports have been prepared in accordance with the Financial Management Act 1994
including the Directions.
Links to other Directions
 Reporting in terms of Part 7 of the FMA (Standing Direction 4.2, Direction Requirement 23).
How to sign off on Requirement 1
Traditional sign off over financial statements.
(see also Template 1)
Requirement 1 signed off by
 Accountable Officer and CFAO at agency level; and
 CFAO at department level.
Example of potential steps and detail for Requirement 1
Discussions with relevant management and staff with a view to:
 satisfying themselves that the process supporting the preparation of financial
reports was robust and that the financial reports are complete, accurate and
reliable;
 understanding any key assumptions and accounting policies which underpin
material balances (including changes to assumptions or accounting policies since
the previous year);
 considering key areas where significant judgement was exercised in determining
accounting treatments; and
 understanding the nature and rationale of any significant period end
adjustments.
Reviewing performance against financial budgets carried out throughout the
course of the year with a view to:
 ensuring that all material transactions have been captured within underlying
financial accounting systems;
 developing an understanding of the reasons for variances between budgeted
and actual financial results and their reasonableness; and
 comparing year-end financial reports to management accounts and
understanding large adjustments made at year end as well as other impacts
potentially affecting the robustness of the financial management process.
12 At Government Departments the CFAO provides this statement. At other agencies, the CFAO and Accountable Officer
provide this statement.
Example of potential steps and detail for Requirement 1 (continued) – Considered?
Reviewing the financial reports prior to release by:
 completing a comparison to last year’s financial reports and consideration of
significant movements in results, balances and disclosures; and
 understanding changes that have occurred to relevant Accounting Standards
and Directions under the FMA to ensure that they have been captured.
Considering the findings of the financial statement audit process; this is achieved
through discussions with financial accounting staff, the external auditor and the
internal auditor (where relevant), including a summary of adjusted and unadjusted
differences.
Requirement 2: Statement over risk management, internal compliance and control
The CFAO and/or the Accountable Officer12 have an obligation to provide a statement to the
Responsible Body stating that the financial report is founded on a sound system of risk
management, internal compliance and control which implements the policies adopted by the
Responsible Body.
Further explanation for Requirement 2
Requirement 2 focuses on the design effectiveness of internal controls within the financial
reporting process. Internal controls over the financial reporting process would be considered to be
designed effectively if, assuming they were operating as intended, they provided reasonable
assurance that material misstatements in financial reports would be prevented or detected by
management.
Requirement 2 reinforces the fact that the CFAO and Accountable Officer are ultimately responsible
for ensuring that the Agency has adequately designed internal controls over the financial reporting
process. The nature of internal controls that an agency has over financial reporting will vary from
agency to agency depending on factors including, but not limited to:
 the size of the agency;
 the nature and volume of accounting transactions processed by the agency;
 the information technology environment within the agency; and
 the nature and complexity of financial report disclosures required by the agency under Financial
Reporting Directions and accounting standards.
Links to other Directions
 Financial risk management (Standing Direction 2.3, Direction Requirement 5);
 Policies and procedures (Standing Directions 3.1.3 and 3.4, Direction Requirement 12); and
 Risk management compliance (Standing Direction 4.5.5 – refer to Victorian Government Risk
Management Framework).
How to sign off on Requirement 2
Sign off that internal controls have been designed effectively so that they provide reasonable
assurance that material misstatements in financial reports are prevented or detectable. This may
require:
 a representation from the Accountable Officer and CFAO to the Responsible Body – refer
Template 1; and
 where appropriate, a series of management/staff representations to the Accountable
Officer/CFAO – refer Template 2.
Requirement 2 signed off by
 Accountable Officer and CFAO at agency level; and
 CFAO at department level.
Example of potential steps and detail for Requirement 2 – Considered?
Identify significant accounts and disclosures
Identification of significant accounts and disclosures in financial reports.
Examples include:
 items separately disclosed in financial reports;
 qualitative and quantitative factors; and
 materiality at the consolidated financial statements level.
Account mapping
Map significant accounts and disclosures to accounting policies, procedures and
processes that generate the information reported.
Identify the relevant financial statement assertions
For each significant account and disclosure, identify the relevant financial
statement assertions. Examples of assertions are:
 existence or occurrence;
 completeness;
 valuation or allocation;
 rights and obligations; and
 presentation and disclosure.
Identify risks of misstatement
For each of the significant accounts and disclosures, identify risks of
misstatement with reference to the financial statement assertions.
Identify mitigating controls
Based on the risks identified, and with reference to accounting policies,
procedures and processes, identify the key controls which reduce either the
likelihood or impact of the risk occurring.
Sufficiency of mitigating controls
Consider whether the key controls identified are designed such that they provide
reasonable assurance that material misstatements would be prevented or
detected by management throughout the year.
Develop and implement remediation plan
Where significant deficiencies in the design of internal control over financial
reporting have been identified:
 implement immediate corrective action to ensure reported results are not
adversely affected; and
 develop and implement appropriate remedial action plans.
Requirement 3: Statement over efficient and effective operation of risk management,
internal compliance and control systems
The CFAO and/or the Accountable Officer12 have an obligation to provide a statement to the
Responsible Body stating that the agency’s risk management and internal compliance and control
system is operating efficiently and effectively in all material respects.
Further explanation for Requirement 3
Requirement 3 is intended to consider and report against operating effectiveness of controls, i.e.
are internal controls being applied and operated as intended throughout the entire reporting
period?
Links to other Directions
 Financial management governance and oversight (Section 2 – Standing Directions 2.1 to 2.6,
Direction Requirements 1 to 8); and
 Financial management structure, systems, policies and procedures (Section 3 – Standing
Directions 3.1 to 3.4, Direction Requirements 9 to 21).
How to sign off on Requirement 3
Sign off that internal controls are being applied and operated as intended throughout the entire
reporting period. This may require:
 a representation from the Accountable Officer and CFAO to the Responsible Body – Refer
Template 1; and
 where appropriate, a series of management/staff representations to the Accountable
Officer/CFAO – refer Template 2.
Requirement 3 signed off by
 Accountable Officer and CFAO at agency level; and
 CFAO at department level.
Example of potential steps and detail for Requirement 3 – Conclusions?
Gather information about the implementation and operation of internal controls
in the organisation
For example, this may include: results of staff surveys re: knowledge and
understanding of internal controls in day to day operations; the extent to which
internal and external audit recommendations have been implemented;
completion of risk assessment processes within finance and accounting functions;
and evidence that system generated financial reports have been prepared and
disseminated on a timely basis.
Develop and execute an evaluation plan on control activities
For key control activities identified during the evaluation of design effectiveness,
develop and execute an evaluation plan with a view to determining whether they
were operating as intended throughout the course of the year. This may involve a
combination of:
 direct testing of a sample of significant control activities conducted by internal
audit;
 risk and control self-assessment by management and staff; and
 management and staff representations over the operation of internal controls.
Evaluate results to determine if deficiencies represent material weakness
Review the information obtained together with results of testing to determine
whether deficiencies either individually or in aggregate represent material
weaknesses. Where deficiencies are identified (be they material or immaterial),
develop and implement appropriate remedial action plans (immediate and longer
term).
Notification of any control weaknesses
Prepare and provide representation to the Responsible Body noting any material
control weaknesses identified based on the evaluation of control effectiveness.
Attachments
Templates for formal statements
Template 1 – Example representation from Accountable Officer and CFAO to
Responsible Body
Template 2 – Example representation from Management and Staff to the Accountable
Officer and CFAO.
Template 1
Example representation from Accountable Officer and CFAO to
Responsible Body
Statement to the Responsible Body of <insert agency name>
The Accountable Officer and Chief Finance and Accounting Officer state that:
(a) with regard to the integrity of the financial reports of <insert agency name> for the year
ended 30 June <insert year> that:
(i) the financial statements and notes thereto comply with accounting standards in all
material respects;
(ii) the financial statements and notes thereto give a true and fair view, in all material
respects, of the financial position and performance of the agency and consolidated
entity;
(iii) in our opinion, the financial statements and notes thereto are in accordance with
the Financial Management Act 1994 and associated directions; and
(iv) in our opinion, there are reasonable grounds to believe that the agency will be able
to pay its debts as and when they become due and payable.
(b) with regard to risk management and internal compliance and control systems of <insert
agency name> for the year ended 30 June <insert year>:
(i) the statements made in (a) above regarding the integrity of the financial
statements and notes thereto are founded on a sound system of risk management
and internal compliance and control systems which, in all material respects,
implement the policies adopted by the Responsible Body;
(ii) the risk management and internal compliance and control systems underpinning
financial management processes are operating effectively and efficiently, in all
material respects, based on an evaluation against the elements of the agency’s
defined internal control framework; and
(iii) nothing has come to our attention since 30 June <insert year> that would indicate
any material change to the statements in (i) and (ii) above.
<insert name>
Accountable Officer
<insert name>
Chief Finance and Accounting Officer
<Date of annual report> *
<Date of annual report> *
* To be dated as same date as annual report. Statement should be made at least annually to the Responsible Body upon
completion and before the public release of the annual report
Template 2
Example representation from management and staff to the
Accountable Officer and CFAO
Statement to the Accountable Officer and CFAO of <insert agency name>
This statement is to verify that I have:
1) Identified the financial management requirements of my <insert cost centre/division>.
2) Put in place a structure to ensure transactions of the <insert area/office> have been
processed in accordance with these requirements, including:
<insert reference to approved policies and procedures>
<insert reference to approved delegations of authority>
3) Monitored transactions and processes in my <insert cost centre/division> in
accordance with my financial management responsibilities.
4) In this process, identified the following issues that have or may impact financial
management structures or processes under my responsibility:
<insert any areas that need improvement>
<insert any areas that need improvement>
5) Put in place the following rectification plans to address the above issues:
<insert rectification plan and the date by which it is expected to be completed>
This statement has been prepared to the best of my knowledge and confirms that no other
issues that would impact on financial management have come to my attention.
<Manager/staff name>
<Title>
<Date of report>
Direction requirement 4
Financial governance – Audit Committee
Introduction
Direction 2.2 (Direction Requirement 4) of the Standing Directions of the Minister for
Finance (the Directions) requires an agency to appoint an audit committee to oversee and
advise on matters of accountability and internal control affecting the operations of the
agency, unless an exemption has been obtained.13
The detailed requirements for audit committees are outlined in the Procedures to Direction
2.2, specifically:
 establishment and exemptions – Procedure (e)
 charter, roles, responsibilities, meetings – Procedures (h)-(j)
 membership and member qualifications – Procedures (f), (g), (k)-(q), (s)
 member induction – Procedure (r)
 relationships and reporting – Procedures (t)-(v).
This material provides:
 guidance to agencies for the implementation of the requirements in relation to audit
committees; and
 an overview of other audit committee requirements under the Directions.
The checklists in this material identify the mandatory requirements relevant to each of the
detailed requirements for audit committees. The checklists also contain elements that
represent good practice.
Please note that this material should be read in conjunction with the audit committee
requirements detailed in the Directions for internal audit (2.5, Direction Requirement 7) and
external audit (2.6, Direction Requirement 8).
Audit committee establishment and exemptions
The Directions permit agencies to apply for an exemption from establishing an audit
committee. A number of parameters must be met to ascertain whether an agency is
permitted to apply for an exemption.
The exemption process is outlined in the steps below. Also, Attachment 1 provides a
template for the exemption application.
Where an audit committee has been established, it is usually a sub-committee of the Board
(Responsible Body). While the establishment of an audit committee supports the Board’s
performance in the discharge of its financial governance and oversight responsibilities, it
does not release the Board from its responsibilities.
13 Procedure (e) under Direction 2.2 from the Standing Directions of the Minister for Finance under the Financial Management
Act 1994.
Audit Committee exemption process
Step 1 – Majority of non-executive directors
 Are the majority of directors on the Board non-executive directors?
If yes, continue to Step 2.
Step 2 – Majority of non-executive independent directors
 Are the majority of non-executive directors independent?
If yes, continue to Step 3.
 If there are at least three non-executive directors (and two of these are independent), an Audit Committee can be established in accordance with the Directions.
Step 3 – Agency size
 A number of parameters are taken into account when determining an agency’s
size and eligibility for exemptions. The parameters (Total budget, Total assets, Number of full time
equivalent employees, and Financial risk profile) are each scored and the scores totalled. The table below
provides scores for each parameter.
 Agencies with an aggregate score (across all four parameters) of:
– less than or equal to 10 are able to seek an exemption, continue to Step 4; or
– more than 10 cannot seek an exemption.
Step 4 – Exemption application
 Agencies that meet the requirements can seek an exemption via a written submission to the Minister.
 A copy of the submission must be sent to DTF with a set of the agency’s most recently audited financial statements.
 See the example template exemption letter.
Step 5 – Exemption approval
 Exemption applications are assessed on a case by case basis and DTF may request additional information.
 Exemptions are only granted for one compliance year (1 July to 30 June).
 Agencies granted an exemption must follow the ‘exemption confirmation process’ the following year.
Notes for Step 1
A non-executive director is an agency director that:
1. is part of the Responsible Body;
2. is not employed on a full time basis by the Responsible Body; and
3. is not involved in the day to day management of the agency.
Notes for Step 2
Guideline 3 to Direction 2.2 defines an independent person as one who:
1. is independent of management of the agency
2. has not been employed in an executive capacity by the agency or related organisation or been a director after
ceasing to hold such employment within the last three years.
3. has not been a principal of a material professional advisor or a material consultant to the agency or a related
organisation, or an employee materially associated with the service provider within the last three years.
4. is not a material supplier or customer of agency or related organisation or an officer or otherwise directly or
indirectly associated with a material supplier or customer
5. has no material contractual relationship with the agency or a related organisation other than as committee
member of the agency
6. has not served on the Responsible Body (if it is a board) or the Committee for a period which could, or could
reasonably be perceived to materially interfere with the person’s ability to act in the best interests of the
public sector agency
7. is free from any interest and any business or other relationship which could, or could reasonably be perceived
to, materially interfere with the Committee member’s ability to act in the best interests of the agency.
Also,
1. family ties and cross-directorships may be relevant in considering interests and relationships which may compromise
independence
2. ‘materiality’ should be considered from the perspectives of both the public sector agency and the individual
Committee member/candidates.
Scoring parameters for Step 3 Audit Committee exemption:
Parameter – Small (score) / Medium (score) / Large (score)
Total Budget1 – <$5m (2) / $5m-$15m (4) / >$15m (6)
Total Assets2 – <$5m (2) / $5m-$20m (4) / >$20m (6)
Number of full time equivalent employees3 – <20 (2) / 20-50 (4) / >50 (6)
Financial Risk Profile – Details (score)
Low – Agency has responsibility for managing its budget with no significant financial
transactions with third parties. (2)
Moderate – Agency has responsibility for managing its budget with limited significant financial
transactions with third parties. (4)
High – Agency has responsibility for managing its budget with significant transactions with
third parties. (6)
1 Total Budget $m refers to Total Budgeted Expenditure.
2 Total Assets $m amount should be derived from the last audited financial statements.
3 A measurement equal to one staff person working a full-time work
Processes for obtaining exemption confirmation for an audit committee
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only.
Agencies requiring extensions on their exemptions need to complete the exemption process
outlined in the steps below.
Exemption Confirmation Process
When: Dec-Jan – What: Agencies notify DTF – How:
Agencies that have previously been provided exemptions must
confirm with DTF that:
 an exemption is still required; and
 there have been no changes in the circumstances surrounding
the agency.
Agencies must inform DTF of situations where:
 there has been or will be some change to its operating or
governance structures;
 its operating functions or parameters have or will be altered;
 it is subject to litigation or pending litigation;
 the agency has previously been the subject of media attention
regarding its financial management activities;
 the agency is subject to an internal or external review of any
kind;
 a significant or material internal control weakness has been
identified and is yet to be rectified;
 the Auditor-General has provided a qualified audit opinion;
 the Auditor-General has been unable to provide an audit
opinion on the agency’s financial statements; or
 there has been a change in the financial and/or political
circumstances surrounding the agency.
When: Feb – What: Assessment – How:
Agency responses are collated and assessed accordingly.
If the circumstances of the agency have altered, the agency will
be assessed using the exemption criteria.
When: Mar – What: DTF extends exemptions – How:
DTF writes to agencies, informing them whether their exemption(s) has
been extended for the current compliance year.
Audit committee charter, roles, responsibilities and meetings
The role, responsibilities, composition, structure and membership requirements of an audit
committee should be defined in an audit committee charter.
Areas to consider including in an audit committee charter
Included
Purpose of the charter
Detail the functional and organisational framework for the audit committee to
operate, for example:
The audit committee is a sub-committee of the Responsible Body. The audit
committee is established to assist the Responsible Body fulfil its governance and
oversight responsibilities including the:
 financial reporting process including annual financial statements;
 effectiveness of the internal audit function;
 scope of work, independence and performance of the external auditor; and
 agency’s process for monitoring compliance with laws and regulations and
financial code of conduct.
Financial Management Compliance Framework user guide
Updated August 2013

23
Areas to consider including in an audit committee charter
Included
Roles and responsibilities
Define the requirements for roles and responsibilities of the audit committee, for
example:
 ensuring management has appropriate processes for identifying, assessing and
responding to risks;
 evaluating the overall effectiveness of the internal control and risk management
frameworks and considering whether management has implemented recommendations
made by internal and external auditors;
 overseeing the periodic financial reporting process implemented by management
and reviewing interim financial statements, annual financial statements and
preliminary announcements before release;
 reviewing the effectiveness of the system to monitor compliance with
laws, regulations and internal policies;
 reviewing external audit’s proposed audit scope and approach for the current year
and discussing with external audit significant findings and recommendations; and
 reviewing the activities, resources and organisational structure of the internal
audit function.
Accountability and reporting
State the accountability and reporting requirements for the audit committee, for
example:
 be fully accountable to the Responsible Body;14
 meetings are to be minuted to ensure the audit committee is addressing and discharging
its responsibilities;2
 minutes are to be provided to the Responsible Body at the next meeting (or at
agreed interval where Responsible Body is not a board);
 meeting attendance and schedule; and
 state the attendance and meeting requirements, for example:
– meetings are to be held not less than four times a year;2
– meetings should correspond with agency’s financial reporting cycle;
– only committee members are entitled to attend meetings;
– the Accountable Officer and CFAO are to attend relevant sections of the
meetings by standing invitation – they are not members of the committee;
and15
– other invitees can be included, e.g. internal audit and external audit
representatives.
14 This is a mandatory requirement as per Direction 2.2 (i) (Direction Requirement 4 (i)).
15 This is a mandatory requirement as per Direction 2.2 (k) (Direction Requirement 4 (k)).
Audit committee membership requirements and member qualifications
Requirements for audit committee membership are designed to ensure the committee has
the appropriate skills and experience required to fulfil its roles and responsibilities
effectively. Membership requirements should be specified in the charter.
Areas to consider including in an audit committee charter
Composition, structure, membership and skills
Outline the membership requirements and structure of the audit committee,16
including for example:
 the number of members comprising the audit committee;17
 at least two members of the audit committee are to be independent;5
 independent members are acknowledged as being independent in the annual
report;5
 each member of the audit committee must have and maintain a number of skills
including for example, basic financial literacy, relevant industry knowledge and
business experience;18
 at least one member must have appropriate expertise in financial accounting or
auditing;6
 the Chairperson is to be one of the independent members and not also the
Chairperson of the Responsible Body unless exemption has been obtained;19
 the Responsible Body is to review membership at least every three years; and20
 new members are provided with all relevant and necessary information by the
CFAO.21
Audit committee member induction
Audit committee members require a range of information to develop their knowledge and
fulfil the obligations of their role. Agencies should consider developing an induction program
to ensure audit committee members have access to the relevant information and are able to
gain an adequate understanding about the agency and its operations.
The following is a list of areas to consider in the development of an induction program.
Suggested information/steps to include in an induction kit
Meet with key personnel
 To assist in obtaining an adequate understanding of the financial situation and
industry within which the public sector agency operates, members should meet:
– the Accountable Officer (where applicable);
– the Board, or representatives from the Board (where applicable); and
– appropriate senior or key members of management (for example the CEO, CFAO
etc.).
16 This is a mandatory requirement as per Direction 2.2 (h) (Direction Requirement 4 (h)).
17 This is a mandatory requirement. Please refer to Direction 2.2 (f) and (g) for specific membership details (Direction
Requirement 4 (f),(g)).
18 This is a mandatory requirement. Further detail is outlined in Direction 2.2 (n), (o), (p) and (q) and Guidelines 6 and 7
(Direction Requirement 4 (n),(o),(p),(q)).
19 This is a mandatory requirement. Further detail is outlined in Direction 2.2 (l) and (m).
20 This is a mandatory requirement as per Direction 2.2 (s) (Direction Requirement 4 (s)).
21 This is a mandatory requirement as per Direction 2.2 (r) (Direction Requirement 4 (r)). Also refer to further information
available in this material.
Provide general information about the agency
 Outputs, products and services of the agency.
 Overview of the governance, risk management and internal control framework.
 Major statutory or other reporting requirements.
 Financial and accounting policies along with details of major financial reporting
systems.
 Areas of risk (both financial and non-financial) ideally presented in a summary risk
profile or equivalent.
 Overview of any outsourced service arrangements or major contracts.
 Areas of recent or immediate particular concern.
 Any involvement in litigation or other disputes with third parties.
 Contingencies being faced.
 Code of Conduct, Code of Financial Practice and the audit committee’s role in
overseeing management’s monitoring of compliance with the Codes.
 Organisational structure with details about the senior management team.
 Any recent or planned systems modifications or organisational restructures.
Provide audit committee information
 The audit committee charter outlining its role and responsibilities, composition,
structure and membership requirements.
 Copies of recent audit committee minutes and reports from the audit committee to
the Responsible Body.
 The annual audit committee programmes/plan detailing the number, date, time
and standing agenda items for each meeting etc.
Other committee arrangements
 Details of relevant Responsible Body sub committees and other relevant
committees including their charters, for example Finance Committee, Risk
Management Committee etc.
 External advisors available to support the relevant committees, including the audit
committee.
 Public sector agency staff available to support the relevant committees, including
the audit committee.
Internal audit arrangements
 The governance and reporting arrangements for internal audit.
 The responsibilities of the internal audit function, i.e. fraud, risk management,
internal controls etc. This could be achieved by providing a copy of the Internal
Audit Charter and/or contract with outsourced provider (where relevant).
 Details about the internal audit team – their qualifications/experience, scope of
services, period of contract, fees etc. (where relevant).
 The current year’s internal audit plan, and future years if applicable and the status
of work against the approved plan.
 Examples of information the audit committee receives from internal audit, e.g.
recent and previous reports.
 Results of recent independent reviews that were not included in the internal audit
plan.
External audit arrangements
 The scope and timing of the external audit and/or latest audit strategy and status
for the current year.
 Examples of information the audit committee receives from the external auditors.
 The audit committee’s relationship with the Auditor-General’s Office and/or its
service providers.
Audit committee relationships and reporting
The audit committee should report directly to the Responsible Body. It is usually a
sub-committee of the Responsible Body that has no separate authority unless this has been
specifically delegated. The responsibility for decisions, performance and outcomes of the
agency therefore remains with the Responsible Body.
It is essential that the audit committee, management, internal and external auditors work
with a common purpose in improving financial reporting and greater effectiveness of
internal controls. To succeed with this, audit committees should work closely with
management and internal audit within an agency to ensure relevant information is obtained
and reported in a timely manner.
Areas to consider including in an audit committee charter
Relationships and access22
 Outline the audit committee’s access to, for example:
– the internal and external auditors without the presence of management;
– the Accountable Officer, CFAO and management;
– independent expert advice; and
– Include that the audit committee has the right to seek explanations, additional
information and the ability to seek assistance to undertake its oversight
responsibilities.
Detail the evaluation and review responsibilities including:
 evaluate at least annually the committee’s own performance and report the
results to the Responsible Body2 including a review of the individual members and
collectively as a committee – see Attachment 2 for a template questionnaire;
 formally assess the achievement of duties specified in the charter and report
findings to the Responsible Body;
 requirements for the approval and review of the audit committee charter
including for example:
– review the audit committee charter periodically but at least every three years
with recommendations for updates approved by the Responsible Body;4
– that the Responsible Body is to approve the audit committee charter (including
any proposed changes and/or amendments); and4
– details of a resolution process for situations where the audit committee or
individual members cannot obtain adequate access to or response from the
Responsible Body, CFAO and/or management.
22 These are mandatory requirements as per Direction 2.2 (t), (u) and (v) (Direction Requirement 4 (t),(u),(v)).
Overview of other audit committee requirements under the Directions
There are a number of other Direction requirements to be met by audit committees other
than those articulated in Direction 2.2.
The table below provides a summary of the high level detail of the Directions that relate to
audit committees. Please refer to the Directions for specific information.
High level detail of Directions relating to audit committees
Direction 2.2 Financial governance – audit committees
Mandatory requirements for this Direction are outlined in the audit committee
charter checklists above.
Direction 2.5 Internal audit
 Approve the internal audit charter.
 Approve the internal audit plan.
 Annually review the focus of the internal audit plan and its fit with the risk
profile and work of external audit.
 Annually review internal audit’s performance.
 Annually confirm that the internal auditor has not been influenced by
management and/or has had problems with management.
 At least annually meet privately with internal audit.
 Fulfil the following tasks:
– approve management response to audit recommendations;
– monitor actions taken to resolve audit issues identified; and
– advise management to adopt recommendations on a timely basis.
Direction 2.6 External audit
 Members are to have a clear understanding of the role of the external auditor
(the Auditor-General).
 Consider results from the external audit.
 Invite the external auditor to attend relevant meetings. Discussions are to
include:
– proposed audit objectives
– briefing on the process
– accounting issues potentially impacting the financial statements
– outcomes of the audit
 At least annually meet privately with external audit.
 Monitor rectification of issues identified by the Auditor-General and investigate
reasons for any material adjustments to the accounts.
Direction 4.2 Reporting requirements in terms of Part 7 of the FMA
 Review and recommend the financial statements prior to finalisation and
submission (if relevant, e.g. if delegated by Responsible Body).
Direction 4.5.1 Compliance with Directions
 Annual review of FMCF compliance certification checklist (where relevant, e.g. if
delegated by Responsible Body)23 and including:
– review the results of the annual Financial Management Compliance
Framework certification process prior to its finalisation based on:
 an understanding of the business;
 prior management reporting of the implementation of financial
management compliance action/rectification plans;
 internal audit findings on work performed; and
 findings of any external audit reviews.
 make enquiries of management in relation to any identified or emerging issues
and their associated rectification plans;
 include financial management compliance as a standing audit committee
agenda item;
 ensure that internal audit continues to be proactive in the monitoring of financial
management compliance and risk areas;
 encourage management to implement a culture of compliance throughout the
entity; and
 review implementation of the Victorian Government Risk Management
Framework and check annual attestation by the Accountable Officer.
Direction 4.5.2 Taxation
 Annual tabling of certification of compliance with tax rules (where relevant, e.g.
if delegated by Responsible Body);12
 Active involvement in tax compliance matters; and24
 Obtain regular reports and updates from management on the tax position, any
issues and compliance status of the agency.13
Direction 4.5.3 Purchasing card
 To oversee the compliance with the Rules and consider them in the broader risk
management strategy of the agency, e.g. include in internal audit program.13
 In the event of a significant instance of unauthorised use of the purchasing card
obtain a report as soon as the inquiry into the issue is complete. Note that the
report is also sent to the Minister for Finance and agency’s minister.
 Where the Accountable Officer uses a purchasing card the Chairperson is to
authorise expenses incurred.
Direction 4.5.4 Thefts and losses
 Active involvement in the monitoring and reporting of thefts and losses.13
Direction 4.5.5 Risk management compliance
 Agree with the agency’s attestation of compliance with the Victorian
Government Risk Management Framework. 13
23 Note: This is not a mandatory requirement as per the Directions, rather good practice as outlined in the Guideline to the
Direction.
24 Note: This is a requirement of the Rules or Framework accompanying this Direction.
Attachment 1
Template for an Audit Committee and/or Internal Audit exemption
application
User note: this template is generic and must be amended to suit.
<Minister for Finance>
<name and address details>
<>
<>
<Date>
Application for exemption – Standing Directions of the Minister for Finance under the
Financial Management Act 1994
Dear Minister
I am writing to apply for an exemption from certain provisions of the Standing Directions of
the Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994
for the <insert financial year> financial year. The table below details the specific Direction(s)
which this agency seeks an exemption from, the reason for exemption and the proposed
alternative procedure(s) or action(s).
Direction reference | Direction | Reason | Alternative procedure/action
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>
<Attach appropriate documentation to support reason for exemption>
<Attach copy of latest audited financial statements and accompanying notes>
Should you wish to discuss the matter, please contact <insert names and phone numbers of
relevant contacts>.
Yours sincerely
<signed by the Chair of the Responsible Body>
<Title>
<Agency>
cc: Manager, Financial Management Framework Team, Department of Treasury and Finance.25
25 A copy of this letter should be sent to the Manager, Financial Management Framework Team, Department of Treasury and
Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002.
Attachment 2
Template for an Audit Committee self-assessment questionnaire
User note: This template is generic and must be amended to suit.
Audit Committee self-assessment questionnaire
Introduction
The purpose of the review is to enable the Audit Committee members to critically assess the
Committee’s operations and performance and either:
 confirm the appropriateness of existing procedures; or
 provide suggestions for improvements to procedures.
The survey asks you to consider how well the committee has performed in relation to the
major functional areas defined in the charter.26 The results of the survey, and its discussion
at the meeting, will form the basis of a report to the Responsible Body.
Process
Action | Timing
Committee members complete survey. | <insert timing>
Survey results to be consolidated by <insert appropriate officer>. | <insert timing>
Committee discusses survey results and potential improvements. | <insert timing>
Committee agrees a self-assessment rating and actions it will undertake to improve
performance. | <insert timing>
Committee reports agreed survey results and suggested improvements to the
Responsible Body for endorsement. | <insert timing>
Please complete and return the attached questionnaire to <insert appropriate officer> by
<insert date> in order for the results to be collated and a report prepared for <insert date of
appropriate Audit Committee>.
The Audit Committee’s charter and annual work-plan27 should be referred to when
answering the questionnaire.
Respondents are not limited to the space provided. If additional space for comments is
required, please either use the reverse side of the page, or attach an additional sheet at the
end of the questionnaire.
If you have any queries about the questionnaire itself or the process and timing of its
completion, please contact <insert appropriate officer>.
Survey – rating scale
Questions ask you to assess the performance of the committee in relation to its activities as
described in the charter. Using the rating scale below as a guideline, circle the number that
best reflects your assessment.
26 This survey is based on the ‘Purpose and Objectives’ as described in the example Audit Committee Charter provided as part of
the guidance material to accompany the Ministerial Directions to the Financial Management Act 1994. Refer to Appendix A for
detail. The specific questions will need to be tailored to the specific requirements of the public sector agency’s Audit
Committee’s Charter and Membership.
27 Where an annual plan exists.
Rating | Description
0 | No evidence that the committee has met any of its responsibilities in this area.
Extensive improvements required, approaching worst in field.
2–3 | The committee has partially met some of its responsibilities in this area.
Considerable improvements required.
5 | The committee has fully undertaken some of its responsibilities in this area. Major
improvements required, approaching middle of field.
7–8 | The committee has fully undertaken most of its responsibilities in this area. Minor
improvement required, but approaching best in field.
10 | The committee has fully undertaken all its responsibilities in this area. It would be
expected that independent assessment would find that <insert name of public sector
agency> is a leader in this field.
Name:
1. How well is the Audit Committee achieving its purpose and objective to oversee:
a. Financial performance and the financial reporting process, including the annual financial
statements.
0 1 2 3 4 5 6 7 8 9 10
b. The scope of work, performance and independence of internal audit.
0 1 2 3 4 5 6 7 8 9 10
c. Ratifying the engagement and dismissal by management of any chief internal audit executive.
0 1 2 3 4 5 6 7 8 9 10
d. The scope of work, independence and performance of the external auditor.
0 1 2 3 4 5 6 7 8 9 10
e. The operation and implementation of the risk management framework.
0 1 2 3 4 5 6 7 8 9 10
f. Matters of accountability and internal control affecting the operations of the public sector
agency.
0 1 2 3 4 5 6 7 8 9 10
g. The effectiveness of management information systems and other systems of internal control.
0 1 2 3 4 5 6 7 8 9 10
h. The acceptability of and correct accounting treatment for and disclosure of significant
transactions which are not part of the public sector agency’s normal course of business.
0 1 2 3 4 5 6 7 8 9 10
i. The sign off of accounting policies.
0 1 2 3 4 5 6 7 8 9 10
j. The public sector agency’s process for monitoring compliance with laws and regulations and
its own code of conduct and code of financial practice.
0 1 2 3 4 5 6 7 8 9 10
k. Reasons for your assessment.
l. What are your suggested improvements?
2. How well has the Audit Committee interacted with the internal audit function of <insert name of
public sector agency>?
0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?
3. How well has the Audit Committee undertaken its responsibility to provide an independent
and objective review of the financial statements presented by <insert name of public sector
agency> to Parliament?
0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?
4. How well has the Audit Committee undertaken its responsibility to report periodically to the
Responsible Body and senior management on the activities of the committee?
0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?
5. How well has the Audit Committee undertaken its responsibility to satisfy itself that
appropriate action is taken on matters raised in respect of <insert name of public sector
agency> by the Auditor-General and Internal Audit?
0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?
User guide to Standing Direction 2.3
Direction requirement 5
Financial risk management
Introduction
Direction 2.3 of the Standing Directions of the Minister for Finance (the Directions) outlines
a number of requirements that agencies need to adopt in relation to managing risks
associated with financial management.
In particular, Direction 2.3 requires agencies to:
 ensure that there is a financial risk management policy and internal control system in
place; and
 implement an effective framework to identify, assess, monitor, manage and report, on an
ongoing basis, the significant financial risks to which the agency is exposed as a result
of, and in the course of, its activities and responsibilities.
Implementation and operation of an agency’s financial risk management framework rests
with management within that agency. Oversight of the framework and its operation rests
with the Responsible Body.
The management of financial risks may be a component of an agency’s overall enterprise
wide risk management framework in line with the Victorian Government’s Risk
Management Framework.28
This material provides an overall checklist for:
 oversight by the Responsible Body of the framework and its operation; and
 steps to assist in the implementation of the agency’s financial risk management
framework.
Oversight by the responsible body
The Responsible Body may use its Audit Committee to oversee the effective operation of the
financial risk management framework. As detailed within Direction 2.3(a) of the Directions
the Responsible Body must:
Requirements in Direction 2.3(a)
The Responsible Body has:
 ensured that there is a financial risk management policy in place
within the agency;
 ensured that the financial risk management policy outlines roles,
responsibilities and accountabilities of the Responsible Body, audit
committee, management and internal audit;
 ensured management has implemented an effective financial risk
management framework;
 a clear understanding of the significant financial risks facing the
agency;
28
Direction 4.5.5 outlines the requirements in relation to Risk Management Compliance and the Victorian Government’s Risk
Management Framework.
 regularly, and at least annually, critically appraised and challenged
the financial risk profile prepared by management;
 provided clear guidance on the level and categories of financial
management risk it regards as acceptable for the agency;
 provided oversight and supervision of financial management risks
and the implementation of the related management
plans/treatment strategies; and
 regularly and at least annually, reviewed the effectiveness of the
agency’s system of risk management and internal control.
Implementation of a financial risk management framework
In order to satisfy the requirements of Direction 2.3, a financial risk management framework
could be structured using the following components.
Financial risk management framework and processes in relation to:
 Day-to-day financial activities;
 Budgeting processes; and
 Monitoring and reporting activities.
Guidance for potential steps within each component has been detailed below in the form of
a checklist.
Day-to-day financial and risk management processes
Step | Example of detail for potential steps
1 Identification of significant financial management processes. This may vary from
agency to agency depending on the nature of operations of the agency.
2 Ensure that adequate and up-to-date policies and procedures exist for significant
financial management processes.
3 Document the key ‘compliance’ and ‘operations’ objectives for each financial
management process identified.29
4 No less than annually, identify and assess the risks relevant to the achievement of
those objectives.
5 Based on the risks identified, identify the key controls which reduce their likelihood
and/or impact and determine whether residual risk is reduced to an acceptable level
(i.e. assess design effectiveness).
6 Where deficiencies in internal control are identified, develop action plans to
remediate.
29 Supplementary Material on Direction 2.2 ‘Financial Governance’ outlines the steps that should be taken in order to manage
risks associated with the financial reporting process. It is recommended that the steps outlined here be read in conjunction
with that Supplementary Material and that agencies combine their activities to respond to Directions 2.2 and 2.3.
7 Develop and undertake a program of activities to obtain assurance that the key
elements of internal control operate effectively throughout the year (i.e. assess
operating effectiveness). This may include a combination of:
 testing of key internal control activities by internal audit;
 risk and control assessment by management and staff; and
 management and staff representations over the operation of internal controls.
8 Where internal controls are not operating as intended, develop and implement
appropriate remedial action plans.
Budgeting processes
Step | Example of detail for potential steps
1 At the commencement of each budget planning process an agency should take into
account the following:
 the strategic plan, the annual plan development with project identification;
 identification of risks and risk response strategies;
 communication to relevant internal and external stakeholders; and
 potential funding arrangements.
2 Each agency should develop detailed financial budgets consistent with the framework,
either on a rolling or annual basis to be aligned with strategic and other business plans.
3 As part of the budget development process, sensitivity analysis should be conducted
around those assumptions and variables that could materially impact budgeted outcomes.
4 For each variable that could materially impact budgeted outcomes, risk response
strategies should be considered and action plans developed as appropriate.
5 Management should submit the proposed budget to the Responsible Body for approval.
6 The Responsible Body should review the proposed budget, including sensitivity analysis
around key assumptions and variables as well as management’s proposed risk response
strategies, and approve where satisfied.
Monitoring and reporting activities
Step | Example of detail for potential steps
1 Continue to monitor financial performance against budget throughout the course of
the year both at Management and Responsible Body levels.
2 Identify new financial risks as they emerge and/or change.
3 Re-forecast budgets at least quarterly, or more frequently if necessary, and submit to
Responsible Body for review.
4 Periodically throughout the course of the year review the financial risk profile at both
management and Responsible Body levels. This would include:
 status of key assumptions and variables underlying budgets;
 status of key risks identified in financial processes (including any new risks identified);
 status of action plans arising from financial risk assessment exercise;
 the operation of key financial control activities (as per assurance activities described
above); and
 any control related observations made by the agency’s assurance providers, e.g.
external and internal auditors.
User guide to Standing Direction 2.4
Direction requirement 6
Authorisations
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
establish and maintain authorisations for the overall financial management of the agency
under Direction 2.4 (Direction Requirement 6). The authorisations must include any financial
obligations including contingent liabilities arising on behalf of the agency.
Direction 2.4 outlines a number of detailed requirements in relation to authorisations. The
table below outlines areas to consider in relation to the implementation of authorisations.
Areas and detail to consider in relation to authorisations
The agency has clearly defined authorisations/delegations in place for all
financial obligations made on behalf of the agency that:
 refer to positions rather than specific individuals; and
 are allocated to positions that have an appropriate level of authority.*
 Processes are in place to ensure:
– authorisations cease immediately when the position has a change in title or
there is a material change in the duties of the position;
– internal controls are not compromised where multiple financial
authorisations are assigned to a single position;
– continuous running of the agency in the absence of the holders of an
authorised position, e.g. a person acting in a position;* and
– re-assessment of financial authorisations where the agency is restructured,
e.g. a restructure affecting 50 per cent or more of the positions.*
Documentation to support authorisations is:
 retained in line with legal requirements for document retention and record
keeping, including an ability to track changes made to authorisations over time;
and
 maintained in a register of financial authorisations. The register of contains, for
example the:
– list of positions holding financial authority for transaction types;
– transaction types, e.g. requisitions, liabilities, payment approval;*
– dollar amounts and caps for transaction and authorisation types;* and
– list of staff names holding positions with regular updates of the list.*
The Responsible Body30 at least annually reviews and where relevant makes
changes to, the agency’s authorisations including the:
 positions holding authorisations;
 categories and types of financial authority;
 processes and controls over authorisations;* and
 maintenance of the register of financial authorisations.










In the case of a Government Department, the Responsible Body for the purposes of this Direction is the Minister. The
Minister may delegate to the Department’s Secretary some or all of the responsibilities for this Direction, but only up to the
Secretary’s Accreditation Limit as defined by the Victorian Government Purchasing Board’s purchasing accreditation of the
Department. Refer to the Standing Directions for further detail.
30
Financial Management Compliance Framework user guide
Updated August 2013
39
Areas and detail to consider in relation to authorisations
Considered?
A financial authorisation cannot be given to:
 another position without appropriate authority/approval, i.e. not just an
authorised individual; or
 a contractor or consultant.


* denotes considerations that are not mandatory requirements in Direction 2.4.
Further considerations for the Responsible Body
The Responsible Body should also consider the following as a part of the annual review:
• Is there any evidence of non-compliance with authorisations?
• Are there instances where authorisations are not operating effectively?
• Is there any evidence of fraud?
• Are there any concerns about conflicting authorisations?
• Have there been any significant changes to the structure, objectives and roles of the agency?
If the answer to any of the above questions is ‘yes’, the matter should be investigated further and a complete review of the authorisations and relevant controls and processes should be considered.
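As an added illustration (not part of the DTF user guide), the following Python script runs the checks the register and annual review above call for over a constructed register of financial authorisations: authorisations that persist for a position whose title has changed, conflicting transaction types held by one position, authority effectively held by a contractor, and approvals with no authorisation or above the dollar cap. The register layout, the segregation-of-duties rule, and all positions, names and amounts are constructed assumptions.

```python
"""Checks over a register of financial authorisations.

Added illustration, not part of the DTF user guide: the register layout, the
segregation-of-duties rule and all names and amounts below are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Transaction types that should not sit with a single position unless a
# compensating control exists (assumed rule; the guide only asks that internal
# controls are not compromised by multiple authorisations on one position).
CONFLICTING_TYPES = [frozenset({"requisition", "payment approval"})]


@dataclass(frozen=True)
class Authorisation:
    position: str          # authority attaches to the position, never to a person
    transaction_type: str  # e.g. requisition, liability, payment approval
    cap: Decimal           # dollar cap per transaction for this type


@dataclass
class Register:
    authorisations: list
    holders: dict          # position title -> current holder (name)
    engagement: dict       # holder name -> "employee" | "contractor" | "consultant"
    retired_positions: set = field(default_factory=set)  # titles changed or abolished


def check_register(reg):
    """Return findings about the register itself: stale, vacant or conflicting
    authorisations, and positions held by someone who cannot hold authority."""
    findings = []
    types_by_position = {}
    for auth in reg.authorisations:
        types_by_position.setdefault(auth.position, set()).add(auth.transaction_type)
        if auth.position in reg.retired_positions:
            # The authorisation should have ceased when the position changed.
            findings.append(f"stale: '{auth.position}' no longer exists but still "
                            f"holds {auth.transaction_type}")
        elif auth.position not in reg.holders:
            findings.append(f"vacant: '{auth.position}' has no recorded holder or "
                            f"acting arrangement")
    for position, types in types_by_position.items():
        for pair in CONFLICTING_TYPES:
            if pair <= types:
                findings.append(f"conflict: '{position}' holds "
                                f"{' and '.join(sorted(pair))}")
    for position, holder in reg.holders.items():
        kind = reg.engagement.get(holder, "unknown")
        if position in types_by_position and kind in ("contractor", "consultant"):
            findings.append(f"ineligible: '{position}' is held by {kind} {holder}")
    return findings


def check_transactions(reg, transactions):
    """Return approvals with no matching authorisation or above the position's cap.
    Each transaction is (id, approving position, transaction type, amount)."""
    caps = {(a.position, a.transaction_type): a.cap for a in reg.authorisations}
    findings = []
    for tx_id, position, tx_type, amount in transactions:
        cap = caps.get((position, tx_type))
        if cap is None:
            findings.append(f"{tx_id}: '{position}' has no authorisation for {tx_type}")
        elif amount > cap:
            findings.append(f"{tx_id}: {tx_type} of ${amount} exceeds cap ${cap} "
                            f"for '{position}'")
    return findings


# Constructed sample register (positions, names and amounts are fictitious).
SAMPLE_REGISTER = Register(
    authorisations=[
        Authorisation("Finance Manager", "requisition", Decimal("50000")),
        Authorisation("Finance Manager", "payment approval", Decimal("50000")),
        Authorisation("Procurement Officer", "requisition", Decimal("10000")),
        Authorisation("Payables Supervisor", "payment approval", Decimal("20000")),
        Authorisation("Records Clerk", "requisition", Decimal("2000")),
    ],
    holders={
        "Finance Manager": "A. Citizen",
        "Procurement Officer": "B. Example",
        "Payables Supervisor": "C. Sample",
    },
    engagement={"A. Citizen": "employee", "B. Example": "contractor",
                "C. Sample": "employee"},
    retired_positions={"Records Clerk"},  # title changed in a restructure
)

# Constructed sample of approvals drawn from the finance system.
SAMPLE_TRANSACTIONS = [
    ("TX-001", "Payables Supervisor", "payment approval", Decimal("15000")),
    ("TX-002", "Payables Supervisor", "payment approval", Decimal("25000")),
    ("TX-003", "Procurement Officer", "payment approval", Decimal("500")),
]

if __name__ == "__main__":
    for line in (check_register(SAMPLE_REGISTER)
                 + check_transactions(SAMPLE_REGISTER, SAMPLE_TRANSACTIONS)):
        print(line)
```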
User guide to Standing Direction 2.5
Direction requirement 7
Internal audit
Introduction
Direction 2.3 (Direction Requirement 7) of the Standing Directions of the Minister for Finance (the Directions) requires, unless an exemption has been obtained, an agency to establish and maintain an adequately resourced independent internal audit function appropriate for its needs.
Purpose of internal audit
The Institute of Internal Auditors globally defines internal auditing as follows:
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It helps an agency to
accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control and governance
processes.
Internal audit is a part of an agency’s governance framework. It works with
management and the Responsible Body to provide an independent and objective
assessment of the efficiency and effectiveness of controls, potential control gaps and
whether controls in place are working as intended.
The role of internal audit also includes the development of practical and useful
recommendations for improvement – to enhance opportunities and control
deficiencies.
Internal audit coverage
Internal audit can cover all aspects of an organisation’s functions, for example:
• financial processes and controls;
• operational processes and controls;
• risk management framework monitoring;
• IT controls, including information quality, integrity and reliability;
• project/program management; and
• special investigations and ad hoc reviews.
Resourcing internal audit
The work of internal audit is to be carried out by suitably qualified staff who are independent of management and free from operational duties.
The internal audit function can be resourced in-house, through a co-sourcing arrangement or fully outsourced.
Access for internal auditors
The internal auditors should have access across the organisation to ensure an in-depth
understanding of the business, culture, systems and processes can be developed.
Processes for obtaining exemption for an internal audit function
The Directions permit agencies to apply for an exemption from establishing an internal audit
function. A number of parameters must be met to ascertain whether an agency is permitted
to apply for an exemption.
The exemption process is outlined in the steps below. Also, Attachment 1 provides a
template for the exemption application.
Internal audit exemption process

Step 1 – Agency size
• A number of parameters are taken into account when determining an agency’s size and eligibility for exemptions.
• The parameters include: total budget, total assets, number of full time equivalent employees, and financial risk profile. The scores for these parameters must be totalled; the table below provides scores for each parameter.
• Agencies with an aggregate score (across all four parameters) of:
– less than or equal to 10 are able to seek an exemption, continue to Step 4; or
– more than 10 cannot seek an exemption.

Step 2 – Exemption application
• Agencies that meet the requirements can seek an exemption via a written submission to the Minister.
• A copy of the submission must be sent to DTF with a set of the agency’s most recently audited financial statements.
• See the example template exemption letter (Attachment 1).

Step 3 – Exemption approval
• Exemption applications are assessed on a case by case basis and DTF may request additional information.
• Exemptions are only granted for one compliance year (1 July to 30 June).
• Agencies granted an exemption must follow the ‘exemption confirmation process’ the following year.
Scoring parameters for Step 1 Internal Audit exemption

Parameter | Small (Score 2) | Medium (Score 4) | Large (Score 6)
Total Budget[1] | <$10m | $10m-$20m | >$20m
Total Assets[2] | <$10m | $10m-$20m | >$25m
Number of full time equivalent employees[3] | <20 | 20-50 | >50

Financial Risk Profile | Details | Score
Low | Agency has responsibility for managing their budget with no significant financial transactions with third parties. | 2
Moderate | Agency has responsibility for managing their budget with limited significant financial transactions with third parties. | 4
High | Agency has responsibility for managing its budget with significant transactions with third parties. | 6

[1] Total Budget $m refers to Total Budgeted Expenditure.
[2] Total Assets $m amount should be derived from the last audited financial statements.
[3] A measurement equal to one staff person working a full-time work
Processes for obtaining exemption confirmation for an internal audit function
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only. Agencies requiring extensions on their exemptions need to complete the exemption process outlined in the steps below.

Exemption Confirmation Process

When: Dec–Jan | What: Agencies notify DTF
How:
Agencies that have previously been provided exemptions must confirm to DTF that:
• an exemption is still required; and
• there have been no changes in the circumstances surrounding the agency.
Agencies must inform DTF of situations where:
• there has been or will be some change to its operating or governance structures;
• its operating functions or parameters have or will be altered;
• it is subject to litigation or pending litigation;
• the agency has previously been the subject of media attention regarding its financial management activities;
• the agency is subject to an internal or external review of any kind;
• a significant or material internal control weakness has been identified and is yet to be rectified;
• the Auditor-General has provided a qualified audit opinion;
• the Auditor-General has been unable to provide an audit opinion on the agency’s financial statements; or
• there has been a change in the financial and/or political circumstances surrounding the agency.

When: Feb | What: Assessment
How: Agency responses are collated and assessed accordingly. If the circumstances of the agency have altered, the agency will be assessed using the exemption criteria.

When: Mar | What: DTF extends exemptions
How: DTF writes to agencies, informing them if their exemption(s) has been extended for the current compliance year.
Internal audit charter
An agency should define the purpose, responsibilities and accountability of its internal audit function in an internal audit charter.
The development of an internal audit charter is a Direction requirement.
The following checklist outlines areas and detail to consider including in an internal audit charter. Please note that the mandatory Direction requirements are referenced.

Areas and detail to consider including in an internal audit charter | Included

Purpose of the charter
Detail the functional and organisational framework for internal audit to operate.

Role of internal audit
Define the role of internal audit, for example:
• The role of internal audit is to provide objective assurance to the Audit Committee/Board on the state of risks and internal controls, providing management with recommendations to improve the management of the agency’s risks and enhance controls.
• The role of internal audit is also to assist management in improving the entity’s business performance.

Authority and accountability
Outline reporting and authority of the internal audit function including, for example:
• that the internal audit function reports to senior management;[31]
• that the head of internal audit reports to the audit committee, which approves and advises the Board on the appointment or dismissal of the head of internal audit; and
• that the head of internal audit is responsible for setting the overall direction of internal audit activities and reports.

Independence
State the independence requirements, for example:
• Internal audit must be independent of the activities and processes it appraises in order to be able to perform its duties in an objective manner and provide impartial advice to management and the board.[31]
• Internal audit has no line responsibility or authority over any of the activities or operations it reviews.

Access
Ensure that the internal auditor has direct access to the Chairman of the audit committee.[31]
State internal audit’s accessibility to information, for example:
• Internal audit has full, free and unrestricted access to all records and documentation to fulfil its responsibilities.[31]
• Internal audit has the authority to seek any information it requires to fulfil its responsibilities from any employee.[31]

[31] This is a mandatory requirement for the internal audit charter as per Direction 2.5 (a) (Direction Requirement 7(a)).
Areas and detail to consider including in an internal audit charter (continued) | Included

Internal audit planning
Detail the requirements in relation to the internal audit plan including, for example:
• that the internal auditor is to develop an annual internal audit plan to address the relevant elements of the agency’s risk profile;[32]
• that the internal audit plan is to be approved by the audit committee;[33]
• that the audit committee annually review the adequacy and focus of the internal audit work plan and its fit with the public sector agency’s risk profile and the work of the external auditors;[34] and
• that the internal audit plan is typically developed for a three year period to show the coverage across the business over a three year cycle.

Reporting
Outline internal audit’s reporting requirements including, for example:
• report on the overall state of controls to the audit committee at least once annually;
• provide a quarterly summary report to the audit committee;
• discuss all reports with management before they are finalised and issued;
• issue a report for every review performed containing at a minimum:
– scope of review;
– findings/issues/observations identified as a result of the review that are rated by priority and/or risk level;
– recommendations for improvement relating to findings/issues raised and overall observations; and
– agreed management actions and/or remediation plans with timelines and responsibilities.

Implementation and monitoring of internal audit outcomes
Outline the requirements for implementation and monitoring of internal audit including, for example:
• that the audit committee approve, review and direct (where appropriate) management’s planned actions and response to advice and recommendations received from the internal auditor;[35]
• that the audit committee monitor actions taken by management to resolve issues raised by the internal auditor;[35] and
• that the audit committee advise management to adopt and address the accepted recommendations from the internal auditor on a timely basis.[35]

Review of the internal audit function
Outline the review requirements in relation to the internal audit function including, for example:
• that the audit committee annually review the internal audit function’s performance, its authority, the adequacy of its resources and the proposed allocation of those resources;[36]
• that the audit committee annually take steps to confirm that the internal auditor has not been unduly influenced by management or experienced any problems with management;[36] and
• that the audit committee annually meet separately and privately with management and the internal auditors if necessary to ensure free, frank and open communications.[36]

[32] This is a mandatory requirement for internal audit as per Direction 2.5(b) (Direction Requirement 7(b)).
[33] This is a mandatory requirement for internal audit as per Direction 2.5(c) (Direction Requirement 7(c)).
[34] This is a mandatory requirement for internal audit as per Direction 2.5(d) (Direction Requirement 7(d)).
[35] This is a mandatory requirement for internal audit as per Direction 2.5(e) (Direction Requirement 7(e)).
[36] This is a mandatory requirement for internal audit as per Direction 2.5(d) (Direction Requirement 7(d)).
Areas and detail to consider including in an internal audit charter (continued) | Included

Approval and review of the internal audit charter
Detail the requirements for the approval and review of the internal audit charter including, for example:
• the audit committee is to approve the internal audit charter (including any proposed changes and/or amendments);[31] and
• review the internal audit charter at least annually to ensure it remains consistent with current strategy and objectives.
Annual internal audit plan
Agencies must develop an internal audit plan annually that sets out the key areas for internal audit review for the upcoming year.
Ideally the internal audit plan would be a three year rolling plan that identifies areas to be covered across a three year period, including those reviews undertaken annually, i.e. high risk areas and/or reviews to meet legislative requirements, e.g. payroll in large organisations and/or purchasing card reviews as per FMCF requirements.
The internal audit plan should be developed in conjunction with the internal auditor (and approved by the audit committee) to address relevant elements of the agency’s risk profile.
Considerations include:
• Does the internal audit plan address key risks of the agency?
• What operational processes and key controls are involved in these risk areas?
• Are sufficient time and resources allocated in the plan to reviewing the control environment for the risks?
Attachment 1
Template for an audit committee and/or internal audit exemption application
User note: This template is generic and must be amended to suit.

<Minister for Finance>
<name and address details>
<>
<>
<Date>

Application for exemption – Standing Directions of the Minister for Finance under the Financial Management Act 1994

Dear Minister

I am writing to apply for an exemption from certain provisions of the Standing Directions of the Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994 for the <insert financial year> financial year. The table below details the specific Direction(s) which this agency seeks an exemption from, the reason for exemption and the proposed alternative procedure(s) or action(s).

Direction Reference | Direction | Reason | Alternative procedure/action
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>

[Attach appropriate documentation to support reason for exemption]
[Attach copy of latest audited financial statements and accompanying notes]

Should you wish to discuss the matter, please contact <insert names and phone numbers of relevant contacts>.

Yours sincerely
<signed by the Chair of the Responsible Body>
<Title>
<Agency>

cc: Manager, Financial Management Framework Team, Department of Treasury and Finance.[37]

[37] A copy of this letter should be sent to the Manager, Financial Management Framework Team, Department of Treasury and Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002.
User guide to Standing Direction 2.6
Direction requirement 8
External audit
Introduction
The Victorian Auditor-General is responsible for the external audit of financial operations
and resource management of the Victorian public sector.
Direction 2.6 (Direction Requirement 8) of the Standing Directions of the Minister for
Finance (the Directions) requires an agency to establish and maintain a constructive, open
working relationship with the Auditor-General and the appointed representatives.
It is also a requirement of the Direction for the Responsible Body to ensure that agency staff
adopt a cooperative and conservative approach with the external auditors on relevant
auditing matters.
The specific requirements for this Direction should be considered in conjunction with
Direction 2.2 Procedures (e) to (v) in relation to the audit committee.
Defining an external audit
The objective of an external audit of the financial statements is to determine whether, in the auditor’s opinion, the statements present fairly, in all material respects, the agency’s financial position, results of operations and cashflows. Qualified auditors that are independent of the entity conduct the external audit. In the Victorian public sector the Victorian Auditor-General conducts the audits as required by the Audit Act 1994.
An external audit comprises a review of:
• an entity’s financial statements;
• the data sources, processes and reports used to compile the financial statements;
• the control environment surrounding financial systems and processes within an entity;
• the information technology procedures and controls that support the entity;
• the overall internal control environment; and
• any issues raised as a result of the audit, identifying any material misstatements in the financial statements.
External audit preparation
The following checklist outlines a number of suggestions to consider when preparing for the
annual external audit. It is also advisable to check with the auditor for any specific
requirements and/or requests for information.
Areas and detail to consider when preparing for an annual external audit | Included

General
• Copy of financial statements at 30 June.
• Copy of trial balance at 30 June.
• Copy of trial balance mapping to financial statements.
• Working papers supporting notes to the accounts.

Revenue
• Obtain copy of confirmation for contributions received at 30 June.
• Listing of grants received from the Department and other sources at 30 June.
• Transaction listing of other revenue.
• Transaction listing of sales of goods.

Expenditure
• Transaction listing of payments – include expenditure account codes.

Payroll
• Gross pay per payroll cycle including number of staff paid per cycle.
• Payroll reconciliation – reconciling payroll system to finance system/general ledger and financial statements at 30 June.

Cash
• Bank reconciliation at 30 June.
• Access to monthly bank statements.
• Copy of responses to bank confirmations for 30 June.
• Supporting documentation for agency’s bank balances at 30 June.

Receivables
• Trade debtors reconciliation at 30 June.
• Aged trade debtors listing at 30 June.
• Listing of other receivables at 30 June.
• Analysis of trade debtors and doubtful debts.
• BAS as at 30 June.

Inventories
• Listing of inventories at 30 June.
• Assessment of inventories – provision for obsolescence.

Prepayments
• Schedule of prepayments at 30 June.
Property, plant and equipment
• Listing of asset additions at 30 June.
• Listing of asset disposals at 30 June.
• Fixed asset reconciliation between fixed asset register and general ledger at 30 June.
• Fixed asset movement schedule at 30 June.
• Asset revaluation report (if applicable).
• Supporting work papers of analysis for revaluation of PPE.

Payables
• Trade creditors reconciliation at 30 June.
• Aged trade creditors listing at 30 June.
• Listing of accrued expenditure at 30 June.
• Sundry creditors reconciliation at 30 June.
• Sundry creditors listing at 30 June.

Employee provisions
• Long service leave liability calculation at 30 June.
• Annual leave liability calculation at 30 June.
• Supporting documentation for other employee provisions at 30 June.

Commitments
• Schedule of capital expenditure commitments at 30 June.
• Schedule of lease commitments at 30 June.
• Schedule of other expenditure commitments at 30 June.

Cashflow
• Working papers to support cashflow calculations.

Financial information
• Report on movements in equity and reserves at 30 June.
• Supporting documentation for auditor’s remuneration at 30 June.
• Supporting documentation for Executive Officer remuneration at 30 June.
• Supporting documentation for superannuation disclosure at 30 June and applicable actuary reports for defined benefit superannuation schemes.
• Correspondence responses received from solicitors for 30 June.
• Access to recurring/standing journal folder for the financial year.
• Supporting documentation for trust account balances and/or corporate donations at 30 June.
• Supporting documentation for contingent assets and liabilities at 30 June.
User guide to Standing Direction 3.1
Financial management structure
Including:
3.1.1 (Direction Requirement 9) – Public sector agency Financial Management Team Structure
3.1.2 (Direction Requirements 10 and 11) – Chief Finance and Accounting Officer (CFAO): CFAO Credentials; CFAO Endorsement
3.1.3 (Direction Requirement 12) – Policies and procedures
3.1.4 (Direction Requirement 13) – Chart of Accounts
3.1.5 (Direction Requirements 14 and 15) – Managing Outsourced Financial Services: Outsourcing governance; Audit scrutiny
User guide to Standing Direction 3.1.1
Direction requirement 9
Public sector agency financial management team structure
Introduction
Standing Direction 3.1.1 (Direction requirement 9) of the Minister for Finance outlines
requirements in relation to an agency’s financial management team structure.
The Direction states that:
The Chief Finance and Administration Officer (CFAO) must ensure that there is a
structure for the financial management team with clearly defined roles and
responsibilities to adequately support sound financial management.
This supplementary material provides an outline and high level guidance in relation to the
detail within the Direction.
Financial management team documentation
Direction 3.1.1 specifically requires an agency’s financial management team to have defined and documented the:
• team structure;
• roles and responsibilities for each position, with effective and efficient allocation of tasks and resources; and
• prerequisite skills, qualifications and experience required for each position.
Documentation should take into account:
• review and monitoring processes across the finance function to ensure responsibilities are allocated to specific positions;
• segregation of conflicting duties, i.e. no one person should have the ability to perform, approve or oversee the preparation, processing and reviewing of an overall financial function or transaction without the involvement and/or oversight of others; and
• roles that have a number of duties across the agency, e.g. within the financial function, administration and management of an agency and/or human resources.
Financial management functions
There are a number of functions within financial management, including:
• budgeting;
• financial reporting;
• accounts receivable/payable;
• procurement;
• taxation;
• asset management;
• financial systems;
• accounting policies;
• cash management;
• project management – financial aspects (for further details see User Guide for Standing Direction 3.2.4 – IT Development);
• payroll; and
• management reporting.
These areas and functions should be considered when defining the structure and allocating roles and responsibilities within the financial management team.
Roles that cover financial management functions
A financial management team may include the following roles (depending on the size and nature of the agency/department):
• CFAO;
• Financial controller(s);
• Supervisors/managers for key financial activities (for example, accounts payable, accounts receivable, management reporting, budgeting, payroll, general ledger etc.);
• Clerical/administrative/processing staff for each key financial activity;
• Corporate card, fleet, lease and asset management administrator(s);
• Contract administrator;
• Payroll administrator; and
• System administrator(s) for the various financial management systems.
User guide to Standing Direction 3.1.2
Direction requirements 10 and 11
Chief Finance and Accounting Officer (CFAO): credentials and
endorsement
Introduction
Standing Direction 3.1.2 of the Minister for Finance relates to the financial management
leadership within a public sector agency (agency).
The Direction outlines requirements for an agency to appoint a Chief Finance and Accounting Officer (CFAO) with the appropriate credentials, i.e. suitable experience and qualifications (Direction Requirement 10).
The Direction also requires the CFAO to endorse financial reports to senior management, the Responsible Body and other boards or management groups (Direction Requirement 11).
This supplementary material provides an outline and high level guidance in relation to the detail within Direction 3.1.2, including:
• CFAO credentials (Direction Requirement 10);
• qualifications;
• potential examples of competencies for a CFAO;
• potential examples of key responsibilities for a CFAO;
• CFAO endorsement of financial information (Direction Requirement 11);
• endorsement; and
• access to the Responsible Body.
CFAO credentials (direction requirement 10)
The role of the CFAO must have a clearly defined position description with prerequisite
skills, qualifications and experience.
The duties, rights and responsibilities must also be clearly defined and documented.
Qualifications
The guidelines to the Direction state that a CFAO should hold at least tertiary level
qualifications and membership of the Institute of Chartered Accountants in Australia (ICAA),
CPA Australia, National Institute of Accountants (NIA), or equivalent.
Potential examples of key responsibilities for a CFAO
The following is a list of key responsibilities to consider for the role of CFAO:
• establishing and directing the public sector agency’s financial administrative activities and operational procedures to ensure sound financial management;
• in consultation with other senior management, making recommendations and devising the financial policy approach and strategy of the public sector agency as well as planning the financial operations;
• overseeing the development, implementation and monitoring of financial accounting and related systems;
• communicating changes in accounting standards (and guidance material) and taxation rulings or legislative requirements;
• directing the collection of financial and accounting information and the preparation of budgets, reports, forecasts and the various statements as required by the Model Report for Departments (issued annually by DTF);
• directing and coordinating economic research, major feasibility studies involving detailed financial analysis, and estimates of future returns on proposed investment;
• evaluating the financial aspects of proposed acquisitions, investments, or the sale of assets and giving assessments of proposals involving financial expenditure and of the financial status of syndicates, joint venture parties etc.;
• representing the agency in dealings with stakeholders, legal advisers and others as required;
• making policy decisions and accepting responsibilities for operations, performance of staff, achievement of targets and adherence to budgets, standards and procedures; and
• managing the selection and training of finance staff, establishing lines of control and delegating responsibilities to subordinate staff.
CFAO endorsement of financial information (direction requirement 11)
Endorsement
The CFAO must endorse all financial information submitted to senior management, the
Responsible Body and peak boards and management groups.
The CFAO must endorse/approve, by physically signing or other electronic means, the financial information to ensure it is:
• complete;
• reliable; and
• accurate.
Access and involvement with to the Responsible Body, executive and senior management
To assist with the understanding of financial information presented to the Responsible Body
it is recommended that the CFAO has access to Responsible Body.
The direct access creates the opportunity to question and clarify as well as independently
explain the information presented for completeness, accuracy and improved quality.
Consideration should also be given to including the CFAO in relevant:
• executive/senior management forums, to present financial reports and to discuss financial risk management issues;
• audit committee meetings, particularly when internal audit reports relating to the financial administration of the agency are presented and the financial statements are being presented for review; and
• other forums where key decisions with financial management implications are made.
Financial Management Compliance Framework user guide
Updated August 2013
User guide to Standing Direction 3.1.3
Direction requirement 12
Policies and procedures
Please refer to Section 3.4 of the user guide
User guide to Standing Direction 3.1.4
Direction requirement 13
Chart of accounts
Introduction
The Standing Directions of the Minister for Finance (the Directions) require public sector
agencies to:
establish and maintain a chart of accounts to accurately reflect transactions in the
financial records for management decision-making purposes and to ensure
compliance with external reporting requirements (Direction 3.1.4, Direction
Requirement 13).
The Direction also requires that:
• the CFAO (or an approved delegate) is responsible for the development and maintenance of the chart of accounts;
• there is effective and efficient communication about the chart of accounts across an agency;
• Government departments must use the chart of accounts issued by the Minister for Finance to align activities and reporting for consistency; and
• the nature and purpose of each account within the chart of accounts is explained, so that capital, revenue and expense items are clearly set down and to assist with the categorisation of transactions.
Structure of the chart of accounts
A chart of accounts outlines accounts that are used to record transactions in a general
ledger. Details within a chart of accounts include the:
• account name; and
• account number.
A chart of accounts is flexible and can be tailored to suit the needs and structure of an
organisation.
The chart of accounts is typically structured to include:
• balance sheet accounts:
– assets; and
– liabilities.
• income statement accounts:
– revenue;
– expenses;
– profits; and
– losses.
Additional categories can be included within each account group; for example, within revenue and expenses, business functions such as producing, selling, administration and financing could be added.
Additional accounts/information should also be reflected in the balance sheet to ensure
consistency.
Depending on the agency’s operations, the chart of accounts could be based on the agency’s
organisational structure. For example, each business area/division could be responsible for
its own expenses and oncosts such as salaries, supplies, communications,
accommodation, etc. An account for each expense would then be created for each business
area/division.
Alignment of the chart of accounts
An agency should ensure the structure of the chart of accounts fulfils the requirements of
the portfolio and the Department of Treasury and Finance.
A chart of accounts that is structured to align with the portfolio would enable
straightforward and consistent reporting.
A consistent chart of accounts enables financial information to be:
• analysed and compared over time (current vs previous data); and
• published in a consistent and clear format across government.
Financial reporting against the chart of accounts
Agencies should consider the structure of the chart of accounts in line with reporting
requirements (annual and progressive estimates) and ensure consistency with the audited
financial statements.
It is recommended that agencies limit their use of ‘other’ categories in the chart of accounts, to ensure comprehensive identification of transactions and minimise queries from the portfolio and the Department of Treasury and Finance at year end.
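As an added example (not part of the user guide and not an agency's own code), the following Python script applies the structural points above to a chart of accounts held as data: the account class implied by the account number must agree with the declared class, account numbers must be unique, residual ‘other’ accounts are flagged for reclassification, and every account must map to a whole-of-government reporting line. The numbering convention (leading digit 1 = asset, 2 = liability, 4 = revenue, 5 = expense), the reporting-line names and the sample accounts are constructed assumptions; an agency would substitute its own chart of accounts and the mapping table it maintains against DTF requirements.

```python
"""Chart of accounts (CoA) structure checks.

Added example, not part of the Financial Management Compliance Framework
user guide. The numbering convention, reporting-line names and sample
accounts below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed numbering convention: the leading digit identifies the account class.
CLASS_BY_LEADING_DIGIT = {"1": "asset", "2": "liability", "4": "revenue", "5": "expense"}


@dataclass(frozen=True)
class Account:
    number: str
    name: str
    declared_class: str
    reporting_line: Optional[str]  # whole-of-government line the account rolls up to


def check_chart(accounts: List[Account], reporting_lines: Set[str]) -> List[Tuple[str, str]]:
    """Return (account number, finding) pairs for accounts that fail a check.

    Checks: number/class agreement, uniqueness of account numbers, residual
    'other' categories, and mapping to a known reporting line.
    """
    findings: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for acct in accounts:
        if acct.number in seen:
            findings.append((acct.number, "duplicate account number"))
        seen.add(acct.number)

        implied = CLASS_BY_LEADING_DIGIT.get(acct.number[:1])
        if implied is None:
            findings.append((acct.number, "leading digit outside the numbering convention"))
        elif implied != acct.declared_class:
            findings.append((acct.number, f"number implies {implied}, declared as {acct.declared_class}"))

        # A whole-word 'other' in the name marks a residual category to be reclassified.
        if "other" in acct.name.lower().split():
            findings.append((acct.number, "residual 'other' category; consider reclassifying"))

        if acct.reporting_line is None:
            findings.append((acct.number, "not mapped to a whole-of-government reporting line"))
        elif acct.reporting_line not in reporting_lines:
            findings.append((acct.number, f"mapped to unknown reporting line {acct.reporting_line!r}"))
    return findings


# Constructed sample data (assumed reporting lines and accounts).
SAMPLE_REPORTING_LINES = {
    "Cash and deposits", "Receivables", "Payables", "Property, plant and equipment",
    "Output appropriations", "Grants", "Employee expenses", "Supplies and services",
    "Other operating expenses",
}

SAMPLE_ACCOUNTS = [
    Account("1100", "Cash at bank", "asset", "Cash and deposits"),
    Account("1200", "Receivables", "asset", "Receivables"),
    Account("2100", "Payables", "liability", "Payables"),
    Account("3100", "Motor vehicles", "asset", "Property, plant and equipment"),  # digit 3 not in convention
    Account("4100", "Appropriation revenue", "revenue", "Output appropriations"),
    Account("4200", "Grants received", "expense", "Grants"),                      # number says revenue
    Account("5100", "Salaries and wages", "expense", "Employee expenses"),
    Account("5200", "Supplies and services", "expense", None),                   # no mapping
    Account("5900", "Other expenses", "expense", "Other operating expenses"),    # residual 'other'
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the checks over the constructed sample chart."""
    return check_chart(SAMPLE_ACCOUNTS, SAMPLE_REPORTING_LINES)


if __name__ == "__main__":
    for number, finding in run_sample():
        print(f"{number}: {finding}")
```

Each finding corresponds to a question in the checklist below: the unknown leading digit and the revenue/expense mismatch are structure questions, the unmapped account is the DTF alignment question, and the ‘other’ account is the reclassification question.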
Overall considerations for a chart of accounts
The checklist below provides an outline of high level considerations for the chart of accounts in relation to:
• development and structuring;
• day to day financial operations; and
• review and maintenance.
Chart of accounts (CoA) – checklist (tick each item when included)
Development and structure of the CoA
• Has there been a restructure or machinery of government change impacting the CoA?
• Have any changes or updates to the CoA been approved by your agency’s CFAO or their delegate?
• Is the CoA sufficiently detailed and logically structured to allow useful and timely management reporting and financial reporting?
• Is the CoA consistent with legislative and professional accounting requirements?
• Does the CoA provide for effective departmental budgeting, reporting and monitoring of the output management principles and practices?
• Are ‘other’ categories used? Can they be reclassified?
Chart of accounts (CoA) – checklist (continued)
Operations
• Is the CoA incorporated into the financial process, e.g. updating the general ledger and relevant accounts during financial payments?
• Is your CoA communicated efficiently and effectively to all officers within your public sector agency?
Review and maintenance
• Does your agency’s CoA align with the reporting requirements of the Department of Treasury and Finance (DTF), e.g. is there a map or a relationship table between your agency’s CoA and whole of government requirements as issued by DTF?
• Has the CoA been maintained and updated in a timely manner so that it meets the objectives of your agency? Is there a map to reference changes across years for year-to-year comparison?
User guide to Standing Direction 3.1.5
Direction requirements 14 and 15
Managing outsourced financial services: outsourcing governance
and audit scrutiny
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies
ensure effective management of outsourced financial functions and related services
(Direction 3.1.5, Direction Requirements 14 and 15).
This supplementary material has been developed to assist agencies in implementing and
managing their own outsourced services; and to provide guidance for maintaining
appropriate control over the end to end life cycle of outsourced functions.
The material also details elements of cost benefit analysis and audit scrutiny to assist with
specific aspects of Direction 3.1.5.
This supplementary material includes the following information:
• the definition of outsourcing;
• impact of legislation on outsourcing;
• spectrum of outsourcing;
• outsourcing lifecycle:
1. strategy and approach;
2. requirements and selection;
3. negotiation and agreement;
4. transition and implementation;
5. maintenance and management;
6. realisation of benefits;
7. amendment or termination;
• cost benefit analysis; and
• audit scrutiny of outsourced services.
The definition of outsourcing
Outsourcing is a process by which a specific service or group of services is provided for the
agency by a third party through an agreement, e.g. contract. Typical drivers for outsourcing
include cost savings, improved quality, access to specialised skills and other efficiencies.
Impact of legislation on outsourcing
Where an agency relies on outsourced services, appropriate procedures should be in place
to manage the associated risks to ensure all legislative requirements are being met.
The public sector agency should be aware that outsourcing does not diminish the
responsibilities of the Chief Finance and Accounting Officer (CFAO) and the Accountable
Officer for the outsourced function – in summary, a service can be outsourced but the risk
cannot.
Direction 2.2(d) and (w) requires annual sign-off that the agency’s:
(i) financial reports are presented fairly;
(ii) risk management, internal compliance and control framework is sound; and
(iii) internal control framework is operating effectively and efficiently.
This is relevant for all functions within an agency including those outsourced.
Direction 3.1.5 also outlines specific requirements for outsourced financial functions. The
underlying concepts included in this Direction are relevant to all outsourced services. As
stated in Guideline (i) to Direction 3.1.5:
The public sector agency remains responsible for ensuring that the third party provider is
meeting the requirements of the FMA, these Directions and any other relevant legislation.
This supplementary material provides guidance on outsourced services in addition to the
requirements outlined in Direction 3.1.5 and is relevant to outsourced financial functions as
well as other outsourced services.
Spectrum of outsourcing
There is a broad spectrum of models to deliver services. The following table provides an
overview of the spectrum of service delivery models.
Internal delivery
Delivery of the service is managed and resourced internally. Third parties may provide discrete products or services.

Full outsourcing
Where a single contract with a single supplier exists, usually covering a broad scope of services and needs. This model is typically implemented as a strategic partnership between management and the service provider and is usually put in place for the long term.

Co-sourcing
Responsibility for delivery of the service is split between an outsourcer and internal delivery. This model often involves an internal delivery team working with the outsourcer as a single group.

Insourcing/shared services [38]
Insourcing or shared services disconnect a service from the organisation via a separate business unit. The business unit is usually set up with its own profit/loss statement.
An agreement such as a Service Level Agreement (SLA) is commonly in place to govern the provision of the service and payment levels. The underlying concept is to run the separate unit like a business and emulate outsourcing services and pricing. The benefits of this type of arrangement are that organisations can achieve consolidation, integration and standardisation while maintaining direct control of the service provider and openness to changing market options.

Selective sourcing
Where multiple contracts are set up with multiple suppliers. This type of arrangement is common in the public sector.
This model is often implemented when the sourcing strategy is undefined and there is a variety of service delivery options.
Benefits of this type of outsourcing model include the ability to leverage the market’s best capabilities in a very competitive environment. Innovation is available and ‘switching costs’ are typically minimal. When managed effectively, agility, flexibility and scalability are readily available.

[38] Whilst the supplementary material can be applied to a shared services function, it does not address the additional organisational and other aspects that need to be considered when establishing a shared service function.
Outsourcing lifecycle
An inherent risk of outsourcing is that the intended benefits are not realised, be they cost,
quality or other benefits.
The typical outsourcing lifecycle is outlined in the list below, with further detail for each step provided in the form of checklists.
The checklists provide information to assist with mitigating the risk of benefits not being realised. They include guidance for the end-to-end lifecycle of an outsourced function, from strategy and approach through to termination.
Steps within an outsourcing lifecycle
1. Strategy and approach
2. Requirements and selection
3. Negotiation and agreement
4. Transition and implementation
5. Maintenance and management
6. Realisation of benefits
7. Amendment or termination
Step 1. Strategy and approach
Prior to embarking on a decision to outsource a business process, it is important to have a
full understanding of the business drivers for considering outsourcing, i.e. the business
reasons for outsourcing the function and how they align to the agency’s strategy.
The following aspects should be considered:
1.0 Strategy and approach (tick each item when included)
1.1 Understand, define and document business drivers and intended benefits. Consider:
• improved service quality;
• cost savings;
• software fees and maintenance charges;
• hardware capital costs, leases and maintenance charges;
• fixed cost, flexibility (e.g. additional capacity available);
• clarity of accountability;
• access to a wider skill base;
• staff costs;
• freeing up existing staff; and
• enabler of change.
Verify that the drivers align with the business strategy and overall objectives.
1.2 Define outsource components. Consider:
• clearly defined scope of services to be outsourced:
– clearly state the business functions and processes to be outsourced;
– define parts to be retained in-house and ongoing in-house responsibilities; and
– specify exclusions to reduce the risk of ambiguity.
• classification of activities, for example:
– strategic and non-strategic; core and non-core competencies.
• in-house control over the strategic direction of the outsourced service.
1.3 Key service level requirements: define Key Success Factors (KSF):
• aligning with the business drivers identified in 1.1;
• using essential criteria and desirable criteria; and
• categories for KSFs:
(a) financial;
(b) technical/functional;
(c) market;
(d) approach; or
(e) other, e.g. post implementation, support, HR requirements, time constraints.
1.4 Consider current environment/market place capability, including:
• assessment of what other agencies have done, and whether there is opportunity to achieve synergies of scale;
• areas for improvement in processes/functions/operations;
• review of service delivery options other than outsourcing;
• potential constraints; and
• sources of service and the experience of others:
– technological advances; or
– regulatory changes.
1.0 Strategy and approach (continued)
1.5 Select sourcing options, including:
• internal delivery;
• full outsourcing;
• co-sourcing;
• insourcing/shared services; and
• selective sourcing.
1.6 Understand and clarify risks, considering for example:
• financial risk – cost data used in the selection process is inaccurate and/or firm cost estimates are lacking;
• regulatory/legal risk;
• technical risk – the risks associated with continuing the project, e.g. interfacing new systems with legacy systems;
• capability risk – the capability and capacity of the organisation to execute the project and make the necessary changes required;
• benefits risk – the risks affecting the potential achievement of the intended outsourcing benefits and meeting key objectives;
• operational risk – the risk that operations of the agency may be impacted;
• erosion of competitiveness (confidentiality, uniqueness, responsiveness, flexibility);
• loss of in-house skills and understanding;
• level of difficulty and expense to bring the function back in-house;
• technology stagnation; and
• cost of planning and transition.
Mitigating these risks:
• undertake a thorough risk analysis as part of the investment appraisal; and
• ensure risk management activities feature in the implementation plan and the ongoing management model.
1.7 Conduct feasibility study/cost benefit analysis to:
• define objectives and project scope;
• identify the options;
• identify costs and benefits;
• complete sensitivity analysis; and
• identify and report on the preferred option.
See also the detailed cost benefit analysis checklist in this material.
1.8 Develop business case (using information from the work conducted) to:
• define objectives and scope;
• analyse the current situation and the need for change;
• outline end benefits that can be achieved (e.g. improved efficiency of the new system through reduced costs);
• define measures for the intended benefits;
• describe options and consider:
– criteria for selecting the preferred solution; and
– the preferred option.
• provide estimates of establishment and implementation costs;
• estimate ongoing costs and the financial benefits;
• consider qualitative and quantitative evaluation options;
• explain and clarify risks and proposed mitigation strategies;
• develop a proposed timeline and key milestone and decision dates;
• summarise the cost versus benefit versus risk assessment; and
• summarise impacts on agency processes.
1.0 Strategy and approach (continued)
1.9 Establish project – work to be completed includes:
• develop a project plan with key milestones, timeframes, resource requirements, etc.;
• establish project governance and procedures:
– allocate a sponsor responsible for the project plan, with delegation to authorise project funding;
– establish a steering group with responsibility for the project;
– consider whether the project requires a project manager and project team;
– establish a project tracking, reporting and monitoring process; and
– ensure strong business representation and buy-in.
• consider whether to leverage a project methodology such as PRINCE2; and
• develop a communications strategy:
– define stakeholders;
– identify key messages to be communicated;
– consider the nature, level and frequency of communication required, e.g. email, newsletter; and
– integrate with the project plan.
1.10 Assess the maturity of the function to be potentially outsourced. Consider:
• how efficient and effective the function is currently; and
• whether the above assessment has a bearing on the contract price, intended costs/savings and other factors.
Step 2. Requirements and selection
Once a potential outsourcing solution has been identified, the functional and service
delivery requirements need to be defined in sufficient detail to enable potential suppliers to
submit proposals.
The processes involved in this step are outlined below. Agencies will note that internal
procurement and purchasing policies form part of this step.
2.0 Requirements and selection (tick each item when included)
2.1 Prepare statement of requirements. Consider and include:
• a comprehensive request for proposal focused on business issues, business requirements and required benefits;
• potential major contractual issues;
• third-party consents;
• personnel issues;
• conditions for hiring third parties for new services, if required; and
• appropriate approval.
2.2 Map requirements to the business case (drivers and risks) to ensure drivers and risks have been considered.
2.3 Define selection criteria and weightings. Consider the following:
• skills;
• financial impact;
• service levels;
• flexibility;
• core expertise;
• stability;
• market share;
• cultural compatibility;
• quality service attitude; and
• vertical expertise.
2.0 Requirements and selection (continued)
2.4 Issue request for services in accordance with the agency’s internal policy and procedures (and, where appropriate, Victorian Government Purchasing Board guidance material [39]).
2.5 Evaluate responses, ensuring:
• the defined selection criteria and weightings are used;
• vendor competition continues until the decision is made;
• due diligence, including a best and final offer invitation, is completed; and
• references are checked.
2.6 Select preferred supplier in accordance with the agency’s internal policy and procedures.
2.7 Define basis for proceeding: communicate to all parties involved the next steps in the process.
2.8 Update project plan and business case.
Step 3. Negotiation and agreement
When finalising the contractual terms for outsourcing, it is particularly important that the
agreement covers all the necessary legal aspects and that the Service Level Agreement
contains sufficient detail to enable the agency to monitor the adequacy of the services
provided.
There are also a number of mandatory areas, such as access for audit (internal and external) and business continuity arrangements, that must be addressed. The agency may also consider staffing issues and transition or exit requirements in this step so that they can be included in the agreement where necessary. The checklist identifies some issues to consider in the negotiation and agreement step.
These steps should be considered in conjunction with Victorian Government Purchasing
Board (VGPB) guidance material and other standard procedures relevant to the agency.
3.0 Negotiation and agreement (tick each item when included)
3.1 Refine and confirm solution to ensure drivers and risks are addressed.
3.2 Review terms of contractual agreement in accordance with the agency’s internal policy and procedures (and, where appropriate, Victorian Government Purchasing Board guidance material). Consider:
• pricing structure;
• confidentiality;
• exclusivity;
• regulatory requirements, e.g. audit access;
• performance reporting;
• management structure;
• deadlock resolution;
• penalty and reward clauses; and
• extension clauses.
[39] For more information on Victorian Government Purchasing Board guidance material, please refer to www.vgpb.vic.gov.au
3.0 Negotiation and agreement (continued)
3.3 Define the Service Level Agreement:
• to include service delivery considerations and measures;
• to include information and measures for the assessment of realisation of overall business drivers (benefits realisation);
• ensuring performance measures are SMART:
– Specific
– Measurable
– Action oriented
– Realistic
– Time-bound
Refer to the User Guide to Standing Direction 4.4 Financial Performance Management and Evaluation for more detail.
• detailing reporting requirements:
– content (including regulatory requirements);
– stakeholders/audiences;
– timeframes; and
– frequency.
3.4 Establish agreements (contractual and SLA). Ensure:
• areas of uncertainty have been clarified and defined;
• the best and final offer is included;
• there is flexibility catering for potential changes in the business;
• all parties understand and have accepted the agreement; and
• the business case is approved.
3.5 Include transition, termination and amendment clauses in accordance with the agency’s internal policy and procedures (and, where appropriate, Victorian Government Purchasing Board guidance material).
3.6 Assess legal sign-off requirements on the contracts and supporting materials.
Step 4. Transition and implementation
This step is focused on addressing the activities and processes in relation to the
implementation and transition of the outsourced service. Most of the information required
for this step should have been developed during agreement negotiations, although there
will be some issues and circumstances that will not have been included or foreseen.
In order to manage transition and implementation effectively as well as safeguard the
agency’s relationship with the service provider, it is important to apply sound project
management practices. Some considerations are outlined below.
4.0 Transition and implementation (tick each item when included)
4.1 Establish process for managing relationships and staff. Consider:
• nominating a relationship manager;
• agreement on contact point arrangements;
• retaining sufficient in-house staff to manage the agreement; and
• clear and simple procedures.
4.2 Develop implementation plan. Consider:
• human resources issues, e.g. training, change management;
• implementation activities, e.g. data conversion and test environments, with responsibilities identified;
• transferring/assigning contracts and agreements;
• plans for transition of physical, legal and taxation considerations, e.g. buildings, equipment, other assets; and
• due diligence by the supplier to allow detailed planning of the transition by accessing information, e.g. monthly reports, asset register.
4.0 Transition and implementation (continued)
4.3 Update business case. Ensure:
• business drivers are fulfilled and risks are mitigated; and
• the agreement with the supplier reflects all requirements, including transition arrangements.
4.4 Prepare handover and undertake transition. Ensure:
• documentation is complete, authorised and signed by both parties;
• work is undertaken in accordance with the implementation plan; and
• milestones are monitored.
4.5 Manage business change arising from implementation. Consider:
• communicating changes throughout the organisation;
• keeping relevant stakeholders updated on progress (positive and negative);
• remaining in-house processes that may need to be amended to optimise the change;
• updating the organisational risk profile; and
• other impacts such as:
– the agency’s employee satisfaction with the services being outsourced;
– impact on staff structure; and
– privacy of information and legislative requirements (potential training requirements).
Step 5. Maintenance and management
It is important to have maintenance and management procedures in place for the
outsourced service once it is implemented.
The relationship with the outsourced provider needs to be managed proactively to ensure
the smooth operation of services. The business process needs to be adequately controlled,
monitored and reported on. Any changes should be adequately controlled and
implemented, and service should continue at the required quality and cost levels and within
agreed timeframes. The checklist below provides an outline for potential management and
maintenance processes.
Where the processes or activities outsourced have some impact on the financial
management, financial processing or financial statements of an agency, there is a need to
obtain specific assurance on the control procedures at the service entity. Even where there
is no impact, there may still be a need to obtain assurance over control procedures to
enable:
 the agency to ensure the requirements of the FMA, the Directions and any other relevant
legislation are being met; and
 the Accountable Officer and CFAO to make the annual statement required under
Direction 2.2(d) for public sector agencies, or (w) for government departments.
The primary reason for this is that outsourcing does not diminish the responsibilities and
accountabilities of the agency for sound financial management.
5.0 Maintenance and management (tick each item when included)
5.1 Manage ongoing service delivery. Consider:
• budget, costs, charges;
• relationship management;
• managing risks and planning for contingencies; and
• reporting on the SLA:
– service delivery;
– key controls;
– performance measures;
– regulatory compliance; and
– annual review.
5.2 Provide ongoing management and monitoring. Consider:
• implementing customer satisfaction surveys;
• implementing a continuous improvement programme; and
• conducting audits at the supplier’s premises.
5.3 Obtain appropriate levels of assurance, as per Direction 3.1.5(d). Consider requirements for Direction 2.2(d) and (w) sign-off.
Note: see the audit scrutiny section in this material for further information.
5.4 Review aspects of the functions retained internally. Consider remaining in-house processes, as they may need to be amended to optimise the change.
5.5 Review outsourcing strategy. Consider:
• periodically assessing whether requirements are being met and whether they need to be amended; and
• re-tendering regularly.
5.6 Report to demonstrate drivers are met and risks managed.
Step 6. Realisation of benefits
After the outsourcing is operational and the management processes are in place, an
assessment of the operational and financial benefits originally intended in the business case
should be conducted.
The results of the assessment should be communicated and necessary improvements need
to be managed and implemented. Outsourcing projects have the potential to fail to deliver
the intended benefits because of the lack of focus on post implementation issues. The
checklist outlines some ideas for benefits realisation processes.
6.0 Realisation of benefits (tick each item when included)
6.1 Implement a process to identify, monitor and report against the originally intended benefits as well as other intended benefits identified throughout the process. Consider:
• implementation of a strong reporting and governance framework to keep focus on delivery of benefits;
• operational and financial benefits; and
• regular monitoring of benefits and business drivers, e.g. six-monthly.
6.2 Review costs and benefits. Conduct an assessment of costs and benefits against the business case to determine whether the intended costs and benefits have been achieved.
6.0 Realisation of benefits (continued)
6.3 Independent review/assessment/audit. Consider:
• an independent assessment to obtain an impartial review of the implementation;
• benchmarking to confirm costs and benefits are in line with the market;
• obtaining information on potential areas for improvement; and
• an assessment frequency of at least annual.
Step 7. Amendment or termination
Once the outsourced service is implemented and reviewed, some changes may be required that affect the agreement. Alternatively, the agreement may need to be terminated. Potential reasons for termination include reaching the end of a defined agreement term or failure of one of the parties to comply with the terms of the agreement.
The process for managing an agreement termination or amendment should be clear and
well-organised. The checklist provides some suggestions for this.
7.0 Amendment or termination (tick each item when included)
7.1 Assess options and business case. Include:
• reassessment of the current service position;
• review of contract termination provisions;
• calculation of a financial model for termination options;
• a strategy for managing the supplier; and
• update/review of the business case.
7.2 Negotiate termination or amend agreement. Include:
• transition activities and associated costs;
• severance costs;
• agreement on contract and financial reconciliation issues;
• resolution of ‘blame’ if termination is due to failure to provide the service;
• timeframes for activities, milestones, etc.; and
• resources from both parties.
7.3 Terminate arrangements. Consider:
• planning and executing the transition; and
• updating the business case.
Cost benefit analysis
This section provides a cost benefit analysis checklist to assist with the preparation and
evaluation of the cost benefit analysis.
The use of this checklist will also assist to define the scope and thoroughness required for
the evaluation.
Steps to consider when conducting a Cost Benefit Analysis (tick each item when included)
Step 1: Define objectives and project scope
• Why is the proposal/project proposed?
• Are the objectives consistent with overall agency objectives and strategies?
• What type of proposal is it? Temporary, permanent or new?
• What is the scope of the proposal?
• Has it been evaluated previously or been subject to other forms of analysis, e.g. risk analysis or value management?
• Is it part of a larger program or strategy?
• What major stakeholders are likely to be impacted – internal and external; public, private and community sectors?
• What consultation was undertaken and how was it done?
Step 2: Identify the options
• What are the options to achieve the objectives?
• What is the base case? (What would happen without the project/proposal?)
• What other relevant information is available? Has this project been undertaken elsewhere? Where was the information sourced? How can it be used?
Step 3: Identify costs and benefits
• What are the capital costs (equipment, facilities, structures, project management, construction, decommissioning, etc.)? Over what timeframe?
• Are refurbishment or system upgrade costs needed?
• What are the recurrent costs – labour, training, maintenance, utilities, etc.?
• What are the operating parameters, e.g. levels of service, hours of operation, availability, expectations of growth in use/demand, etc.?
• What data may be required for monitoring/reporting?
• Do policies and procedures need to be amended or changed, e.g. security, operations?
• What are the user benefits?
• What are the cost savings (avoidable capital and recurring costs, sale of assets, risk, efficiency, economies of scale, etc.)?
• What are the external costs and benefits?
• How will these costs and benefits be presented?
• Have you considered a discounted cash flow analysis to present financial cost and benefit information in current dollars?
• Are user comfort and convenience issues a factor?
• How will risk issues be managed?
Step 4: Sensitivity analysis
 Is there a need for sensitivity analysis based on optimistic and pessimistic
estimates of costs and benefits?
 Have the values of costs and benefits been adjusted for real price variations over
time?
 What is the length of the evaluation period – over how many years is the
discounted cash flow analysis undertaken, and is the evaluation period based on
the life of the expected outsourcing arrangement?
 What are the major areas of uncertainty and risk in the project?
 How have these been dealt with, i.e. by specific analyses?
 Which assumptions need to be tested?
Step 5: Identify and report on preferred option
 What is the preferred option when the initial evaluation of costs and benefits,
sensitivity analysis and all qualitative factors are taken into account? Does the risk
analysis impact on the outcomes significantly?
 Has a report been prepared that includes:
– the objectives of the outsourcing strategy and alignment with agency objectives
and strategies;
– a description of the evaluation framework, assumptions and key input data;
– a description of all the costs and benefits;
– the assumptions underpinning the evaluation;
– the evaluation results with cost, sensitivity and qualitative analysis;
– comparison of the preferred option with other options; and
– recommendations for the preferred option?
Audit scrutiny of outsourced activities
An agency must ensure effective management of outsourced activities to obtain the
required levels of service and maintain compliance with regulatory requirements such as the
Standing Directions of the Minister for Finance under the Financial Management Act 1994
(Direction 3.1.5).
The Direction requires outsourced financial services to be subject to internal and external
audit scrutiny (Direction 3.1.5(d)). An agency should take into account the risk profile of an
outsourced activity to determine the nature and extent of information required to be
subject to audit scrutiny.
The purpose of audit scrutiny is to enable the agency to obtain an appropriate level of
assurance that the:
 provider is complying with the agreed terms and conditions (e.g. performance measures
and relevant legislation as outlined in the contract or Service Level Agreement);
 controls for activities and processes impacting financial management are efficient and
effective resulting in accurate financial and other relevant information being reported;
 control environment surrounding the outsourced services provided is robust, efficient
and effective to enable complete and accurate processing of underlying transactions
and/or data;
 agency’s responsibilities and accountabilities for good governance and sound financial
management are not negatively impacted by the outsourced activities; and
 the Accountable Officer and CFAO can sign off on the accuracy, effectiveness and
efficiency of the financials, internal control and compliance systems and risk
management within an agency on an annual basis (as per Direction 2.2(d) and (w)).
How to obtain assurance using internal or external audit
It is strongly recommended that an agency liaise with its own internal and/or external
auditors to discuss the best approach to obtaining assurance. However, the following
options are provided for consideration:
Option 1: Outsourced service provider provides assurance through either:
 a publicly available opinion on internal control (usually this will be an opinion in accordance
with Australian Auditing Standards that is made available to all customers of the outsourced
service provider); or
 an opinion or report specifically designed for the use of the agency (in these instances, a
tailored scope of work will typically be requested by the agency, but the work is performed,
and the report provided, by the outsourced service provider’s internal or external auditors).
Option 2: Agency arranges for an independent party/auditor to visit the outsourced
service provider to obtain assurance (in these instances, the scope of work will be
determined by the agency and results will often be reported in a format that the agency
is familiar with).
Interpreting the results from audit scrutiny to determine the level of assurance provided
It is strongly recommended that the agency obtain assistance from its internal or
external auditors to interpret the information received as a result of audit scrutiny.
Factors that need to be considered in interpreting results include, but are not necessarily
limited to:
 What type of opinion or report has been issued? Is there reference to an auditing standard? If
so, is there an expression of the level of assurance being provided and are there any
limitations on scope referred to? What does the conclusion say?
 What period of time is covered by the opinion or report? Is this consistent with the period of
interest to the agency?
 What locations, specific business processes and/or transactions have been reviewed and
reported on? Do these cover the full scope of the agency’s activities or transactions provided
by the outsourced service provider? If not, are the activities or transactions not covered
material or significant to the agency?
 What issues or concerns have been identified?
 What resolution plans has the provider put in place?
 What is the impact of the identified issues and resolution plans on the agency?
User guide to Standing Direction 3.2
Information technology systems
Including:
3.2.1 Direction requirement 16 – Information technology management
3.2.2 Direction requirement 17 – Information technology operations
3.2.3 Direction requirement 18 – Security
3.2.4 Direction requirement 19 – Development
3.2.5 Direction requirement 20 – Change control
User guide to Standing Direction 3.2.1
Direction requirement 16
Information technology management
Introduction
The Standing Directions of the Minister for Finance have a number of requirements in
relation to information technology (IT).
Direction 3.2.1 specifically requires an agency to ensure that the direction, strategy and use
of information technology is consistent and appropriate for sound financial management.
In addition the Responsible Body must at least annually:
 review the use of information technology for financial management; and
 conduct or review an assessment of information technology risks and their impact on
financial management.
This material outlines guidance to assist with compliance with these requirements and
includes:
 management and integration of IT within an agency;
 annual IT management reviews;
 use of IT for financial management;
 manual processes and spreadsheets;
 IT risk assessment for financial management; and
 outsourced IT for finance functions.
Management and integration of IT within an agency
The management of IT operations should be integrated into an agency’s day to day business
practices and processes.
IT operations (and expenditure requirements) should be considered and linked, where
relevant, to the agency’s strategic plan, goals and business plans to ensure IT needs are met
and appropriately managed.
IT systems and operations with financial management functions should be identified to
ensure governance and compliance requirements are monitored and fulfilled.
An agency may establish an IT steering committee to assist with the management of IT
operations. An IT steering committee typically:
 comprises representatives from the executive team, the IT division and various areas
within the agency to ensure users are represented. Members are usually from the
agency’s management team;
 meets regularly to oversee all IT activities within an agency;
 oversees the resourcing for IT operations across the agency as well as any outsourced IT
activities;
 reviews all proposals for IT projects, prior to sign-off and oversees the prioritisation of
projects, expenditure, resourcing, contract and vendor management (e.g. rollout of
disaster recovery plan, new implementations);
 ensures the IT strategy is implemented and reviewed taking into account alignment with
the business strategy;
 reviews IT policy and procedure documentation for currency and relevance; and
 reviews and resolves IT related risks and issues.
Annual IT management reviews
The purpose of annual IT management reviews is to:
 assess the effectiveness of current technology used for financial management and
reporting;
 identify any new or changed technology requirements in relation to financial
management;
 monitor the extent to which alternative (i.e. unapproved) technology solutions may be in
use across the agency; and
 examine the risks in relation to IT systems supporting the agency’s financial
management.
Annual review – use of IT for financial management
The annual review of IT for financial management may be undertaken in a number of forms.
Upon reflection an agency may find that there is a variety of work conducted during the
normal course of business that would contribute to a review of IT for financial management.
Examples of this may include:
 internal documentation, e.g. memos, reports, emails, that discuss risks/issues associated
with financial management and comment on how the risks would be managed,
including the technological implications, i.e. whether upgrades or software changes are
required; and
 information regarding alternative technologies, databases or spreadsheets being used
across an agency to supplement the core finance system.
This information could be identified in reports by internal audit or external reviews, e.g. a
division of the agency keeps its own spreadsheet to record certain financial transactions and
circumvents the main system.
Management response and subsequent actions to these findings form part of the annual
review process.
The annual review of IT for financial management should also consider and include:
 any work conducted on business continuity and disaster recovery planning for financial
management;
 annual budget and/or corporate planning information which may highlight decisions for
new technologies around financial management;
 the resources and skills available to support the IT environment within the agency and
whether external support is required;
 the appropriateness and current level of reliance on IT at the agency;
 the control environment surrounding IT systems and operations; and
 the adequacy, impact, management and understanding of changes to financial
applications and IT infrastructure (where relevant).
The outcomes of the review should be reported to the Responsible Body and outline:
 current technology for financial management;
 risks and opportunities; and
 actions/changes planned and recommendations (where relevant).
Note: This information could be included in the CFAO’s report on the plan for preparation and finalisation of the
financial statements.
Also an agency may wish to consider including the requirements to monitor the use of
technology for financial management in the CFAO’s annual performance plan.
Manual processes and spreadsheets
Manual processes and spreadsheets are a common aspect of many financial management
systems and carry higher risk when used outside the core financial system.
An agency should consider the use of manual processes in the annual review of IT for
financial management. The checklist below provides some areas for consideration.
Checklist for processes outside the financial management system
Step 1: Identify all spreadsheets, manual processes etc. across the agency.
Step 2: Consider whether processes identified in Step 1 capture significant
financial transactions, calculations or processes.
Step 3: Identify the risks, e.g. the risk of error in the financial management
information sourced from processes identified in Step 1.
Step 4: Review mitigation and management strategies for the risks, e.g. review of
data input and output, use of formulae.
Step 5: Review the need for processes identified in Step 1. Consider implementation of
formal, automated or system based processes within existing financial management
applications to replace manual processes.
Step 6: Report findings, actions, recommendations and mitigation strategies to the
Responsible Body as part of the annual review process.
(Each step has a ‘Considered?’ column to be ticked off as it is addressed.)
Annual review – IT risk assessment
The agency’s annual assessment of IT risks and their impact on financial management should
be reported to the Responsible Body. The risk assessment should seek to cover the following
areas (where applicable):
 backup, recovery and contingency planning;
 change management;
 delivery, support, operations and procedures;
 physical and logical security;
 planning, organisation and resourcing;
 project management and systems development; and
 strategic IT management.
For further information about IT risk management refer to:
 Standards Australia – security risk management documentation; and
 Government services group on the Department of Treasury and Finance website
(www.dtf.vic.gov.au).
Outsourced/shared IT services
Where IT services and/or operations are outsourced, co-sourced or shared etc., the agency
needs to seek an annual assessment of the services/operations from the provider to ensure
this Direction and the specific requirements are met.
The assessment should be documented and provided to the Responsible Body.
The agency is responsible for the implementation of this Direction in relation to IT for
financial management irrespective of the provider. That is, if the provider is another agency
or department, the documented assessment is to be submitted to the Responsible Body.
For further information refer to the User Guide for Direction 3.1.5 – Outsourcing
governance.
User guide to Standing Direction 3.2.2
Direction requirement 17
Information technology operations
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies
strongly support financial management systems with particular requirements for disaster
recovery and business continuity management. These requirements are outlined under
Direction 3.2.2 Procedure (a) and include:
 formal assessment, at least annually, of the impact of financial management systems not
being available for an extended period; and
 review and testing of a formally documented disaster recovery plan and business
continuity plan.
This supplementary material has been developed to assist public sector agencies in
developing and implementing their own business continuity and disaster recovery plans.
This supplementary material includes the following information:
 understanding business continuity;
 understanding disaster recovery;
 developing business continuity and disaster recovery plans;
 business continuity and disaster recovery plan methodology:
– scoping – definition and awareness;
– business impact analysis;
– strategy selection and evaluation;
– plan development and documentation;
– implementation and testing; and
– maintenance and update.
 Attachment 1 – template for a business continuity and disaster recovery plan.
Understanding business continuity
Business continuity is a state where the agency’s critical functions and operations continue
with minimal interruption in the event of a disruption. Examples of disruptions can include
natural disasters, human error, loss of resources and/or suppliers.
Business continuity management (BCM) is an integrated approach that includes policies,
standards, and procedures for ensuring operations can be maintained or recovered in a
timely fashion in the event of a disruption. Its purpose is to minimise the operational,
financial, legal, reputational and other material consequences arising from a disruption.
Business continuity plans (BCP) are a component of BCM. Business continuity plans are
documented contingency plans that outline actions and methods required to recover agency
operations from particular disruptions.
The development of the business continuity plan follows a methodology that identifies
critical business processes, activities and related risks to ensure the continuity of business
operations in the event of a disruption. The methodology also proactively aims to minimise
risks and potential losses.
The implementation of a developed plan should reduce the time spent in the contingency or
recovery phase in the case of a disruptive event.
Understanding disaster recovery
Disaster recovery focuses on the recovery of information technology (IT) systems
infrastructure used to support an agency’s operations in the event of disruption (to one or
more systems for a period of time).
A disaster recovery plan (DRP) specifically documents the technical recovery procedures to
be implemented to regain critical IT systems and/or components for an agency’s operations
to continue.
Disaster recovery plans are referred to in business continuity plans as a part of the complete
recovery of an agency’s operations.
Developing business continuity and disaster recovery plans
This material provides an outline of methodology used to develop business continuity and
disaster plans as well as an example template to document the plans (see Attachment 1).
As business continuity and disaster recovery requirements differ between agencies, this
material should only be used as a guide for agencies. The information can be tailored to suit
an agency’s needs, size and operational type.
For further information about disaster recovery and business continuity capability refer to
government services group on the Department of Treasury and Finance website
(www.dtf.vic.gov.au).
Business continuity and disaster recovery planning methodology
The typical methodology for developing business continuity and disaster recovery plans is
outlined in Figure 1 below, with further detail for each step provided in the form of
checklists.
This methodology can be used for business continuity and disaster recovery planning across
all functions within an agency. The requirements of the Financial Management Compliance
Framework (FMCF), however, solely focus on information technology operations that
support financial management.
This methodology aims to assist public sector agencies in implementing an effective business
continuity and disaster recovery capability with focus on:
 engaging the appropriate stakeholders;
 documenting a Business Impact Analysis (BIA) with a focus on critical business activities.
Under the FMCF, focus will be on those that have an impact on financial management;
 identifying risk reduction measures and selecting recovery strategies;
 documenting continuity and recovery plans as appropriate to the agency’s requirements;
and
 testing continuity and recovery solutions and plans and training relevant staff in recovery
processes.
The methodology used to develop a BCP is similar to that required for a DRP as the
checklists outlined in this material indicate. When preparing the plans it is advisable to
develop them separately to ensure all steps are implemented.
Figure 1 – Steps within a business continuity and disaster recovery planning methodology
1. Scoping
2. Business impact analysis
3. Strategy selection and evaluation
4. Plan development and documentation
5. Implementation and testing
6. Maintenance and update
Step 1. Scoping – definition and awareness
The first step in the development of a BCP and/or DRP is to define the objectives and scope
and understand the timelines, assumptions, resource allocation and milestones for the
project. The following outlines the details to be considered in this step.
Example tasks (BCP and DRP)
 Identify key stakeholders.
 Organise a briefing session.
 Ensure the staff involved in documenting the BCP and DRP have the
appropriate:
– skills; and
– knowledge of the organisation and functional areas.
 Assign responsibilities for plan ownership and administration, including plan
testing and maintenance activities.
 Assign responsibilities for collaborative plan development with process/activity
owners.
 Assign responsibilities for collaborative plan development with IT personnel and,
where possible, functional area representatives.
 Develop and document project objectives.
 Develop draft BCP and DRP assumptions (may need to be revisited as the plan develops).
 Define in-scope and out-of-scope activities.
 Obtain a current copy of the organisation chart.
 Obtain a current copy of the organisational structure for the IT
department/division.
 Review existing BCP and DRP documentation (where available) and assess the
relevance/opportunity for integration with existing arrangements,
responsibilities and recovery strategies.
 Define timelines and milestones and assign adequate resources for the BCP
and DRP activities.
Step 2. Business impact analysis
A business impact analysis (BIA) identifies and measures (quantitatively and qualitatively)
the business impact or loss of business processes in the event of a disruption. It also defines
recovery priorities as the critical business processes and activities are identified. BIAs
analyse and evaluate the impact and probabilities of failures of critical business processes.
The results of a BIA are crucial to the development of a BCP and DRP. The processes outlined
below provide high level detail of what is required to complete a BIA.
Example tasks (BIA)
 Identify key business processes and activities.
 For each business process and activity, identify dependencies, such as information
technology (IT), resources, other activities, locations, other.
 For each business process and activity, identify critical time periods, i.e. daily, end of
week, month-end, quarter-end, year-end, other.
 For each business process and activity, identify potential failure events or disaster
scenarios, i.e. describe how the activity is able to fail.
 For each business process and activity, rate the impact of not having the business process
and activity available.
 For each business process and activity, identify the remaining impact and maximum
tolerable outage (see note 40) to be addressed.
 For each business process and activity, identify controls to prevent an event from
occurring.
Step 3. Strategy selection and evaluation
This step defines the recovery strategies for critical processes and systems identified in the
BIA that require continuity planning. The strategies provide actions to deal with impacts of
business interruption efficiently.
Recovery strategies are pre-defined, pre-tested, management approved actions that are
employed in response to a business disruption, interruption or disaster.
The tasks below should be considered when developing recovery strategies for BCPs and
DRPs.
Example tasks (BCP and DRP)
 Identify recovery strategies, including approach, escalation plan process and
decision points.
 Identify recovery strategies specifically related to IT systems, including
approach, escalation plan process and decision points.
 Ensure the recovery strategies are cost effective and meet agreed maximum
acceptable outage requirements.
 Implement proposed response strategies and solutions.
40 Maximum Tolerable Outage (MTO) – the maximum period of time that critical business processes can operate before the loss
of critical resources affects their operations.
Step 4. Plan development and documentation
This step results in the documentation of plans.
Example tasks (BCP and DRP)
 Document the BCP (see note 41).
 Document the DRP (see note 41).
 Identify systems/applications/infrastructure which may require more detailed
policies and procedures. Document as necessary.
 Approval and endorsement of the BCP and DRP.
Step 5. Implementation and testing
Regular testing of continuity and disaster recovery plans is one of the most important
aspects of successful business continuity.
Plans should be tested at least once a year to ensure they are kept up to date, new systems
and processes are included and staff are familiar with their individual roles and
responsibilities. Consideration could be given to testing the BCP and the DRP at the same
time.
Testing validates the usability of contingency and recovery plans and identifies changes.
Example tasks (BCP and DRP)
 Determine the testing approach to be followed (approaches documented within the
BCP and DRP).
 Hold a testing briefing with all participants.
 Test developed plans following the adopted approach.
 Undertake a testing debrief. This process will identify gaps/additional needs in
the current plans.
 Incorporate necessary changes into the BCP and DRP.
 Publish and distribute final copies of the BCP and DRP to responsible parties.
Step 6. Maintenance and update
To ensure plans are current and up to date with an agency’s systems and processes they
should be reviewed and updated on a regular basis. This will help to ensure that the
contingency and recovery measures remain current and accurate.
Annual testing programs will assist in identifying areas within the plan that require
maintenance and update.
41 Attachment 1 provides an example template for the documentation of a BCP and DRP.
Some considerations for this step are outlined below.
Example tasks (BCP and DRP)
 During the updates, at a minimum, the following details must be checked:
– business processes;
– criticality of assessed processes and elements;
– third-party interfaces;
– organisation structure;
– responsible persons assigned to carry out tasks;
– deadlines; and
– appendices, including contact lists.
 Ensure IT change management procedures include the requirement to
consider IT DRP arrangements and backup strategies.
 During the updates, at a minimum, the following details must be checked:
– criticality of assessed IT systems/applications/infrastructure;
– changes in IT systems/applications/infrastructure;
– IT organisation structure;
– responsible persons assigned to carry out tasks;
– deadlines; and
– appendices, including contact lists.
Attachment 1
Template for a business continuity and disaster recovery plan
User note: This template is generic and does not therefore use terminology
that is restricted to business continuity planning for financial management
purposes.
<Insert organisation name>
<Insert site name> business continuity and disaster recovery plan
Organisation address: <Insert address>
Contents:
Purpose and objectives
 objective
 scope
 out of scope
Contingency strategy
 overview of contingency strategy
 recovery team structure
Fast action summary checklist
Business continuity recovery procedures
 <Insert system/application/infrastructure name>
 <Insert system/application/infrastructure name>
Disaster recovery tasks
 <Insert system/application/infrastructure name>
 <Insert system/application/infrastructure name>
Testing and maintenance procedures
Appendix 1 BIA findings and conclusions
Version Control
Version #: 1.0
Updated: <insert date>
Author: <Insert author>
Changes: <Insert changes made>
Purpose and objectives
Objective
The objective of this business continuity plan (BCP, see note 42) and disaster recovery plan
(DRP, see note 43) is to provide guidance to <insert organisation name> management for the
restoration of facilities, critical business processes and Information Technology (IT) facilities
by defining, at a high level, the recovery procedures required to continue/restore core
services in the event of a disaster.
This plan describes the organisational framework and procedures to be activated in the
event of a disaster occurring to enable recovery of services provided to <Insert organisation
name>’s customers, including the public, and the relevant business units supporting these
services.
Scope
This plan is confined to the main business processes of the following business units:
 <Insert applicable business units>
Out of scope
The following are not considered by this plan:
 <Insert any relevant exclusions, such as non-critical business functions, separate incident
plans, non-financial business processes and activities>
Contingency strategy
Overview of contingency strategy
The contingency strategy aims to recover operations with minimal, if any, impact on the
services supplied to our customers. The contingency strategy focuses on resolving issues
relating to information technology, suppliers and service factors for services offered to
<insert organisation name> customers and, where appropriate, the public.
Specifically the contingency strategy focuses on:
 immediate welfare of staff employed at the service site;
 assessing the workload requirements for business unit(s);
 establishing priorities for, and allocating the use of, technological and human resources;
 delegating responsibilities for critical recovery procedures of each functional service
area;
 overall control of recovering operations; and
 communicating the status of the event to customer representatives, management and
alternate sites.
42 A BCP describes the methods and procedures required to recover business operations from particular disaster scenarios or
events.
43 The DRP focuses on recovery of IT systems infrastructure to support the recovery of the business. The DRP is a subset of the
BCP and outlines separate recovery procedures defined by the IT team for the technical recovery of IT systems or components
to support the business operations.
Recovery team structure
The recovery team structure is critical to the success of the recovery process. The recovery
team structure consists of a combination of representatives for recovery of service and
business units at <insert organisation name>.
Key roles and responsibilities are as follows:
Role: <insert role>
Name: <insert name>
Contact details: <insert details>
Alternate contact: <insert name>
Alternate contact details: <insert details>
Fast action summary checklist
The initial response procedures are critical to efficiently manage a disaster scenario and
reduce the impact on business operations at <insert site(s)>. The following key tasks are
required to be completed and are used as the trigger for the initial response to the relevant
disaster scenario. The following table acts as a checklist to ensure all relevant activities have
been performed within the required time frames.
Columns: Ref; Example activities; Responsibility; Required timeframe; Sign-off (Responsibility
and Sign-off are left blank in the template for completion).
1. Notify recovery team leader of the incident including:
 time of incident; and
 manner in which incident was identified.
Required timeframe: immediate upon identification of incident.
2. Liaise with Police, Fire Brigade or Ambulance services (where appropriate).
Required timeframe: every 5-15 minutes.
3. Conduct initial assessment of incident and determine severity.
Required timeframe: 1-5 minutes of incident.
4. Notify First Aid/Occupational Health and Safety or Human Resource Officers of
incident to ensure adequate attention is provided to employees impacted by event.
Required timeframe: 2-5 minutes of incident.
5. Notify security (if loss of facilities is the incident) to distribute additional security to
affected <insert organisation name> area.
Required timeframe: 2-5 minutes of incident.
6. Notify recovery team members of severity.
Required timeframe: 15 minutes of incident.
7. Determine availability of:
 backup data for recovery of IT systems;
 access to customer data delivered prior to the incident;
 receiving and processing data by alternate means; and
 redirecting service to alternate site.
Required timeframe: 15-20 minutes of incident.
8. Contact back up facilities as necessary.
Required timeframe: 15-20 minutes of incident.
9. Determine if incident is likely to publicly impact <insert organisation name>.
Required timeframe: 45 minutes of incident.
10. Assess the need to release a communications briefing and release as determined
appropriate.
Required timeframe: 60 minutes of incident.
11. Monitor and review the detailed recovery procedures relevant to the service and
scenario.
Required timeframe: continuously.
Business continuity recovery procedures
The following high level recovery procedures are required to be completed if, for each critical business process (as identified during the Business Impact Assessment as per Appendix 1), <insert organisation name> cannot operate at normal capacity; this may be due to loss of site, loss of key personnel, loss of IT systems, loss of suppliers, etc.
<Insert system/application/infrastructure name>
The <Insert system/application/infrastructure name> recovery tasks are outlined below.

Period (see note 44) | Task Requirement | Responsibility | Sign-off
---------------------|------------------|----------------|---------
0-2 hours            | <Insert>         | <Insert>       |
2-4 hours            | <Insert>         | <Insert>       |
etc.                 |                  |                |

<Insert system/application/infrastructure name>
[Repeat as per 4.1 for each critical system/application/infrastructure to be covered.]
The <insert system/application/infrastructure name> recovery tasks are outlined below.
Disaster recovery tasks
<Insert system/application/infrastructure name>
[Repeat for each critical system/application/infrastructure to be covered.]
The <insert system/application/infrastructure name> recovery tasks are outlined below.
Objectives
<Insert objectives for the recovery of the system/application/infrastructure, including the required recovery timeframe (i.e. maximum tolerable outage)>
Pre-Conditions
<Insert any pre-conditions here. For example, where a system or application recovery depends on the recovery of infrastructure, make reference here>
Supporting Documentation
<Insert any supporting documentation here. For example, if detailed policies and procedures have already been documented elsewhere, do not repeat this information; rather, refer to the documentation and ensure it is appropriately accessible>
44 These represent the time frames after the initial incident was identified. The period indicates that the Task Requirements are required to be completed during the time frame indicated for the period.
Task | Task Requirement | Responsibility | Sign-off
-----|------------------|----------------|---------
1    | [Document the tasks required to enable the IT department (or other party as required) to recover the critical system/application/infrastructure in the required timeframe. The tasks should include the acquisition of computer hardware and communications equipment, installation of system software and/or application from original CD, retrieval and loading of backup tapes, reference to security standards to be implemented, etc.] | |
2    | | |

<Insert system/application/infrastructure name>
[Repeat as per 5.1 for each critical system/application/infrastructure to be covered.]
Testing and maintenance procedures
Testing and maintenance of the BCP and DRP is critical to ensuring that the planned procedures remain both relevant and reliable for use in the event of a disaster. The document owner is responsible for updating the document to ensure that it accurately reflects the customer services provided, contact listing details and additional references that may change from time to time.
The schedule below depicts the anticipated time frames in which testing, and subsequently maintenance, will be performed.

Section within the BCP/DRP                         | Testing conducted
---------------------------------------------------|------------------
Recovery Procedures                                |
  Business Continuity Recovery Procedures          | Annually
  Disaster Recovery Tasks                          | Annually
Example appendices                                 |
  Appendix 1 – Business Impact Analysis            | Annually
  Appendix 2 – Software and Application Contacts   | Annually
  Appendix 3 – Required Information/Data Locations | Annually
  Appendix 4 – Internal Telephone Directory        | Semi-annually
  Appendix 5 – External Suppliers’ Contact List    | Semi-annually
Appendix 1. BIA Findings and Conclusions
Based on the workshops held as part of this BIA and the questionnaires completed, <insert number> business activities and <insert number> instances where a failure event would have an impact on <insert organisation name> operations were identified. A breakdown by functional area is outlined below.

Business process       | Business activity | Event failure | Dependencies – IT system/software/supplier/3rd party/PPE | MTO (hrs)
-----------------------|-------------------|---------------|---------------------------------------------------------|----------
<Functional area name> |                   |               |                                                         |
<Functional area name> |                   |               |                                                         |
<Functional area name> |                   |               |                                                         |
User guide to Standing Direction 3.2.3
Direction requirement 18
Security
Introduction
The Standing Directions of the Minister for Finance require that an agency’s financial management system has appropriate security levels in place that allow only authorised access to transactions (Direction 3.2.2, Direction Requirement 18).
The Direction requires an annual formal assessment of the security and controls surrounding financial management information that is sensitive to the agency and stakeholders. The assessment must consider the adequacy of the following controls:
• security policies;
• password controls, for both applications and operating platforms;
• segregation of duties;
• user access levels in line with roles and responsibilities; and
• restricted physical access to the computer room and other sensitive financial management technology assets.
This material provides guidance in relation to different aspects of information
technology (IT) security.
Basic IT security governance and controls
The governance structure for IT security should be outlined in a detailed policy that:
• is approved by management and annually reviewed for currency and validity;
• is based on clearly defined business and regulatory requirements and supports relevant standards and procedures;
• ensures establishment of acceptable information risks including the agency’s risk appetite;
• ensures impact reduction is implemented through use of control measures, i.e. the agency’s ability to prevent, detect and recover from an incident;
• requires regular monitoring and reporting of information security issues/events; and
• is regularly communicated across the agency.
The IT security controls to be implemented as a minimum across all agencies are listed below:
• implement mandatory passwords for individuals and passwords that have composition to prevent guessing, e.g. contains numbers and letters;
• maintain a user listing to monitor all login IDs (active and inactive);
• implement procedures to revoke access to the IT network and deactivate login IDs for terminations;
• ensure user access rights are restricted to those processing functions and data files required for the users’ normal duties and to enforce an appropriate level of segregation of duties;
• ensure network servers are protected from hazardous operations, and fire detection and extinguishing equipment are nearby;
• ensure operations personnel restrict and monitor visitor access to terminals;
• ensure IT equipment is physically tagged, inventoried periodically, and reconciled to the general ledger; and
• ensure software licenses are current, compliant and updated with relevant security patches.
Good practice IT security
There are a number of elements to an IT security framework that take into account physical, logical, environmental and technological issues. The following checklist outlines the elements within an IT security framework that should be considered for good practice.

Examples of potential IT security elements
Logical security
• automatic disabling of access and logon after:
– a prescribed number of logon failures (usually three); and
– a set period of inactivity (usually two months).
• revoke logon access upon employee termination or relocation;
• user access rights are restricted to processing functions and data files required for the users’ normal duties;
• approval required for changes to user access rights; proof of approval is retained for audit trail requirements;
• regular review of user access rights for propriety to ensure they are in line with position requirements etc. (e.g. biannual review); and
• individual password controls requiring:
– minimum length (generally between six and eight characters);
– password composition designed to prevent guessing (for example alpha and numeric characters);
– maximum three attempts before lockout;
– minimum 12 previous passwords stored; and
– intruder lockout set at 120 minutes.
Considered: [ ]
Physical security
• physical security perimeters are clearly defined;
• regular review of access to sensitive areas, ensuring access is revoked when no longer required;
• physical security controls are typically:
– operations personnel restrict and monitor visitor access to areas containing sensitive information or assets;
– computer equipment is physically tagged, inventoried periodically, and reconciled to the general ledger;
– commercial software on computers and PCs is licensed;
– servers are stored in secure cabinets; and
– access to the computer room is restricted at all times (e.g. lock and key).
• regular testing of physical security controls (alarms, locks etc.).
Considered: [ ]
Environmental security
Typical environmental controls for IT server rooms include:
• uninterruptible power supply;
• raised floors;
• air-conditioning that is separate to the building and ensures constancy; and
• fire suppression system.
Considered: [ ]
Cryptographic controls
• encryption of sensitive information while it is stored/at rest or being transmitted over open or public networks.
Considered: [ ]
Vulnerability management
• installation of anti-virus programs to protect sensitive information and programs and prevent, detect and remove malicious programs;
• sensitive information systems are regularly checked for compliance with security implementation standards, e.g. through penetration testing;
• regular review to ensure security patches are installed and up to date; and
• logging and active monitoring of security events.
Considered: [ ]
For further guidance on information security refer to:
• Information Systems Audit and Control Association (www.isaca.org.au).
• Standards Australia – Security Risk Management documentation.
• The Department of Treasury and Finance website (www.dtf.vic.gov.au).
• Best management practices (www.best-management-practice.com).
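Several of the minimum controls and logical security items above (a user listing of active and inactive login IDs, automatic disabling after three logon failures or two months of inactivity, deactivation on termination, access limited to normal duties with segregation of duties, and the individual password control parameters) can be checked mechanically against an exported user listing and the system's password settings. The following Python review script is an added example and is not part of the guide; the role-to-entitlement matrix, the sample user listing and the weak and corrected settings are constructed, and the eight-character minimum is an assumption within the six-to-eight range the checklist gives.

```python
"""Review a user listing and password settings against the logical security checklist."""
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated in the checklist above.
MAX_LOGON_FAILURES = 3                  # automatic disabling after three logon failures
INACTIVITY_LIMIT = timedelta(days=61)   # "a set period of inactivity (usually two months)"

# Baseline for individual password controls as (comparison, required value):
# "min" = setting must be at least the value, "max" = at most, "eq" = equal.
PASSWORD_BASELINE = {
    "min_length": ("min", 8),                # guide says six to eight; eight is assumed here
    "alpha_and_numeric": ("eq", True),       # composition designed to prevent guessing
    "attempts_before_lockout": ("max", 3),
    "previous_passwords_stored": ("min", 12),
    "lockout_minutes": ("min", 120),
}

# Assumed role-to-entitlement matrix and conflicting duty pairs for a small
# accounts-payable function (constructed for this example, not from the guide).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"enter_invoice"},
    "ap_supervisor": {"approve_payment"},
    "finance_manager": {"approve_payment", "view_reports"},
}
CONFLICTING_DUTIES = [({"enter_invoice"}, {"approve_payment"})]


@dataclass(frozen=True)
class UserRecord:
    login_id: str
    employee_status: str    # "current" or "terminated"
    account_status: str     # "active" or "disabled"
    last_logon: date
    failed_logons: int
    role: str
    entitlements: frozenset


def review_user(user, as_of):
    """Return the checklist exceptions for one login ID (empty list if clean)."""
    findings = []
    active = user.account_status == "active"
    if active and user.employee_status == "terminated":
        findings.append("login ID still active after termination")
    if active and user.failed_logons >= MAX_LOGON_FAILURES:
        findings.append(f"{user.failed_logons} logon failures without automatic disabling")
    if active and as_of - user.last_logon > INACTIVITY_LIMIT:
        findings.append(f"inactive since {user.last_logon} and not disabled")
    # Access rights beyond those required for the user's normal duties.
    excess = sorted(user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set()))
    if excess:
        findings.append(f"entitlements beyond role '{user.role}': {', '.join(excess)}")
    # Segregation of duties: one login ID holding both sides of a conflicting pair.
    for first, second in CONFLICTING_DUTIES:
        if user.entitlements & first and user.entitlements & second:
            findings.append("segregation of duties conflict: " + ", ".join(sorted(first | second)))
    return findings


def review_listing(users, as_of):
    """Map each login ID that has at least one exception to its findings."""
    report = {}
    for user in users:
        findings = review_user(user, as_of)
        if findings:
            report[user.login_id] = findings
    return report


def check_password_settings(settings):
    """Return the password settings that fall short of the checklist baseline."""
    deviations = []
    for key, (mode, required) in PASSWORD_BASELINE.items():
        actual = settings.get(key)
        ok = actual is not None and (
            (mode == "min" and actual >= required)
            or (mode == "max" and actual <= required)
            or (mode == "eq" and actual == required))
        if not ok:
            deviations.append(f"{key}: {actual!r} (required {mode} {required!r})")
    return deviations


# Constructed sample listing and settings, as a reviewer might export them from the system.
AS_OF = date(2013, 8, 31)
SAMPLE_USERS = [
    UserRecord("jsmith", "current", "active", date(2013, 8, 26), 0, "ap_clerk", frozenset({"enter_invoice"})),
    UserRecord("bjones", "terminated", "active", date(2013, 7, 22), 0, "ap_clerk", frozenset({"enter_invoice"})),
    UserRecord("kwong", "current", "active", date(2013, 6, 1), 0, "finance_manager",
               frozenset({"approve_payment", "view_reports"})),
    UserRecord("rlee", "current", "active", date(2013, 8, 29), 4, "ap_supervisor", frozenset({"approve_payment"})),
    UserRecord("mpatel", "current", "active", date(2013, 8, 30), 0, "ap_clerk",
               frozenset({"enter_invoice", "approve_payment"})),
    UserRecord("svc_batch", "current", "disabled", date(2013, 1, 15), 0, "ap_clerk", frozenset()),
]
WEAK_SETTINGS = {"min_length": 5, "alpha_and_numeric": False, "attempts_before_lockout": 10,
                 "previous_passwords_stored": 3, "lockout_minutes": 15}
CORRECTED_SETTINGS = {"min_length": 8, "alpha_and_numeric": True, "attempts_before_lockout": 3,
                      "previous_passwords_stored": 12, "lockout_minutes": 120}
```

Calling review_listing(SAMPLE_USERS, AS_OF) returns exceptions for four of the six sample login IDs, and check_password_settings(WEAK_SETTINGS) reports all five baseline deviations while the corrected settings report none.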
User guide to Standing Direction 3.2.4
Direction requirement 19
Development
Introduction
The Standing Directions of the Minister for Finance (the Directions) require the CFAO of an agency to regularly review developments in financial management systems to ensure appropriate technological support for financial management practices.
The specific requirements include:
• implementation of a formal methodology for information technology (IT) development in relation to financial management systems and technology;
• developments to IT systems impacting financial management:
– must have a business case approved by the IT steering committee (or Responsible Body or Executive Team) and end user representatives prior to project commencement; and
– must follow project management practices.
Note: see user guide for Direction 3.2.1 IT management for further information about IT steering committees.
• annual review of manual financial processes including the use of spreadsheets to assess whether automated systems are available.
Note: see user guide for Direction 3.2.1 IT management for further information about manual processes and spreadsheets.
This supplementary material outlines guidance in relation to:
• IT development methodology;
• key steps within an IT development methodology; and
• project management:
– project scope;
– project governance;
– project steering committee; and
– project stages.
IT development methodology
Potential steps for an IT development methodology are outlined in the diagram below with
further detail for each step provided in the form of checklists.
This methodology can be used for IT development projects across all functions within an
agency. The requirements of the Financial Management Compliance Framework (FMCF),
however, solely focus on information technology operations that support financial
management.
1. Design
a. initiate and plan
b. specify and design
2. Develop
a. build
b. integration testing
3. Deliver
a. implement
b. operate
Packaged/off-the-shelf products
Where an off-the-shelf product is being implemented, agencies should follow the three phases of the IT development methodology to ensure the chosen product:
• fits requirements as defined in the design phase;
• is modified and integrated as defined in the develop phase, e.g. developing reports and customising terminology, structure, etc.; and
• is implemented and operational as per the delivery phase.
It is recommended that customisations for off-the-shelf products are kept to a minimum to ensure the integrity of the product is maintained.
Key steps within an IT development methodology
The following table outlines the key steps in an IT development methodology which should be considered.

1. Design
1.a Initiate and plan
• Identify business requirement.
• Define project requirements/scope.
• Develop business case* for IT Steering Committee (or Responsible Body) approval, as per Direction requirements, outlining:
– cost benefit analysis (see user guide for Direction 3.1.5 Outsourcing for a detailed checklist);
– approach for the development;
– defined measures for the development;
– proposed budget; and
– key risks and migration strategies (for more detail see user guide for Direction 3.1.5 Outsourcing, Step 1.8).
• Establish the project (for more detail see user guide for Direction 3.1.5 Outsourcing, Step 1.9):
– implement project management practices as per Direction requirement; and
– establish project steering committee (see ‘Steering Committee’ below for further detail).
• Secure and plan resources for the project.
• Define security requirements, i.e. the impact of the development on the existing security environment.
1.b Specify and design
• Analyse requirements and develop detailed functional specifications that include user needs analysis.
• Develop detailed systems design document outlining how functionality is to be delivered.
• Design testing requirements/cases/procedures based on specifications.
• Finalise and formalise approvals (with IT steering committee, project committee, etc.) for all relevant project documentation including specifications and contracts.
2. Develop
2.a Build
• Produce hardware and executable software based on specifications, e.g. databases, coding, programs compiled and refined, systems acquired and installed.
• Develop environment for testing.
• Conduct initial testing of software and hardware as it is assembled and integrated.
2.b Integration testing
• Complete testing of requirements using test data in the test environment to ensure conformance with detailed functional specifications.
• Complete User Acceptance Testing (UAT) to ensure the specification, privacy, security and other mandated requirements are met.
3. Deliver
3.a Implement
• Resolve test issues.
• Sign-off of test results and issue resolutions prior to ‘go-live’.
• Install the system for operation in the production environment:
– sign-off data migration/conversion;
– user groups are installed with segregated duties.
3.b Operate
• System is operational.
• Finalise system documentation:
– procedures to operate and maintain system;
– user guides/manuals.
• Conduct post-implementation review after the production environment has stabilised using key metrics to measure impact and success.
• Monitor system continued performance in accordance with user requirements.
• Incorporate system modifications as/when required.
Project management processes
Project management is the combination of resources, tools and processes used to manage a
project successfully.
Project scope
Projects vary in size and complexity and involve change that affects a combination of areas within an organisation, e.g. people, policies, technology, structure and work practices.
Projects have:
• a finite and defined life span;
• defined and measurable deliverables;
• a corresponding set of activities to achieve the required outcome;
• a defined amount of resources; and
• a governance structure to manage the project, e.g. project manager, working group, project board/steering committee.
Project governance
Well defined and implemented project governance assists a successful outcome for a project.
Project governance structures are used to:
• resolve issues that arise;
• consider recommendations on project deliverables;
• agree/approve changes to a project's scope, timelines or budget; and
• ensure the documentation trail for the project is maintained, e.g. approvals, changes, etc.
Without a rigorous approach to governance, projects can experience scope creep, poorly defined requirements, and timeline and budget overruns.
Project steering committee
When defining the governance structure for a project, an agency may decide to establish a project steering committee for projects of a particular size and/or complexity.
The project steering committee would work with the IT steering committee and other parts of the governance structure such as the executive team and Responsible Body.
Substantial consultation with all parts of the governance structure usually occurs at the beginning of a project and then declines once the project is underway; even so, the governance structures remain active throughout the project's life.
The project steering committee should:
• have a clear and well defined role that is formalised/documented in the form of a charter or terms of reference;
• meet at least every two months;
• approve the business case and project initiation and project close phases;
Note: The business case should also be approved by the IT Steering Committee for IT development projects.
• approve the request for tender and tender decision;
Note: The tender decision should also be approved by the Responsible Body and/or relevant delegate.
• monitor the project’s progression as well as any changes (within approved delegations);
• provide direction and resolution of issues and risks;
• provide advice, updates and referrals (as required) to the Responsible Body or relevant delegate;
• communicate project outcomes, benefits, changes, etc.; and
• facilitate change management programs required as a result of the project.
Project stages
Agencies should have project management methodologies that are specific to their
organisation as required by Direction 3.2.4(d). The checklist below can be used as a high
level guide to project management across the four phases of a project.
Potential project management steps to consider during a project (tick "Considered?" for each item)
Phase A: Initiation
[ ] Is the project scoped and defined?
[ ] Has the business case been developed?
Note: consider financial implications in relation to the objective and need for the project.
[ ] Is the project in line with the strategic plan?
[ ] Has the project received sign off by sponsor, IT steering committee, Responsible Body or delegate, etc?
Phase B: Planning
[ ] Are governance structures/levels of authority for the project clear?
[ ] Are roles/resources appropriate, explicit and documented?
[ ] Has the project steering committee been appointed?
[ ] Have risks been assessed with an action to mitigate/monitor them?
[ ] Has an implementation plan with schedules and phases been developed?
[ ] Have the project quality/cost/time drivers been identified?
[ ] Have clear project control/reporting procedures been established?
[ ] Are tools to manage the project being used, e.g. monitor milestones using Gantt charts?
[ ] Has the critical path for the project been identified?
[ ] Has an overall project budget been set up and approved?
[ ] Have outsourced services been identified/approved/appointed?
[ ] Are financial milestones included in payment terms and conditions?
[ ] Is there a communications plan that is included in the project plan/Gantt charts?
[ ] Is risk analysis conducted and reported throughout the project?
Phase C: Implementation
[ ] Have appropriate controls been identified to monitor project implementation and delivery?
[ ] Are there regular meetings of the project steering committee to monitor progress, discuss risks, changes, etc?
[ ] Are project reporting requirements being met and managed, e.g. status reporting for contract, timelines, deliverables?
[ ] Are project costs tracked and monitored through detailed cost estimates and expenditure reporting, with deviations reported and additional expenditure approved?
[ ] Is there a clear procedure for managing and approving change and/or variations (to scope, timelines, contracts, milestones, etc.)?
[ ] Is the planned versus actual schedule current/reported/monitored?
[ ] Is there agreement on the level of tolerance?
[ ] Is the executive, Responsible Body or delegate periodically updated on progress?
Phase D: Closure and review
[ ] Have all products been completed and delivered?
[ ] Have the communications, change and training programs been implemented?
[ ] Has the project review been completed including assessment of:
– overall outcomes vs initial objectives?
– financial outcomes in relation to the initial/revised budget?
– intended benefits?
– the learnings?
[ ] Where relevant, is there a case for abandoning the project, where it is off schedule or has not been fully delivered?
[ ] Has formal approval to close the project been obtained from the project steering committee following tabling of the project review report?
User guide to Standing Direction 3.2.5
Direction requirement 20
Change control
Supplementary material in relation to change control
Introduction
The Standing Directions of the Minister for Finance (the Directions) require authorisation to be obtained for changes made to financial management systems. The Directions also require changes to be implemented in a controlled manner through a change control and management process to ensure the integrity of financial management data is maintained (Direction 3.2.5, Direction requirement 20).
A ‘change control’ process is required to ensure major impacts of a proposed change can be identified and adequately managed while designing and implementing the changes required.
Benefits of change control
The benefits of change control include:
• improved oversight and communication of changes to be implemented;
• increased certainty that only changes that will benefit agency business will be approved and implemented;
• assurance that business priority, infrastructure impact and project risk of proposed changes are considered prior to implementation;
• improved ability to move back to the previous environment in case of change failure or unanticipated results; and
• streamlining and efficiency of change implementation including minimisation of disruptions to ongoing services.
Key aspects of a change control process
All aspects of changes to the IT environment should be controlled including the initial
proposal/submission for the change, analysis, decision making, approval and
implementation of any changes as well as documentation to ensure appropriate recording
of the change.
The key aspects of a change control process are outlined below:
1. Change requirements and approval
Change requirements are clearly defined and approved by management.
2. Project management
Consider project team structure, communication between dependent parties, level of involvement and commitment from senior management, proper reporting and escalation of project issues, and the post implementation support model.
3. Project monitoring
Consider deadlines, milestones, resources, activities, monitoring costs against budget and monitoring status of progress against milestones.
4. Risk/issue management
Potential impacts, including security impacts, of changes have been assessed, and processes exist to capture and escalate project issues, risk mitigation plans, ensuring that people with appropriate authority can resolve issues, and contingency planning.
5. Process requirements
New processes are defined (system design documentation) and approved by process owners, with sufficient training provided to the majority base of users.
6. Segregation of duties
Duties are segregated between users who develop changes and users who test and promote changes to the production environment.
7. Testing
Testing procedures exist around development, regression and user acceptance tests, data conversion activities, etc.
8. Fall back procedures
Procedures exist, including defined responsibilities, for aborting/recovering from unsuccessful changes.
9. Sign off
Sign-off for ‘Go Live’ (migration to the production environment) based on agreed acceptance criteria has been provided and is appropriately controlled.
User guide to Standing Direction 3.3
Direction requirement 21
Education and training
Introduction
It is a requirement of the Standing Directions of the Minister for Finance to review, at least
annually, the education and training needs for financial management staff within a public
sector agency (Direction 3.3).
The Direction also states that a program for the identified needs should be developed.
This supplementary material outlines a checklist of areas to consider to fulfil the
requirements of this Direction.
Specifically, the checklist includes consideration of an agency’s:
• overall approach to education and training;
• organisation of training/education for staff; and
• post training activities.
Education and training checks (tick "Included" for each item)
Overall approach
[ ] Is there an education and training strategy implemented across the agency that includes all sites and business units?
[ ] Are there policies and procedures in place for the application and approval of education and training for staff?
[ ] Are there links between the identification of training needs and position requirements/competencies?
[ ] Does management discuss training and education opportunities and requirements with each staff member as part of their annual review process?
Are outcomes of the annual review discussion in relation to training reflected in:
[ ] individual performance plans?
[ ] business unit/division plans?
[ ] agency wide training plans/program?
[ ] Is there an education and training program for the agency that is aligned to the overall strategy and supports identified training needs of individuals?
[ ] Are specific training requirements considered/reflected in the annual budget process?
Organising training
[ ] Have workloads and skill requirements been considered in the preparation and timing of training courses?
[ ] Does the education/training cover training needs that have been identified?
Post training activities
[ ] Are details of staff education and training documented and recorded centrally/by business unit/on personnel records?
[ ] Are the training strategy and individual programs regularly reviewed (including the assessment of whether training should be delivered in-house or externally)?
User guide to Standing Directions 3.1.3 and 3.4
Direction requirement 12
Policies and procedures
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
establish and maintain documented policies and procedures in relation to financial
administration and management under Direction 3.1.3.
The specific policies and procedures required are outlined in Direction 3.4.
In addition, the Directions require agencies to:
• communicate policies and procedures to staff; and
• adopt quality assurance mechanisms to monitor, review and assess compliance with policies and procedures.
The table below outlines the required policies and procedures and indicates whether example internal control checklists are included in this material:

Direction | Financial management element requiring policy and procedure | Internal control checklist available
----------|-------------------------------------------------------------|-------------------------------------
3.4.1     | Revenue                                                     | Yes
3.4.2     | Cash handling                                               | Yes
3.4.3     | Bank accounts                                               |
3.4.4     | Cash flow forecasting                                       |
3.4.5     | Procurement                                                 |
3.4.6     | Expenditure                                                 | Yes
3.4.7     | Employee costs                                              |
3.4.8     | Commission on employee payroll deductions                   |
3.4.9     | Physical and intangible assets                              | Yes
3.4.10    | Liabilities                                                 |
3.4.11    | Reconciliations                                             |
3.4.12    | Administration of discretionary financial benefits          |
3.4.13    | Information collection and management                       |
This material outlines detail in relation to:
• the definition of policy and procedure;
• authorisations and approvals;
• maintenance, monitoring and access;
• content;
• internal controls; and
• example internal control checklists for:
– revenue;
– cash handling;
– expenditure; and
– physical and intangible assets.
Definitions
Definition of policy
Policies are principles, rules or guidelines that regulate and direct actions and activities.
They are formulated and adopted to ensure good governance, compliance and fulfilment of
organisational goals.
Definition of procedure
Procedures outline the specifics of day-to-day operations of the organisation, explaining how policies will be implemented and by whom.
They are specific, factual, succinct and to the point. Well-developed procedures identify and define controls within a process, e.g. authorisation requirements for payments.
Procedures generally refer to the process rather than the result.
Together, policies and procedures contribute to good governance and fulfilment of the
Responsible Body’s directions/instructions.
Authorisations and approvals
Policies are approved at an executive level and should be ratified by the Board/Responsible
Body or relevant delegate, e.g. audit committee.
Procedures should be ratified by the CFAO.
Content
The guideline to Direction 3.1.3 suggests that policies and procedures for financial
administration and management should incorporate:
 the legislation under which the agency operates;
 the financial management structure of the agency;
 the agency’s chart of accounts;
 policy and procedure details for the areas of financial management covered in
Direction 3.4, including use of information technology related to financial matters, where
appropriate;
 standard forms to be used in financial management;
 a list of exemptions obtained from the Minister for Finance and all relevant supporting
documentation;
 Accounting Standard Pronouncements of the Australian Accounting Standards
Board; and
 conflict of interest details.
Maintenance, monitoring and access
Systems for the maintenance and monitoring of policies and procedures should be
implemented to ensure they are regularly reviewed and updated to reflect requirements.
Monitoring activities could be conducted by agency staff as well as internal audit.
Policies and procedures should be reviewed at least every two years. Reviews should be
designed to continuously improve the policies and procedures and reflect changes in the
business/operations, technologies and best practice trends in financial management.
Attachment 1
Template for a Business Continuity and Disaster Recovery Plan
Review triggers
The following is a list of circumstances that could trigger a review (outside of the two year
process) of policies and procedures to ensure they are in line with requirements and agency
direction:
 significant change in the underlying business of the agency, e.g. organisational
restructure, merging or alteration of finance structure, changes to staff numbers or the
finance team;
 legislation or regulation introduction/amendment with financial impact (these changes
often impact procedures rather than policies);
 new accounting standards or policies;
 whole of government or departmental change to financial management, e.g.
implementation of shared services; and
 machinery of government change.
Version control
In addition, policies and procedures should clearly outline version control details as well as
role and responsibility information (i.e. who is responsible for the maintenance, review and
implementation of the policy/procedure). Agencies should ensure that only authorised
versions are in use at any point in time.
Access
Policies and procedures should be accessible to staff at all times.
Details of how and where to access the documents should be circulated to staff regularly.
Staff should also be aware of any changes and updates made to policies and procedures.
Internal controls
Internal controls prevent or detect irregularities in financial management processes. Internal
controls can be used to assist with:
 ensuring compliance;
 monitoring activities;
 communication to staff regarding the relevance and significance of the policy and
procedures; and
 the assessment of risks associated with that procedure.
Example checklists for internal controls are outlined below. These controls can be
incorporated into financial management procedures.
Example checklists for internal control activities
The following checklists provide example control objectives and examples of potential
control activities. The material should be used as a guide to assist the agency with internal
control activities.
Revenue (Direction 3.4.1)
Public sector agencies must implement and maintain an effective internal control
framework over revenue transaction processing and management to ensure that revenue is
completely and accurately identified, recorded and collected.
Accounts receivable – invoicing
Example control objective: Sales invoice is generated for every approved provision of
services.
 Invoices are sequentially pre-numbered and accounted for.
 A manual or system check is performed to ensure documents are not missing or
duplicated or fall outside of a specified range of numbers. All rejected, suspense, or
missing items are researched, corrected and re-entered on a timely basis.


Example control objective: Invoices generated represent actual provision of services.
 Sales personnel reconcile control totals of the daily invoices generated with the total
shipments per the shipping system (if applicable).
 A manual or system check is performed to ensure data is not duplicated or falls
outside a specified range of numbers (check can be preventive or detective).
 All rejected, suspense or missing items are investigated, corrected and re-entered on a
timely basis.
Example control objective: Price, amount, and other information on the invoice are
correct.
 Management approval is required for discounts and allowances in excess of
predefined limits.
 Invoicing personnel examine the sales order for evidence of appropriate approval
before input. Invoices that are not approved are placed in a suspense file that is
reviewed by management for clearance on a regular basis.
 Potential system control: System edits exist to validate invoice data input (e.g.
customer name and number, pricing, amounts, other information) against approved
standing data in the sales order system. Invalid data is rejected for re-entry or stored
in a suspense file where it is investigated, corrected and re-entered for completeness.
Example control objective: Duplicate recording of invoices is prevented.
 A manual or system check is performed to ensure invoice numbers are not duplicated
or fall outside a specified range of numbers (check can be preventive or detective).
 All rejected, suspense or missing items are investigated, corrected and re-entered on a
timely basis.
Example control objective: Periodic updates for batch processing are complete and
accurate.
 For invoices that are input into a temporary file before sub-ledger updates, batch
totals are utilised before processing is complete. Input documents are grouped and a
numerical total is calculated (i.e. number of documents, dollar amount, hash totals).
These totals are compared to post input/update reports. All out of balance conditions
are researched and re-entered on a timely basis.
Example control objective: Duties are adequately segregated.
 Appropriate segregation of duties should be maintained over, for example: order
entry, determining credit limits, inventory custody, shipping, invoicing, returns
acceptance, returns approval, credit note approval, cash receipts, cash disbursements,
bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance,
and G/L maintenance functions.
 Exceptions noted are investigated and resolved. If management accepts incompatible
duties, appropriate mitigating controls exist.
Example control objective: Ability to post to the accounting records is restricted to
authorised users.
 Formal approval by application owner is required for access to specific accounting
records.
 Management reviews access rights periodically to ensure only authorised individuals
have access and for segregation of duties. Exceptions noted are investigated and
resolved.
Example control objective: Unauthorised access to the accounting records is prevented
and detected.
 Management investigates and resolves all instances where unauthorised access has
been obtained.
 Potential system control: Access controls such as user IDs and passwords are utilised
and specific to each application.
 Potential system control: Multiple failures to log on invalidate the user ID and are
reported via an exception report. The exception report is reviewed by management on
a regular basis.
Credit notes
Example control objective: Ability to raise credit notes is restricted and subject to
review.
 Credit notes are sequentially numbered and access to physical credit notes restricted.
 Any gap in credit notes sequential numbering is investigated.
 Credit notes are raised and approved by a separate authority within delegation.
 All applications for credit notes are supported by the original invoice and other
relevant information regarding the credit note.
 Credit notes are only raised to correct transactions relating to an incorrect accounts
receivable balance and/or charge.
 Finance personnel regularly review outstanding credit notes.
 Any credit notes linked to a customer's account are applied before a cash payment is
accepted from the customer.
Bad debts
Example control objective: Doubtful debts are accounted for correctly.
 Senior Finance Management regularly review outstanding payments to ensure all
debts are recoverable.
 Management ensure that all outstanding debts over XX days are included in the
provision for doubtful debts.


Example control objective: Ability to write-off bad debts is subject to approval.
 All write-offs are subject to review and approval within delegated authority limits. All
submissions for write-off have supporting documentation.
Cash handling (Direction 3.4.2)
Public sector agencies must implement and maintain an effective internal control
framework over cash handling and banking so that cash from all sources is completely and
accurately identified, banked and recorded in the financial records.
Cash receipting
Example control objective: Cash receipts are accurately recorded and in the proper
period.
 The organisation/department directs all cash receipts to its lockbox(es).
 A summary report and electronic file of receipts is provided by the bank to the agency
on a daily basis.
 Total amount of cash receipts from the bank summary report is recorded as cash and
unapplied accounts receivable.
 The electronic files are provided to the accounts receivable clerk for application to
customer accounts.
 Bank statements are reconciled to cash accounts:
– discrepancies are researched, corrected, and adjusted as necessary on a timely
basis; and
– the reconciliations are reviewed and approved by appropriate management.
Example control objective: Cash receipts relate to sales and are recorded against the
correct customer account.
 Detailed accounts receivable ageing is reviewed monthly and any long outstanding
balances or other unusual balances (i.e. credit balances) are investigated.
 Potential system control: The electronic file of receipts into the lockbox interfaces with
the accounts receivable sub-ledger and applies cash receipts to the debtor accounts
based on a matching of debtor name, number, invoice number, etc:
– unmatched cash receipts are investigated and manually applied.
Example control objective: All cash receipts are input for processing.
 Cash posting personnel reconcile control totals of the cash receipts received for the
day (from lockbox files/reports) with the total of cash receipts applied to customer
accounts.
 All rejected, suspense or missing items are researched, corrected and re-entered on a
timely basis.
Example control objective: Periodic updates for batch processing are complete and
accurate.
 For systems where application of cash is input into a temporary file before sub-ledger
updates, batch totals are utilised before processing is complete:
– input documents are grouped and a numerical total is calculated (i.e. number of
documents, dollar amount, hash totals). These totals are compared to post
input/update reports; and
– all out of balance conditions are researched and re-entered on a timely basis.
Example control objective: Duties are adequately segregated.
 Appropriate segregation of duties is maintained over the following functions: order
entry, determining credit limits, inventory custody, shipping, invoicing, returns
acceptance, returns approval, credit note approval, cash receipts, cash disbursements,
bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance, and
G/L maintenance:
– exceptions noted are investigated and resolved; and
– if management accepts incompatible duties, appropriate mitigating controls exist.
Example control objective: Ability to post to the accounting records is restricted to
authorised users.
 Formal authorisation by application owner is required for access to specific accounting
records:
– management reviews access rights periodically to ensure only authorised
individuals have access and for segregation of duties; and
– exceptions noted are investigated and resolved.
Example control objective: Unauthorised access to the accounting records is prevented
and detected.
 Potential system control: access controls such as user IDs and passwords are utilised
and specific to each application:
– multiple failures to log on invalidate the user ID and are reported via an exception
report; and
– management investigates and resolves all items.
Example control objective: Cash receipts are protected before they are deposited.
 Physical access to cash receipts is limited to the cash receipts personnel prior to
posting to the system:
– incompatible functions and related duties are subject to a regular review by
management; and
– discrepancies and exceptions noted are investigated and resolved.
Petty cash
Example control objective: There is restricted access over petty cash.
 The petty cash box is locked and kept in a secure location.
 No more than two staff members have access to the petty cash fund.


Example control objective: All requests for petty cash are valid and accounted for.
 A limit for individual petty cash requests should be set and should not be exceeded.
 All petty cash requests should be documented on a standard form/petty cash book
detailing date, amount required, reason, and signature of employee requesting petty
cash.
 The finance personnel with access to petty cash review each request for petty cash
and determine if it is appropriate.
 Petty cash payments should not be over $X level and should not be used for payments
that should be made with a purchase order or can be paid via an expense
reimbursement process.
Example control objective: Unauthorised expenditure of petty cash is prevented and
detected.
 Petty cash should be reconciled on a regular basis (e.g. fortnightly).
 Appropriate segregation of duties should be in place so that the reconciliation is
performed by finance personnel who do not have access to the petty cash fund.
 Spot checks are performed on petty cash floats on a regular basis.

Example control objective: Replenishment of petty cash fund should be appropriately
approved.
 Replenishment of the petty cash fund should be done on a regular basis, either when
reconciled or when funds have diminished to below a particular threshold (e.g. x%).
 The replenishment amount should be reviewed and approved by an appropriate
member of finance personnel.

Expenditure (Direction 3.4.6)
Public sector agencies must implement and maintain an effective internal control
framework over expenditure transaction processing and management to ensure that
disbursements (including but not limited to grants, capital expenditure, salaries and wages,
and other recurrent expenditure) are appropriately authorised and incurred in accordance
with business needs, and captured in the financial records.
Invoice processing
Example control objective: Invoices are processed for payment after goods are received.
 When goods/services are received, the finance system is updated to reflect the
receipt.
 All invoices are date stamped and signed by appropriate personnel and forwarded to
the finance department for payment.
 Invoices received by the finance department are reconciled to the accounting system
to ensure the good/service has been received:
– if the invoice is not found in the finance system, it is passed to the receipting
department for authorisation that the good/service has been received prior to
returning the invoice to the finance department for payment.
 Potential system control: appropriate financial limits are established within the
payables function of the finance system.
 Potential system control: an exception report is reviewed to identify instances where
the financial limits established have been overridden when raising purchase
requisition or purchase order. Discrepancies are followed up on a timely basis by
management.
Example control objective: Ability to enter goods receipts is restricted to authorised
users.
 Formal authorisation is required for access to the purchasing module of the system
and key purchasing transactions.
 Management reviews access rights periodically to ensure only authorised individuals
have access and that duties are appropriately segregated.
 Potential system control: Attempts to access the system are prevented if access is not
authorised.
Example control objective: Duties are adequately segregated.
 Purchasing and accounts payable duties are segregated. Incompatible functions and
related duties are subject to a regular review by management. Discrepancies and
exceptions noted are promptly investigated.
 Raising and editing of purchase requisitions or purchase orders is restricted to
authorised users.
 Potential system control: Users with access to the purchasing module do not have
access to the vendor maintenance, goods receipts, accounts payable and processing
disbursements functions within the system.
Example control objective: All invoices received are input for processing.
 Accounts payable personnel reconcile daily batch totals of the invoices entered with a
post input report of invoices entered into the Accounts Payable system.
 All non-reconciling items are investigated, corrected and re-entered on a timely basis.
Batch totalling is completed for the re-entered data.
 Long-standing purchase orders are reviewed and purged from the system if no longer
current.
Example control objective: Invoices are input for processing correctly.
Potential system controls:
 system edits ensure vendors, quantities, price, extensions, payment terms (including
available discounts), supplier name and code, GST Classification, purchase order
reference and accuracy of the account distribution are agreed between the invoice,
receiving report and purchase order.
 items that do not match are researched, corrected and re-entered prior to approving
the invoice for payment.
 duplicate invoice numbers are not permitted.
 incorrect entry of price, quantity, amounts, vendor or general account numbers is
prevented or detected; and mismatched purchase orders or receiving reports are
investigated and resolved.
Example control objective: Expenditure is allocated to the correct cost centre.
 Accounts payable officers check the cost centre coding per the accounting system (or
stamped to the invoice if applicable) to the nature of the good/service per the invoice
and the delivery details:
– any overrides to cost centre coding are checked on a regular basis by the accounts
payable supervisor.
Example control objective: Periodic updates for batch processing are complete and
accurate.
 For systems where invoices are input into a temporary file, batch totals are utilised
before processing of invoices is complete. Input documents are grouped and a
numerical total is calculated (i.e. number of documents, dollar amount, hash totals).
These totals are compared to post input/update reports:
– all non-reconciling items are researched and re-entered on a timely basis.
Example control objective: Duplicate recording of invoices is prevented.
 Invoices and supporting documents are stamped as ‘entered’ to prevent re-submission
for payment.
 Potential system control: Once a purchase order is matched to an invoice, the system
identifies the purchase order as 'closed'. Closed purchase orders cannot be selected
again for matching.
Example control objective: Routine services (e.g. rent, utilities) are recorded.
 A process exists to capture recurring costs on a monthly basis. For example, the
accounts payable group maintains an Excel spreadsheet of normal recurring bills. When an
invoice is received for a recurring bill or open purchase order, accounts payable checks
it against the spreadsheet to ensure the amount has not already been processed, the
invoice matches the list of normal recurring bills, and the amount is not outside the
expected dollar range.
Example control objective: Payments against capital expenditure are recorded.
 When invoices are received in relation to capital expenditure projects (which may not
have a corresponding purchase order) a designated project accountant/manager is
responsible for monitoring these costs and signing invoices for approving payment:
– frequent monitoring of expenditure against budget/approved capital expenditure
plan should be performed by an independent person (e.g. fixed assets manager).
Example control objective: Postings to expense and/or inventory in the general ledger
are complete, accurate and valid.
 A monthly report is generated that lists receipts for which a supplier invoice has not
been received. This report is utilised by accounts payable to accrue for these
materials/services in the month of their receipt.
 Procedures exist to ensure that period end reconciliation of the accounts payable
ledger to the general ledger and cut-off errors are corrected on a timely basis:
– accounts payable suspense accounts are included in the period end reconciliation
process.
Example control objective: Duties and taxes on purchases are accounted for correctly.
 Tax components in an invoice are compared with the tax estimate in the purchase
order. Significant variances are reviewed.
Example control objective: Data input for invoicing is restricted to authorised users.
 Accounts payable personnel who are responsible for updating invoice information
should be different to those who sign cheques.
 Potential system control: attempts to access the finance system are prevented if
access isn’t authorised.
Example control objective: Duties over invoice processing are adequately segregated.
Fraudulent invoices cannot be created.
 Invoice processing is restricted to authorised users independent from vendor
maintenance, goods receipts, and processing disbursements.
 Incompatible functions and related duties are subject to a regular review by
management. Discrepancies and exceptions noted are promptly investigated.
Payments
Example control objective: Disbursements are input for processing in a complete
manner.
 An accounts payable aging report is reviewed periodically to ensure payments have
been recorded.
Example control objective: Disbursement is for the correct invoice.
 Payments are not made on invoices that have not been matched to a receiving report
and purchase order. This may be a manual or a system control.
 Potential system control: The system may be configured to allow payments that have
not been matched. Appropriate segregation of duties must be in place over who can
alter and override those configurations.
Example control objective: Disbursement is to the correct payee and vendor.
 Statements received from suppliers are reconciled to the supplier’s accounts in the
accounts payable sub ledger regularly and differences are investigated.
 Potential system control: Payee name and address are automatically extracted from
the vendor master file.
Example control objective: Disbursement input is for the correct amount.
 Any differences between the payment amount and the invoice amount are
automatically put into a suspense file. Management must clear items in the suspense
file on a timely basis.
 Payment amount information is automatically input from the invoice matching
process.
Example control objective: Payments in foreign currency are accurately calculated.
 Potential system control: All payments in foreign currencies are flagged by the system
and foreign currency translation is calculated offline by an accounts payable clerk and
reviewed by the accounts payable manager.
Example control objective: Disbursement input is in the proper period.
 Potential system control: The system does not allow for differences between the
payment date and the date of the cheque. Management approval is required for any
override of this control.
Example control objective: Correct postings are made to the purchase ledger control
account and cash in the general ledger.
 The total of cheques issued is reconciled with the updates to the accounts payable
sub-ledger and cash account. Reconciling items are researched and corrected as
necessary.
 A list of outstanding purchase orders for which ownership of goods is transferred prior
to delivery is prepared for accrual purposes. Management reviews and approves the
listing.
 Potential system control: The system updates the corresponding cash and accounts
payable accounts as of the cheque run date. Reconciliations are performed to ensure
transactions are posted correctly.
Example control objective: Purchase discounts are accurately calculated and recorded.
 Potential system control: The system is configured to calculate applicable discounts
per management policy. If the discount policy can be overridden, monitoring
procedures exist for detection and resolution of any system overrides.
Example control objective: Signed cheques are mailed out promptly to the correct
payee.
 Bank reconciliations are performed to check for old reconciling items. Exceptions are
investigated and corrected as necessary.
 An accounts payable aging report is reviewed periodically to ensure payments have
been recorded.
Example control objective: Missing, duplicate or long outstanding cheques are
investigated.
 When a payment is made in the system a reference is made to a specific invoice and
the system does not allow the payment to be made again:
– accounts payable staff adopt a consistent approach to entering invoice/supplier
details to ensure no invoices are duplicated for payment; and
– only original invoices are accepted for processing payments in the accounting
system.
 Cheques outstanding >30 days are reviewed and resolved on a monthly basis.
 All cheques are issued in sequential order.
 Bank reconciliations are performed on a regular basis to determine outstanding
cheques and reconciling items. Exceptions are investigated and corrected as
necessary.
Example control objective: Periodic updates for batch processing are complete and
accurate.
 Input documents are grouped and a numerical total is calculated (i.e. number of
documents, dollar amount, hash totals).
 These totals are compared to post input/update reports. All out of balance conditions
are researched and re-entered on a timely basis.
 Potential system control: For systems where disbursements are input into a temporary
file, batch totals are utilised before processing of payments is complete.
Example control objective: Cash and electronic funds payments are approved.
 The release of cheques for printing and signing or release of electronic funds is
approved by personnel separate from those who enter and match invoices.
 Appropriate authority limits are established for approvals.
Example control objective: Electronic funds transfers are controlled.
 One-off and initial standing wire transfer requests are accompanied by appropriate
supporting documentation.
 Only authorised treasury personnel can initiate wire transfers. Bank call-back
verification procedures are in place:
– potential system control: electronic fund transfers require dual authorisation.
 All bank accounts are reconciled on a timely basis and all wire transfer activity
accounted for.
Example control objective: Duplicate payments are prevented.
 Potential system control: The system does not allow an invoice to be paid twice.
Example control objective: Payments made are for goods or services actually ordered or
rendered and received.
 Payments can only be made from 'closed' invoices. Invoices are closed after matching
to a receiving report and purchase order.
Example control objective: Urgent payment requests are approved.
 Requests for manual cheques are supported by purchase agreements, receiving
reports, original invoices, or other documentation that indicates the purpose of the
expenditure:
– the cheque request amount is compared to the initiator's or approver's maximum
delegation amount to determine if a second signature is required; and
– cheques in excess of established dollar amounts (or equivalent) are forwarded to a
second designated cheque signatory for approval with supporting documentation.
Example control objective: Access to unissued cheques and cheque signing machines is
restricted.
 Duties over the release of cheques for printing and signing are segregated from those
of entering and matching invoices for approval.
 Unused cheques are kept in a locked location.
 Mechanical cheque signers and signature plates are safeguarded.
 Access to cheque signing privileges is limited to a minimum number of people.
– Multiple signatures are required for cheques over a certain amount.
 Cheque stock is sequentially pre-numbered:
– sequential cheque numbers are reviewed and reconciled on a regular basis. Any
missing cheque numbers are researched immediately; and
– cheque runs are reviewed for any inaccurate, spoiled or illegible cheques.
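The sequential-number check named in the revenue checklist for invoices and credit notes and again here for cheque stock is one control: every authorised number must be accounted for exactly once, and nothing outside the authorised stock may appear. The following added example, not from the user guide, runs it over a constructed cheque register extract; the register layout, the authorised stock range 1001 to 1050 and the treatment of VOID entries as accounted-for spoiled cheques are assumptions.

```python
"""Sequential-number control over pre-numbered documents. Added example;
the register extract and stock range are constructed."""
from __future__ import annotations

from collections import Counter

# Constructed cheque register extract: cheque number, date, payee, amount.
# A VOID entry is a spoiled cheque that was cancelled, so it is still
# accounted for and is not reported as a gap.
CHEQUE_REGISTER = """\
1001 2013-08-01 ACME Pty Ltd 1250.00
1002 2013-08-01 Smith and Co 300.00
1003 2013-08-02 VOID
1005 2013-08-02 Jones Traders 875.50
1005 2013-08-02 Jones Traders 875.50
1007 2013-08-03 Brown Ltd 60.00
1100 2013-08-03 Green Ltd 42.00
"""


def document_numbers(register: str) -> list[int]:
    """Pull the leading document number from each non-empty register line."""
    return [int(line.split()[0]) for line in register.splitlines() if line.strip()]


def sequence_exceptions(numbers, first: int, last: int) -> dict:
    """Report on numbers issued from stock authorised as first..last inclusive.

    duplicates:   numbers used more than once (a re-used or copied document)
    gaps:         authorised numbers never issued, below the highest issued
    out_of_range: numbers outside the authorised stock (not ours, or altered)
    unused_stock: authorised numbers above the highest issued; this figure
                  should agree with the physical count of unissued stock
    """
    counts = Counter(numbers)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    out_of_range = sorted(n for n in counts if n < first or n > last)
    seen = {n for n in counts if first <= n <= last}
    high = max(seen) if seen else first - 1
    gaps = [n for n in range(first, high + 1) if n not in seen]
    return {
        "duplicates": duplicates,
        "gaps": gaps,
        "out_of_range": out_of_range,
        "unused_stock": last - high,
    }


def cheque_register_review() -> dict:
    """Run the control over the constructed register for stock 1001..1050."""
    return sequence_exceptions(document_numbers(CHEQUE_REGISTER), 1001, 1050)
```

Each exception class maps to a different follow-up: a gap is researched against the physical stock and the spoiled-cheque file, a duplicate against the bank statement for a double presentation, and an out-of-range number against the stock register to establish where the form came from.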
Example control objective: Input and generation of payments is restricted to authorised
users.
 Attempts to access the system are prevented if access isn’t authorised.

Example control objective: Duties are adequately segregated.
 Access to process disbursements is segregated from vendor maintenance, purchasing,
goods receipts, and accounts payable.
 Incompatible functions and related duties are subject to a regular review by
management. Discrepancies and exceptions noted are promptly investigated.
Masterfile changes to accounts payable
Example control objective: Approved changes are input for processing completely and
accurately.
 An appropriate officer approves changes to standing data prior to input. Each change
must be supported by sufficient documentation.
 A one-to-one check of changes input into the system is completed via a comparison
between post input/update reports to the change source documents for completeness
and accuracy. Discrepancies are resolved and the re-entered data is subject to the
same control.
 To ensure that data remains accurate, the standing data owners complete a regular
review. Any changes noted by the owners are entered via the standard standing data
change process.
 Potential system control: For changes to certain types of standing data and/or changes
outside certain parameters, the system produces a report of these changes which is
forwarded to management for review. Acceptance of these changes by the system is
dependent upon management review of supporting documentation and approval.
Example control objective: Periodic updates to standing data via batch processing are
complete and accurate.
 Where batch totals are utilised, input documents are grouped and a numerical total is
calculated (i.e. number of documents, dollar amount, hash totals). These totals are
compared to post input/update reports.
 All out of balance conditions are investigated and re-entered on a timely basis.
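Batch control totals appear in the checklists for revenue, cash receipting, invoice processing, payments and standing-data changes above. This added example, not code from the user guide, computes the three totals named there (document count, dollar amount and hash total) over a batch header and the post input/update report, and shows what each catches; the batch layout and the invoice numbers and amounts are constructed.

```python
"""Batch control totals and out-of-balance analysis. Added example; the
batches below are constructed."""
from __future__ import annotations

from decimal import Decimal


def batch_totals(docs) -> dict:
    """Control totals over (document_number, amount) pairs.

    The hash total is the arithmetic sum of the document numbers. It means
    nothing as a figure, but a substituted or transposed document number
    changes it while leaving count and dollar value untouched.
    """
    docs = list(docs)
    return {
        "count": len(docs),
        "amount": sum((Decimal(a) for _, a in docs), Decimal("0")),
        "hash": sum(n for n, _ in docs),
    }


def out_of_balance(input_batch, post_update_report):
    """Compare batch header totals with the post input/update report.

    Returns None when the batch balances; otherwise the differing totals and
    the documents that are missing, extra or changed in amount, so the items
    can be researched and re-entered rather than the whole batch re-keyed.
    """
    before = batch_totals(input_batch)
    after = batch_totals(post_update_report)
    diffs = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
    if not diffs:
        return None
    keyed_in = {n: Decimal(a) for n, a in input_batch}
    posted = {n: Decimal(a) for n, a in post_update_report}
    return {
        "totals": diffs,
        "missing": sorted(set(keyed_in) - set(posted)),
        "extra": sorted(set(posted) - set(keyed_in)),
        "amount_changed": sorted(
            n for n in keyed_in if n in posted and keyed_in[n] != posted[n]
        ),
    }


# Constructed batch of three AP invoices: (invoice number, amount).
INPUT_BATCH = [(5011, "120.00"), (5012, "75.50"), (5013, "300.00")]


def demo_transposition():
    """5012 keyed as 5021: count and amount still agree, only the hash
    total exposes the error."""
    posted = [(5011, "120.00"), (5021, "75.50"), (5013, "300.00")]
    return out_of_balance(INPUT_BATCH, posted)


def demo_dropped_document():
    """5013 never posted: all three totals disagree."""
    posted = [(5011, "120.00"), (5012, "75.50")]
    return out_of_balance(INPUT_BATCH, posted)
```

The re-entered items go back through the same comparison, as the checklists require, so the control is applied again rather than assumed satisfied by the correction.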
Example control objective: Duties are adequately segregated.
 Segregation of duties is maintained between the update of standing data and the
maintenance of financial records (i.e. posting or approval of adjustments,
reconciliations, etc.). Exceptions noted are investigated and resolved.
 If management accepts incompatible duties, appropriate mitigating controls exist,
such as regular review of system access.
Example control objective: Ability to post to the accounting records is restricted to
authorised users.
 Formal authorisation by the application owner is required for access to specific
accounting records:
– management reviews access rights periodically to ensure only authorised
individuals have access to the accounting system and there is adequate segregation
of duties. Exceptions noted are investigated and resolved.
Example control objective: Unauthorised access to accounting records is prevented and
detected.
 Access controls such as user IDs and passwords are utilised and specific to each
application and user:
– multiple failures to log on invalidate the user ID and are reported via an exception
report. Management investigates and resolves all items on the exception report.
Example control objective: Vendors in the masterfile are current.
 Potential system control: A report of vendors with no purchasing activity for
12 months or more is generated periodically (e.g. quarterly) to ensure that all vendors
in the masterfile are current.
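Added example (not part of the user guide or any agency's system): a Python script that automates two of the review steps from the control objectives above, the segregation of duties review of access rights and the exception report of user IDs invalidated after repeated logon failures. The function names, the access matrix and the log lines are constructed assumptions.

```python
"""Periodic access review for an accounts payable application.

Added example, not from the user guide: it automates the segregation of
duties review of access rights and the exception report of user IDs with
repeated logon failures. The access matrix and log lines are constructed.
"""
from collections import Counter

# Incompatible function pairs as listed in the control objectives above.
# Processing disbursements must be segregated from vendor maintenance,
# purchasing, goods receipt and accounts payable; maintaining standing data
# must be segregated from maintaining the financial records.
INCOMPATIBLE = {
    "process_disbursements": {
        "vendor_maintenance", "purchasing", "goods_receipt", "accounts_payable",
    },
    "vendor_maintenance": {"post_adjustments", "approve_adjustments", "reconcile"},
}

# Constructed access matrix, as it might be exported from the application:
# user ID -> set of functions the user is authorised to perform.
ACCESS_MATRIX = {
    "jsmith": {"purchasing", "goods_receipt"},
    "ahughes": {"vendor_maintenance", "process_disbursements"},
    "mlee": {"accounts_payable"},
    "rpatel": {"vendor_maintenance", "reconcile"},
}

# Constructed authentication log: "<timestamp> <user ID> <SUCCESS|FAILURE>".
AUTH_LOG = """\
2013-08-01T08:01:10 jsmith SUCCESS
2013-08-01T08:02:45 ahughes FAILURE
2013-08-01T08:03:01 ahughes FAILURE
2013-08-01T08:03:20 ahughes FAILURE
2013-08-01T08:03:40 ahughes FAILURE
2013-08-01T08:05:00 mlee FAILURE
2013-08-01T08:05:30 mlee SUCCESS
2013-08-01T09:10:00 rpatel SUCCESS
"""


def sod_conflicts(access):
    """Return {user: [(function, incompatible_function), ...]} for every user
    who holds two functions the policy says must be segregated."""
    conflicts = {}
    for user, functions in access.items():
        pairs = []
        for function, incompatible in INCOMPATIBLE.items():
            if function in functions:
                for other in sorted(functions & incompatible):
                    pairs.append((function, other))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def logon_exception_report(log_text, threshold=3):
    """Walk the log in order and report each user ID whose consecutive logon
    failures reach `threshold` (the point at which the ID is invalidated).
    A successful logon resets the count, so one mistyped password is not
    reported. Returns [(user, timestamp_of_lockout, failures), ...]."""
    consecutive = Counter()
    report = []
    for line in log_text.splitlines():
        timestamp, user, result = line.split()
        if result == "FAILURE":
            consecutive[user] += 1
            if consecutive[user] == threshold:
                report.append((user, timestamp, threshold))
        else:
            consecutive[user] = 0
    return report


def review_summary(access=ACCESS_MATRIX, log_text=AUTH_LOG):
    """Items management must investigate and resolve, as plain text lines."""
    lines = []
    for user, pairs in sod_conflicts(access).items():
        for function, other in pairs:
            lines.append(f"SOD: {user} holds both {function} and {other}")
    for user, timestamp, failures in logon_exception_report(log_text):
        lines.append(
            f"LOCKOUT: {user} invalidated at {timestamp} after {failures} failures"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(review_summary()))
```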
Financial Management Compliance Framework user guide
Updated August 2013
Physical and intangible assets (direction 3.4.9)
Public sector agencies must implement and maintain an effective internal control
framework for asset management to ensure that assets are identified, recorded accurately
and accounted for in accordance with Australian Accounting Standards.
Asset additions
Example control objective: Capital expenditure requests are recorded completely.
 Capital expenditure forms are sequentially pre-numbered and accounted for.
Alternatively, every capital expenditure request is assigned a unique number to
eliminate the risk of duplication:
– a manual or system check is performed to ensure documents are not missing or
duplicated or fall outside a specified range of numbers. All rejected, suspense or
missing items are researched, corrected and re-entered on a timely basis.
 Potential system control: If an automated purchasing system is used, specific
application controls may be embedded in the system.
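Added example (not from the user guide or any purchasing system): the manual or system check described above, in Python, run over a constructed set of capital expenditure request numbers and followed by the re-check of corrected, re-entered items. The form numbers, the authorised range and the function names are constructed assumptions.

```python
"""Completeness check over sequentially pre-numbered capital expenditure
request forms. Added example, not from the user guide; the form numbers and
the authorised range are constructed sample data."""
from collections import Counter

# Constructed batch of capital expenditure request numbers as entered into the
# tracking system; the authorised range for the period is 1001 to 1010.
ENTERED_FORMS = [1001, 1002, 1002, 1004, 1005, 1006, 1007, 1009, 1010, 1015]
RANGE_FIRST, RANGE_LAST = 1001, 1010


def sequence_check(numbers, first, last):
    """Report form numbers that are missing from the authorised range,
    duplicated, or outside it. Each list is sorted so the report is stable."""
    counts = Counter(numbers)
    in_range = set(range(first, last + 1))
    return {
        "missing": sorted(in_range - set(counts)),
        "duplicated": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in in_range),
    }


def is_complete(report):
    """True when no missing, duplicated or out-of-range items remain."""
    return not any(report.values())


def exceptions_to_resolve(numbers, first, last):
    """Flatten the report into (number, reason) items for follow up; each is
    researched, corrected and re-entered, after which the check runs again."""
    report = sequence_check(numbers, first, last)
    return sorted((n, reason) for reason, nums in report.items() for n in nums)


def apply_corrections(numbers, corrections):
    """Re-enter corrected numbers. `corrections` maps the position of a
    mis-keyed entry to the number shown on the source document."""
    corrected = list(numbers)
    for position, number in corrections.items():
        corrected[position] = number
    return corrected


if __name__ == "__main__":
    first_pass = sequence_check(ENTERED_FORMS, RANGE_FIRST, RANGE_LAST)
    print("exceptions:", exceptions_to_resolve(ENTERED_FORMS, RANGE_FIRST, RANGE_LAST))
    # Research shows entry 2 was form 1003 and entry 9 was form 1008 (constructed).
    re_entered = apply_corrections(ENTERED_FORMS, {2: 1003, 9: 1008})
    second_pass = sequence_check(re_entered, RANGE_FIRST, RANGE_LAST)
    print("complete after re-entry:", is_complete(second_pass))
```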
Example control objective: Capital expenditure requests are approved.
 The pre-numbered capital expenditure forms (for both internally constructed assets
and external purchases)/capital expenditure requests are approved by an appropriate
level of management and forwarded to either the internal engineering group or the
purchasing department, respectively:
– all changes to capital expenditure forms require formal approval from management
in accordance with appropriate delegations of authority (see below).
 Established policies and procedures define spending limits and approval procedures
for capital expenditure.
 Potential system control: Approval limits are configured in the system, which allow
authorised users to enter and approve acquisitions within approved limits. These are
systematically applied and attempts to override are prevented.
Example control objective: Approved capital expenditure requests are recorded
accurately.
 Approved capital expenditure forms are input into a capital expenditure request
tracking system or fixed asset/projects sub-ledger:
– a one-to-one check between the entered information and source documentation
occurs for accuracy of key data fields. Any discrepancies are re-entered and subject
to the same control.
Note that ordering, receipt, invoice processing and payments related to capital expenditure
are covered in the Internal Control checklists of Expenditure.
Example control objective: Capital expenditure requests are appropriately updated upon
receipt of asset.
 The finance department performs a monthly review of the open capital expenditure
forms per the capital expenditure request tracking system/fixed assets/project
sub-ledger. Items are researched and resolved as necessary.
 Potential system control: When capital items are received and matched to the
purchase order, the system automatically notifies the appropriate personnel so that
the capital expenditure request tracking system or fixed assets/projects sub-ledger can
be updated.
Example control objective: Fixed asset acquisitions are input accurately and in the
correct period.
 Subsequent to receipt, fixed asset records are updated. A one-for-one check between
the internal and external supporting documents (i.e. invoice) and the fixed asset sub
ledger/fixed asset register occurs. Any discrepancies are identified and re-entered. The
check occurs again for re-entered data.
 The fixed asset manager/appropriate personnel reviews all fixed asset additions and
approves the classification, useful lives, depreciation method, etc.
 Periodically, management reviews acquisition reports and compares to budgets or
other data for reasonableness of acquisitions by category of asset, location or division.
Discrepancies are followed up and corrected as necessary.
Example control objective: Where applicable, the organisation/department holds a valid
title.
 Where applicable, internal legal counsel ensures that the organisation/department
holds legal title to recorded fixed assets.
 Where a physical title is received, it is maintained in a secure location.
Example control objective: Duties and taxes on fixed asset transactions are recorded in
accordance with applicable laws and regulations.
 Periodically, the tax department reviews the tax consequences of fixed asset additions
to determine appropriate treatment.
 Due to complexity, all foreign taxes are reviewed by the tax department.
Example control objective: Interests that can be capitalised on financed capital projects
are recorded completely and accurately.
 All debt and interest expense information is stored in a central repository, including
the purpose of the debt:
– the information used to calculate the capitalisation of interests is reviewed by
management and matched against the repository; and
– discrepancies are identified, investigated and re-entered.
Example control objective: Capitalised interest is recorded in the proper period.
 The finance department generates a report on debt used to finance acquisitions. This
report is reconciled by management to the interest capitalised:
– any discrepancies are identified and re-entered.
 The interest capitalised is compared against a separate approved budget file. Items
that do not match are investigated, corrected and re-entered as necessary on a timely
basis.
 Capitalised interest is approved.
 Significant differences between actual and budgeted capitalised interest are approved.
Example control objective: Capitalisation of payroll cost for services rendered for
construction purposes are recorded completely and accurately.
 Employees charge hours worked on capital projects to specific time codes. Edit checks
lead to the rejection of invalid codes or storage in a suspense file where it is
investigated, corrected and re-entered.
 If applicable, the engineering department provides a report on the involvement of
employees in capital projects. This report is reconciled by management to the
personnel costs capitalised. Any discrepancies are identified and re-entered.
 The payroll costs capitalised are matched against a separate approved budget file.
Items that are not matched are investigated, corrected and re-entered on a timely
basis.
Example control objective: Capitalised payroll is approved.
 Significant differences between actual and budgeted capitalised payroll are approved.
Example control objective: Construction-in-progress is input accurately and in the
correct period.
 There is a one-for-one check between the project status report and the construction in
process sub-ledger. Any discrepancies are identified and re-entered. The check occurs
again for re-entered data.
 Periodically, management reviews the construction in process sub ledger against the
project status reports and budgets to assess the status of projects. Final costs for
completed projects are provided for posting to the fixed asset sub-ledger.
Example control objective: Duties are adequately segregated.
 Adequate segregation of duties exists between the physical custody of assets,
acquisition/disposal approval and finance duties.
Example control objective: Unauthorised input to Fixed Asset sub-ledgers is prevented
and detected.
 Potential system control: Access controls such as user IDs and passwords are utilised
and specific to each application. Multiple failures to log on invalidate the user ID and
are reported via an exception report for investigation by management. Formal
authorisation by the application owner is required for access to the fixed asset
sub-ledgers of the system:
– management reviews access rights periodically to ensure only authorised
individuals have access and for segregation of duties; and
– discrepancies and exceptions are promptly investigated.
Example control objective: Ability to post to the fixed asset sub-ledger is restricted to
authorised users.
 Incompatible functions and related duties are subject to a regular review by
management. Discrepancies and exceptions noted are promptly investigated.
 Potential system control: Attempts to access the system are prevented if access isn’t
authorised.
Depreciation
Example control objective: Information necessary to calculate the depreciation
(e.g. depreciation rates, estimated useful lives) is recorded in the system completely and
accurately.
 The fixed asset sub-ledger utilises a standard form to record all relevant information
for fixed asset additions. Additions are not accepted without information necessary to
compute depreciation.
 Edit checks ensure that the information input to calculate the depreciation is
reasonable.
 Potential system control: Invalid data is rejected for re-entry or stored in a suspense
file where it is investigated, corrected and re-entered on a timely basis.
Example control objective: Property, plant and equipment accounts have an assigned
depreciation rate.
 Useful lives and other information are standardised:
– management reviews system reports on changes to depreciation rates and
methods. Changes not in compliance with policies are identified and corrected.
 Potential system control: Program limits and reasonableness checks identify
deviations from these standards that are investigated and re-entered if appropriate.
Example control objective: Fixed assets are depreciated appropriately.
 Management performs reasonableness tests of depreciation expenses. Results that
are outside an expected range are investigated and corrected as necessary.
Example control objective: Fixed assets are depreciated appropriately and correct
postings are made to accumulated depreciation, depreciation expense and the general
ledger.
 Management reviews periodic reports and compares to budgets or other data for
reasonableness of depreciation charges by category of asset, location or division.
Discrepancies are followed up and corrected as necessary.
Example control objective: Information necessary to calculate the depreciation expense
(e.g. depreciation rates, estimated useful lives) is approved.
 The methods of fixed asset depreciation are formally documented, approved and
consistently applied through manual or system processes.
Assets valuation and stocktakes
Example control objective: All fixed asset accounts are tested for valuation issues on a
timely basis.
 Significant fixed asset accounts are reviewed quarterly by management for
impairment, including an assessment of current and future utilisation.
Example control objective: All damaged or idle fixed assets are assessed for impairment.
 Periodic physical inspections of fixed assets and construction-in-progress are
compared to manually or system recorded data:
– discrepancies are investigated, corrected, and reprocessed as necessary on a timely
basis.
Example control objective: All construction-in-progress projects are assessed for
impairment.
 Appropriate reports are prepared for all construction in progress projects. Regular
on-site meetings are held by management to identify and assess valuation issues.
Example control objective: Appropriate information is used to calculate the impairment.
 The information needed for fixed asset valuation is formally documented in
accordance with policies.
 A one-for-one check between all source documents and information recorded in the
fixed asset sub ledger occurs:
– any discrepancies are identified and re-entered. The check occurs again for
re-entered data.
Example control objective: Valuation calculations/recordings are approved.
 Significant impairments require management approval to be processed:
– on a quarterly basis, management reviews all impairments.
Example control objective: Ability to post to the Fixed Asset sub-ledger is restricted to
authorised users.
 Incompatible functions and related duties are subject to regular review by
management. Discrepancies and exceptions noted are promptly investigated.
 Potential system control: Attempts to access the system are prevented if access is not
authorised.
Asset disposals
Example control objective: All disposals are completely and accurately input for
processing.
 Fixed asset disposal documents are sequentially pre-numbered and accounted for:
– those with custody over fixed assets regularly report the disposals/retirements of
fixed assets under their custody to the finance department using these
pre-numbered forms.
 Periodic physical counts of fixed assets are compared to the fixed asset register.
Differences to the information in the sub ledger/fixed assets ledgers are identified,
investigated and when applicable, the ledger is corrected. Refer to stocktake
procedures above.
Example control objective: Periodic updates for batch processing are appropriately
executed.
 For systems where disposals are input into a temporary file before sub-ledger updates,
batch totals are utilised before processing is complete. Input documents are grouped
and a numerical total is calculated (i.e. number of documents, dollar amount, hash
totals). These totals are compared to post input/update reports. All out of balance
conditions are investigated and re-entered on a timely basis.
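Added example (not from the user guide or any fixed asset system) of the batch total control described here and, earlier, for periodic batch updates to standing data: input documents are grouped into batches, a document count, dollar total and hash total are calculated, and each is compared to the same totals from the post-update report so that out-of-balance batches can be identified for investigation. The disposal documents, the post-update report and the function names are constructed assumptions.

```python
"""Batch total reconciliation for documents input through a temporary file
before the sub-ledger is updated. Added example, not from the user guide; the
disposal documents and the post-update report are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Doc:
    batch: str       # batch the input document was grouped into
    asset_no: int    # asset number; summed to form the hash total
    amount: Decimal  # net proceeds/cost shown on the document


# Constructed input documents, grouped into batches before processing.
INPUT_DOCS = [
    Doc("D-01", 1001, Decimal("1254.00")),
    Doc("D-01", 1002, Decimal("300.00")),
    Doc("D-01", 1003, Decimal("75.50")),
    Doc("D-02", 2001, Decimal("900.00")),
    Doc("D-02", 2002, Decimal("450.00")),
    Doc("D-03", 3001, Decimal("60.00")),
]

# Constructed post-update report: in D-01 an amount was transposed on input
# (1524 for 1254), in D-02 a document was dropped, D-03 posted correctly.
POST_UPDATE_DOCS = [
    Doc("D-01", 1001, Decimal("1524.00")),
    Doc("D-01", 1002, Decimal("300.00")),
    Doc("D-01", 1003, Decimal("75.50")),
    Doc("D-02", 2001, Decimal("900.00")),
    Doc("D-03", 3001, Decimal("60.00")),
]

EMPTY_TOTALS = {"count": 0, "amount": Decimal("0"), "hash": 0}


def batch_totals(docs):
    """Per batch: document count, dollar total and hash total. The hash total
    is the sum of asset numbers, a meaningless figure that nevertheless changes
    whenever a document is dropped or its asset number is mis-keyed."""
    totals = {}
    for doc in docs:
        t = totals.setdefault(doc.batch, dict(EMPTY_TOTALS))
        t["count"] += 1
        t["amount"] += doc.amount
        t["hash"] += doc.asset_no
    return totals


def out_of_balance(input_docs, posted_docs):
    """Compare each batch's input totals with the post-update report. Returns
    {batch: {total_name: (input, posted)}} for the totals that differ; a batch
    absent from one side is compared against zero totals. The count and hash
    totals catch a dropped document; only the dollar total catches the
    transposed amount, which is why all three are kept."""
    before, after = batch_totals(input_docs), batch_totals(posted_docs)
    exceptions = {}
    for batch in sorted(before.keys() | after.keys()):
        b = before.get(batch, EMPTY_TOTALS)
        a = after.get(batch, EMPTY_TOTALS)
        diffs = {k: (b[k], a[k]) for k in ("count", "amount", "hash") if b[k] != a[k]}
        if diffs:
            exceptions[batch] = diffs
    return exceptions


if __name__ == "__main__":
    for batch, diffs in out_of_balance(INPUT_DOCS, POST_UPDATE_DOCS).items():
        for name, (entered, posted) in diffs.items():
            print(f"{batch}: {name} input {entered} vs posted {posted}")
```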
Example control objective: Information that is used to calculate asset
disposals/retirements is complete and accurate.
 The fixed asset sub-ledger utilises a standard form to record all relevant information
for fixed asset disposals:
– disposals are not accepted without information necessary to process the impact of
the disposal.
 Potential system control: Edit checks ensure that the information input to calculate
the disposal is complete:
– invalid data is rejected for re-entry or stored in a suspense file where it is
investigated, corrected and re-entered on a timely basis.
Example control objective: Net proceeds/costs associated with asset retirement are
recorded accurately.
 A one-for-one check between disposal source documents (i.e. cash proceeds, removal
costs, etc.) and the disposal form in the fixed asset system occurs:
– any discrepancies are identified and re-entered. The check occurs again for
re-entered data.
Example control objective: Correct postings are made to fixed assets, accumulated
depreciation and the general ledger.
 A one-for-one check occurs to ensure the fixed asset to be disposed per the approved
disposal request matches the fixed asset removed from the fixed asset ledger and that
the correct related accumulated depreciation is removed and the net amount booked
to gain or loss on disposal, including a check related to date removed from service.
Example control objective: Disposals/retirements of fixed assets are approved.
 Those with custody over fixed assets have to obtain approval from management
before they process a fixed asset for disposal/retirement.
Example control objective: Recordings of disposals/retirements of fixed assets are
approved.
 Management reviews and approves monthly reports on disposals/retirements
generated by the finance department.
Example control objective: Duties are adequately segregated.
 Adequate segregation of duties exists between the physical custody of assets,
acquisition/disposal approval and finance duties.
User guide to Standing Direction 4.1
Direction requirement 22
Internal financial management reporting
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
implement and maintain internal financial reporting that is timely, accurate, appropriate and
effective.
The reports should provide strong financial analysis and are to be used to support
management decision making and broader operations.
A number of specific requirements are outlined under Direction 4.1 including that:
 an agency must identify its financial management information requirements;
 financial management reports must be presented to the Responsible Body;
 the CFAO must sign off on financial management reports; and
 financial systems must support internal financial management reporting.
This supplementary material provides guidance in relation to each of the specific
requirements for internal financial reporting as outlined in Direction 4.1.
The purpose of internal financial management reporting
Internal financial management reporting should take the ‘pulse’ of an agency and provide
management with the information required to support effective, timely decision making.
Internal financial management reporting should assist with:
 early identification of potential problems through the use of performance measures,
trend analysis, forecasting, benchmarks, etc;
 data-driven decision making, i.e. information and measures to assist management in
decision making processes;
 quality improvement programs, based on clear identification of areas for improvement
that align with business plans across the agency; and
 allocation of responsibilities/accountabilities.
In substance, the fundamental objective is to provide clear and common understanding of:
‘What has happened?’ so that management can focus their efforts on ‘What does this
mean?’ and ‘What do we need to do?’
While the focus of this guidance material is on internal financial management reporting, an
effective suite of management reports requires a balance of financial, operating and risk and
control indicators, as these are essential to the holistic monitoring of agency performance.
Note: for further detail please refer to material for Direction 4.4 Financial Performance Management and
evaluation (KPIs).
Good practice reporting
Internal reporting requirements depend on the nature of the agency’s business, the
operational and strategic drivers and expectations of management and the Responsible
Body.
Internal management reporting should consistently reflect and align with strategic
objectives and only provide the key information that drives an agency’s performance in
achieving business objectives.
The table below provides some good practice principles for internal reporting.
1. Reports fulfil business needs
Internal financial management reports should be developed to meet an agency’s financial
management reporting requirements, to:
 understand agency strategy (e.g. improve resource utilisation);
 identify which factors are critical to the achievement of the strategy (e.g. manage resource
expenditure);
 identify impacts on these factors (e.g. overtime);
 identify which of these factors can be controlled by the agency;
 assess which factors to report (based on significance, degree of control, etc.).
Consider:
 whether the benefit derived from reports exceeds the cost of producing the report;
 using existing measurement/reporting frameworks to streamline the process; and
 the example pulse questions below to check whether reports will meet requirements.
Are we on track? – To manage the day-to-day operations as appropriate.
Will we deliver the strategy? – To monitor and track progress against organisational
priorities and the strategic plan.
Is the performance optimal? – To manage the internal control environment, efficiency and
effectiveness of operations.
What do we need to change to make it right? – To implement corrective actions, e.g. resource
re-allocation.
2. Reports are clear and relevant
Ensure reports:
 contain clear and concise information that is usable, digestible and has widely accepted
definitions;
 include useful information that is relevant to the users and represents the reality of the business;
and
 have appropriate measures that are presented clearly through tables, graphics, text
numbers, etc.
3. Reports are accurate, reliable and timely
Reports should:
 be valid, reliable, dependable and free from error and bias by using data sources that are reliable
and accurate;
 use information that is current to ensure timely reporting; and
 enable informed and effective decision making in a timely manner.
Processes should be developed to ensure sufficient time for preparation, review and distribution of
reports, e.g. develop annual reporting timetable with timelines and responsibilities.
4. Reports are complete and consistent
 Financial information must be consistent and complete to ensure reliability and allow for
comparability over time and financial periods.
 Measurement processes should be applied to enable consistency over time for quality analysis
and assurance purposes.
 An adequate audit trail for the production of reports should be kept to detail changes made and
comparisons to the underlying financial systems.
5. Reports comment, evaluate and compare
Financial reports must include commentary to evaluate and compare results.
Results can be compared across time periods, across different agencies and/or portfolios –
comparisons should be appropriate to ensure relevancy.
Evaluations can take into account variations that are seasonal or cyclical.
Comments can be structured using Cause, Impact and Action, for example:
Cause – What happened and how did it happen?
 The result.
 The financial/non-financial outcome affecting the result.
 The main driver causing the outcome.
Impact – What is the result to our expected/planned benefit?
 The impact on the financial/non-financial benefit?
 The impact of the benefit into the future?
 The impact on our expectations of the benefit?
Action – What are we doing as a result and who is charged with it?
 The decision required to take action?
 The action taken to mitigate the risk or maximise the opportunity.
Representing financial information graphically can assist report users in ‘digesting’ the
information presented.
Where it is inappropriate to present large volumes of financial information in a graph, the
application of a few simple principles can help to draw attention to the key areas of interest.
The example below demonstrates that rounding to $’000 helps users digest numbers more
easily, and that attention is drawn to variance analysis through a traffic light system,
i.e. the use of colours and arrows to indicate financial movements.
Statement of financial position

                                  Month ($’000)                   Full Year ($’000)
Income                        Actual   Budget   Variance   LY Variance   Budget   Forecast
Grant income                   1 233    1 800    (567) ▼         333 ▲   21 600     14 796
Onshore student income           303      300          3     (1 000) ▼    3 600      3 636
Offshore student income          700      100      600 ▲           150    1 200      8 400
Other fees and charges           466      577    (111) ▼           100    6 924      5 592
Total student related income   2 702    2 777     (75) ▼       (417) ▼   33 324     32 424
Meeting good practice
The checklist below can be used to assist in assessing whether an agency’s internal financial
management reports are meeting requirements and good practice.
Question in consideration of good practice                                  Considered?
What information is being reported?                                         [ ]
  e.g. income, expenditure, safety indicators, enrolments information etc.
How is it being reported?                                                   [ ]
  e.g. tabular, graphical, textual, numerical etc.
When is it being reported?                                                  [ ]
  e.g. daily, weekly, monthly, annually, is there a report timetable in place
To whom is it being reported?                                               [ ]
  e.g. manager, senior managers, portfolio heads etc.
What decision making does it support?                                       [ ]
  e.g. daily operational decision making, strategic planning etc.
Who is involved in the production of the report?                            [ ]
  e.g. finance
What resources are required? Is there reliable data available?              [ ]
  e.g. time taken to produce reports/how complex is it/is the time and effort worth it?
Who owns the report?                                                        [ ]
  e.g. finance

User guide to Standing Direction 4.2
Direction requirement 23
Reporting in terms of part 7 of the FMA
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
develop procedures for the timely and accurate preparation of reports to ensure compliance
with Part 7 of the Financial Management Act 1994 (FMA).
The FMA requires agencies to submit:
 an annual report with a number of specific requirements; and
 financial information for the purposes of meeting the State’s Consolidated Financial
Reporting requirements.
Procedures for FMA reporting
To comply with the Directions, agencies must ensure there are procedures in place to
support the implementation of Part 7 of the FMA.
Procedures should consider:
 tasks to be completed to meet the requirements;
 identification of appropriate resources;
 responsibilities for tasks (at a role level);
 approval processes across the agency; and
 timelines that ensure requirements are met and appropriate approvals have been
obtained.
Annual report
The annual report is the medium through which agencies discharge their accountability to
Parliament, government and the Victorian public. The FMA requires an annual report to
consist of:
 a Report of Operations; and
 Financial Statements.
The information provided in relation to an agency’s finances, performance operations and
other general details is valuable information that is used for planning and resource
utilisation decisions.
Report of Operations
The Report of Operations provides users of financial statements with general information
about the entity and its current and future activities (by providing qualitative and
quantitative information) and other relevant information that is not included in the financial
statements.
This report is to be prepared in accordance with the requirements of Financial Reporting
Directions, and presented in accordance with the guidelines contained in the Model Report
for Victorian Government Departments, as issued annually by the Department of Treasury
and Finance.
Government departments are also required to include in the unaudited section of the
annual report a comparison between their portfolio financial statements published in
Budget Paper No 4 and actual results for the portfolio for the corresponding financial year.
This is known as ‘Budget Portfolio Outcomes’ and must be presented as a set of financial
statements in the same format and consolidation basis as those prepared for the agency.
The Report of Operations must be signed and dated by the Accountable Officer in the case
of a government department or, in the case of any other agency, a member of the
Responsible Body.
Financial statements
The financial statements must be prepared in accordance with:
 Australian accounting standards and interpretations (AAS’s) which include Australian
equivalents to International Financial Reporting Standards;
 Financial Reporting Directions; and
 business rules.
Consistent with professional accounting requirements, the financial statements are to
comprise the following:
 comprehensive operating statement;
 balance sheet;
 statement of changes in equity;
 cash flow statement; and
 notes to the financial statements.
The financial statements are to be signed and dated by the Accountable Officer, CFAO and a
member of the Responsible Body, stating that the financial statements have been presented
fairly, in accordance with applicable Financial Reporting Directions and applicable
accounting standards.
Model Report
Each year the Department of Treasury and Finance issues a Model Report to assist agencies
with the planning and preparation of their FMA reporting requirements.
The Model Report is available on the Department of Treasury and Finance website
(www.dtf.vic.gov.au).
Consolidated financial reports for the State
Financial Reports for the State of Victoria are key elements of the government’s financial
reporting framework.
The FMA requires agencies to submit financial information for the preparation of quarterly,
mid-year and annual Consolidated Financial Reports for the state. The information is
submitted to the Department of Treasury and Finance through the State Resource and
Information Management System.
Quarterly financial reporting and mid-year financial reporting were introduced in the
2000-01 financial year, following the introduction of amendments to the Financial
Management Act 1994. The reporting framework is a key component of the government's
commitment to openness and accountability in financial management.
User guide to Standing Direction 4.3
Direction requirement 24
Other external reporting
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
ensure all other external reporting requirements are met through the development of
procedures. The procedures should also ensure other external reports are completed in a
timely and accurate manner.
External reports must:
 be identified by the agency to ensure all external reporting requirements are met;
 be delivered completely, accurately and in a timely manner; and
 be reviewed by the CFAO or delegate prior to release.
Procedures for other external reporting
To comply with the Directions, agencies must ensure there are procedures in place to
support the implementation of other external reporting requirements.
Procedures should consider:
 tasks to be completed to meet the requirements;
 identification of appropriate resources;
 responsibilities for tasks (at a role level);
 approval processes across the agency; and
 timelines that ensure requirements are met and appropriate approvals have been
obtained.
The strategic management framework
The strategic management framework (SMF) [45] provides a guide for departments and
agencies on best practice approaches to core management processes. The framework is
structured around six core elements: analyse, plan, allocate resources, implement and
monitor, evaluate and report and describes key activities to integrate and align strategic
priority setting and planning with resource allocation, service and asset delivery
implementation and monitoring, evaluation and reporting.
The key objectives of the SMF are to ensure that:
 key activities and processes are stable and certain;
 management activities are not focussed on seeking new resources to the detriment of
focusing on the efficient and effective use of existing resources; and
 quality financial and non-financial performance information from departments and
agencies informs government decision making and policy approaches.
[45] Internal financial management reporting is a critical process for the efficient and effective management of departments and
agencies and a key component of the SMF.
Financial Management Compliance Framework user guide
Updated August 2013
127
The diagram below outlines the SMF:
[Diagram: the SMF cycle, showing its six core elements in sequence: analyse, plan, allocate resources, implement and monitor, evaluate, and report.]
Please refer to the DTF website for further information (www.dtf.vic.gov.au).
User guide to Standing Direction 4.4
Direction requirement 25
Financial performance management and evaluation
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies
develop appropriate financial management performance indicators and monitor
performance against these to identify key statistics and trends for use in management
decision-making.
The Directions outline a number of specific requirements, under Direction 4.4, for financial
key performance indicators (KPIs) including that KPIs:
 must be developed by the Responsible Body working with management, including the
Chief Financial Accounting Officer (CFAO) and the Accountable Officer;
 must be designed to measure and monitor financial management performance of the
public sector agency;
 must be measured, monitored and reported against on a regular basis (at least quarterly,
unless the financial KPI is an annual measure) to the Responsible Body; and
 are implemented by the Responsible Body with procedures to ensure they are
monitored.
This material provides guidance in relation to developing an agency’s internal KPIs to assist
in monitoring financial performance. It is designed to assist agencies in considering,
designing and developing the types of KPIs that may be appropriate for their agency
activities.
This material relates to financial KPIs only and does not include the overall KPIs required
for annual performance reporting.
This material includes the following information:
 performance management and KPIs;
 purpose of KPIs;
 types of KPIs;
 KPI development and design;
 KPI characteristics;
 implementation of KPIs; and
 examples of KPIs relating to:
– revenue;
– expenditure;
– cash handling;
– investments; and
– liabilities.
Performance management and KPIs
Performance management is a combination of approaches, measures, processes and
systems that organisations use to monitor and manage their performance. KPIs are a
fundamental component of performance management that communicate strategic goals
across the agency.
KPIs can be used across all levels of an organisation, from business plans at
divisional/department levels to individual employee work programs and activities. An
organisation can use KPIs from across the different areas and levels to align and feed into
overall strategic organisational measures.
Well defined KPIs can be monitored to measure how effectively the overall organisation
strategy is being implemented – ‘strategy to execution’ – and will also provide a mechanism
that allows early action to be taken if issues arise – ‘opportunity for action’.
Performance management cycle
A typical performance management cycle is depicted in the diagram below. The initial step is
to define the key business drivers for the agency. Steps 2 and 3 cover the design and
development of KPIs.
The collation and recording of data (as per Step 4) for KPI monitoring typically provides a
challenge for agencies; though this is less of an issue for financial KPIs which are usually
sourced from the core financial systems.
The performance management cycle uses the reporting results (from KPI monitoring and
reporting) as a basis to assess the need for change and implement it as required. It also
analyses the results (Steps 6 and 7) to consider the reward for successful achievement of
goals.
Diagram of a performance management cycle
[Diagram: the seven questions of the cycle, grouped on the figure under the labels planning, business analytics and reporting.]
1. What are the key business drivers in the agency strategy?
2. How is the strategy translated into KPIs?
3. How is KPI progress measured?
4. What data and systems are available to collate information for management?
5. How can the data be used to implement sustainable change?
6. How are individuals and agencies rewarded for achieving their KPIs?
7. How are set budgets compared with actual results?
Purpose of KPIs
KPIs provide a means for monitoring agency performance, and understanding how effective
and efficient that agency is in achieving its objectives and desired outcomes.
KPIs are a way for an agency to effectively establish measures and monitor progress for the
following overall organisational questions:
 Where do we want to be?
 How will we know when we get there?
 What are we doing to get there?
KPIs that are designed to support the overall strategic objectives of an organisation
represent its ‘vital signs’. When part of a comprehensive system of measures implemented
across an organisation, KPIs inform the CFAO, management, the governing body and
employees of how far, and how well, they are progressing towards the overall agency
objectives.
Types of KPI
There are a number of different categories into which KPIs can be grouped. These include:
Financial: focus on financially driven measures. It is this category of KPI that is the focus of
Direction 4.4 and for which illustrative examples of potential indicators are included in this
supplementary material (for revenue/receivables, expenditure/accounts payable and cash receipting).
Stakeholder: focus on service to, and satisfaction of, the various stakeholders who are affected by
the agency’s activities. This could include response times or service satisfaction levels.
Process: target the key processes or activities that allow an agency to meet its strategic
objectives and are operational in nature.
People: focus on the recruitment, development, appraisal and retention of staff within
the agency.
KPIs developed and implemented across all agency activity areas using these different
categories provide a balanced and comprehensive view of expectations, outcomes and
activities that can be monitored and reported against.
KPI development and design
The process for designing and implementing effective KPIs commences with consideration of
an agency’s strategy, vision, and goals as well as the drivers that support those goals.
The link to strategy is achieved most effectively by starting at the strategy level and moving
to the task and activity level (rather than the other way).
Using the agency’s strategy, vision and goals, KPIs are identified with defined metrics. The
annual budget process provides a good opportunity to identify KPIs and targets each year.
Once KPIs are defined it is important to ensure processes are in place to collect data for the
monitoring of the KPI. Indicators and metrics can be incorporated into a single source, e.g. a
scorecard, to input and collate data for tracking KPIs. A scorecard of indicators provides an
effective tracking device for:
 financial and non-financial performance;
 short-term and long-term performance; and
 lag measures (which represent past performance) and lead measures (which indicate
future performance).
Once initial KPIs are established agencies should consider the process for reviewing and
revising KPIs. The process should be efficient and well controlled and may take into account
use of appropriate technology and software for performance management to help achieve
this.
Process for developing KPIs
The diagram below illustrates the process for developing KPIs and the related monitoring and
reporting activities. The steps flow in sequence:
1. Define strategy.
2. Identify KPIs (the budgeting process should incorporate targets for KPIs).
3. Define metrics/scorecards.
4. Develop data collection processes.
5. Report metrics.
KPI characteristics
To be meaningful and effective, performance indicators should be ‘SMART’. The table below
outlines the characteristics of ‘SMART’ KPIs:
Specific: linked to a specific desired outcome or goal that is clearly defined and
understood, e.g. accelerate the cash collections cycle.
Measurable: capable of being measured in a timely and efficient manner.
Action oriented: linked to the desired actions that are expected of the people being measured.
Realistic: based on facts and agreed targets, and achievable.
Time-bound: refers to how frequently the KPI should be measured and reported, e.g. will
the KPI be reported weekly, monthly, quarterly or yearly.
Implementation of KPIs
Public sector agencies must develop, measure, monitor, evaluate and report against
financial KPIs.
Ultimately, financial KPIs are tailored to an agency’s business and assist management in
strategic planning and resource allocation. KPIs can also provide information from ongoing
activities to assist in highlighting instances where corrective action is required on a timely
basis.
CFAOs should not take KPI results as just a static ‘point in time’ measure. The results should
be analysed in the context of their overall trend, generally across three to five periods.
The checklist below provides an overall guide in relation to developing KPIs.
KPI checks (tick ‘Included’ for each check that is satisfied)
[ ] Is there a clear link between portfolio level goals and/or government level
goals/aspirations and agency level desired outcomes and services?
[ ] Does the KPI enable assessment of service delivery by key stakeholders, including
portfolio departments?
[ ] Does the KPI assist CFAOs in strategic planning and resource allocation, as well as
highlighting instances where corrective action is required on a timely basis?
[ ] Is the KPI comparable with similar agencies?
[ ] Can data be readily collected and reported against the indicator when required?
[ ] Have the KPIs been endorsed by the CFAO?
This supplementary material sets out a number of illustrative KPIs across the following
financial processes:
 revenue;
 expenditure;
 cash receipting;
 investments; and
 liabilities.
The KPIs provided are examples only and are not a complete list of all possible KPIs. Other
suitable financial KPIs may also exist.
The material should be used as a guide to assist the agency in selecting KPIs that are specific to
its business, in order to provide meaningful information to management.
Example of KPIs relating to revenue/receivables
Revenue
KPI: Revenue growth
Description
This KPI measures the percentage growth in revenue for the current period.
Objective
To ensure that revenue growth is in line with the target set by agency.
KPI calculation
(Current period revenue – prior period revenue)/Prior period revenue.
Example target
Revenue growth to be greater than or equal to xx per cent.
KPI: Actual revenue vs budgeted revenue
Description
This KPI measures the variance between actual and budgeted revenue.
Objective
To ensure that actual vs budget meet internal targets set by the agency to
improve forecasting.
KPI calculation
(Actual revenue – budgeted revenue)/budgeted revenue.
Example target
Actual revenue to deviate from forecast revenue by xx per cent.
KPI: Operating margin
Description
To measure the percentage of revenue which converts into operating income.
Objective
To ensure that the proportion of each dollar of revenue that translates into operating income
(a profitability measure) is in line with the targets set by the agency.
KPI calculation
(Total operating revenue – total operating expenditure)/revenue.
Example target
Operating margin to be greater than or equal to xx per cent.
KPI: Significant revenue items as a percentage of total revenue
Description
This KPI measures significant revenue items as a percentage of total revenue
(e.g. premiums).
Objective
To ensure that significant revenue items as a percentage of total revenue is in
line with the target set by the agency.
KPI calculation
Revenue for specific revenue item/total revenue.
Example target
Significant revenue items are xx per cent of total revenue or lower (direction).
KPI: Grant monies as a per cent of total revenue
Description
This KPI measures the percentage contribution that grant monies make to
overall revenue.
Objective
To ensure that the grant monies as a percentage of revenue is in line with the
target set by the agency.
KPI calculation
Total grant monies/total revenue.
Example target
Total grant monies as a percentage of revenue is within xx per cent of the target set by
the agency.
Revenue – accounts receivable
KPI: Accounts receivable (AR) cost as a percentage of total revenue
Description
This KPI measures the AR processing cost as a percentage of total revenue.
Objective
To ensure that the cost of AR processing as a percentage of total revenue is in
line with the target set by the agency.
KPI calculation
Total AR processing cost/total revenue.
Example target
The total cost of AR processing is xx per cent of total revenue or
lower/higher (direction).
KPI: Ageing of receivables
Description
This KPI measures the spread of receivables across each ‘days outstanding’
tranche, e.g. 30 days, 60 days or 90 days.
Lead indicator for bad debts.
Objective
To monitor the ageing of receivables on a regular basis.
KPI calculation
n/a
Example target
Tranche 1: (xx days): xx per cent
Tranche 2: (xx days): xx per cent
Tranche 3: (xx days): xx per cent
KPI: Total cost of the AR function as a percentage of sales
Description
This KPI measures the cost of an agency’s accounts receivables function as a
percentage of total sales.
Objective
To ensure that the cost of the AR function as a percentage of total sales is in
line with the target set by the agency.
KPI calculation
Total AR cost/total sales.
Example target
The total cost of the AR function is xx per cent of total sales or lower/higher
(direction).
Revenue – bad debts
KPI: Credit worthiness of customers
Description
This KPI measures the creditworthiness of customers.
Lead indicator for bad debts.
Objective
To ensure that the provision for bad debts is appropriate and to manage the
number of receivables that ‘go bad’.
KPI calculation
Total number of customers with a credit rating of > xx/total number of
customers.
Example target
The per cent of customers with a credit rating of a xx or higher is xx per cent.
KPI: Bad debts as a per cent of accounts receivable
Description
This KPI measures the percentage of receivables not recovered by the entity,
i.e. receivables that have ‘gone bad’.
Objective
To minimise bad debts as a per cent of receivables.
KPI calculation
Total bad debts/total receivables.
Example Target
Bad debts as a per cent of total receivables is less than or equal to xx per cent.
KPI: Bad debts as a per cent of sales
Description
This KPI measures receivables not recovered by the entity, as a
percentage of sales.
Objective
To minimise bad debts as a per cent of sales.
KPI calculation
Total bad debts/total sales.
Example target
Bad debts as a percentage of total sales is less than or equal to xx per cent.
KPI: The provision for bad debts greater than xx days outstanding
Description
This KPI measures the receivables which may not be recovered by the entity as
a percentage of receivables which are greater than xx days outstanding. This
may indicate when the provision for bad debt is understated.
Objective
To minimise bad debts as a percentage of receivables.
Lead indicator for bad debts.
KPI calculation
Total provision for bad debt/total average receivables > xx days outstanding.
Example target
The provision for bad debts as a per cent of total receivables > xx days is
consistently xx per cent.
Example KPIs relating to expenditure/payables
Expenditure
KPI: On-time payment percentage
Description
This KPI measures the percentage of invoices paid on time (within invoice
terms).
Objective
To maximise the frequency of on-time payment.
KPI calculation
Total invoices paid on-time/total invoice payments.
Example target
The on-time payment percentage is xx per cent or higher.
KPI: AP turnover days
Description
This KPI measures how long it takes to pay the vendor, once the liability is
established.
Objective
To ensure that the AP turnover days is in line with the targets set by the agency.
KPI calculation
Average AP balances/total purchase costs x 360 days.
Example target
The AP turnover days is within xx per cent of the target set by the agency.
KPI: Ageing of payables
Description
This KPI measures the spread of payables across each ‘days outstanding’
tranche, e.g. 30 days, 60 days or 90 days. This allows improved visibility over
cash flow.
Objective
To monitor the ageing of payables on a regular basis.
Lead indicator for on-time payments.
KPI calculation
n/a
Example target
Tranche 1: (xx days): xx per cent
Tranche 2: (xx days): xx per cent
Tranche 3: (xx days): xx per cent
KPI: YTD expenditure to budgeted expenditure
Description
This KPI measures the deviation of year-to-date (YTD) expenditure from budgeted
expenditure.
Objective
To ensure that YTD expenditure does not deviate significantly from budgeted
expenditure and to improve forecasting.
KPI calculation
(YTD expenditure – budgeted expenditure)/budgeted expenditure.
Example Target
Variance between actual and budgeted expenditure is xx per cent or lower.
KPI: Total wages expense to budgeted wages expense
Description
This KPI measures the deviation of actual wages expenditure from budgeted
wages expenditure.
Objective
To ensure that total actual wages expense does not deviate significantly from
budgeted wages expense and to improve forecasting.
KPI calculation
(Total wages expenditure – budgeted wages expenditure)/budgeted wages
expenditure.
Example target
Variance between actual and budgeted wages expenditure is xx per cent or
lower.
KPI: Total project expense to total budgeted/approved expense
Description
This KPI measures the deviation of total project expenditure to
budgeted/approved project expenditure.
Objective
To ensure that total project expense does not deviate significantly from budgeted
(approved) project expense and to improve forecasting.
KPI calculation
(Total project cost – total budgeted/approved project cost)/total budgeted/
approved project cost.
Example target
Variance between actual and budgeted/approved project expenditure is xx per
cent or lower.
KPI: Overtime as a percentage of wages
Description
This KPI measures overtime expense as a percentage of total wages expense.
Objective
To ensure that the per cent of overtime of total wages is in line with the target
set by the agency.
KPI calculation
Total overtime expense/total wages expense.
Example target
The overtime expense as xx per cent of wages or lower.
KPI: Total wages expense to total expenditure
Description
This KPI measures total wages expense as a percentage of total expenditure.
Objective
To ensure that the total wages expenditure as a per cent of total expenditure is
in line with the target set by the agency.
KPI calculation
Total wages expenditure/total expenditure.
Example target
The total wages expense as xx per cent of total expenditure or lower.
KPI: Total contractors expense to total expenditure
Description
This KPI measures total contractors expense as a percentage of total
expenditure.
Objective
To ensure that the total contractors expenditure as a percentage of total
expenditure is in line with the target set by the agency.
KPI calculation
Total contractors expenditure/total expenditure.
Example target
The total contractors expense as xx per cent of total expenditure or lower.
KPI: Foreign exchange gains or losses
Description
This KPI measures the foreign exchange gains or losses as a percentage of total
expenditure.
Objective
To ensure that gains or losses resulting from exposure to changes in foreign
exchange rates are within the tolerance thresholds set by the agency. Also
measures the effectiveness of management of FX risk (realised and unrealised).
KPI calculation
Total gains or losses related to expenditure/total expenditure.
Example target
The total gains or losses are within xx per cent to xx per cent of total expenditure.
KPI: Significant expense items as percentage of total expenditure
Description
This KPI measures significant expense items as a percentage of total
expenditure (e.g. claims).
Objective
To ensure that significant expense items as a percentage of total expenditure is
in line with the target set by the agency.
KPI calculation
Total expense (for specific expense item)/total expenditure.
Example target
The total significant expense items as xx per cent of total expenditure or lower
(direction).
Example KPIs relating to cash receipting
Cash
KPI: Proportion of cash payments made via electronic means
Description
This KPI measures cash receipts processed electronically as a proportion of
total cash receipts.
Objective
To maximise the efficiency of cash receipt processing through the use of
technology, for example, internet banking.
KPI calculation
Number of cash receipts paid electronically/total number of cash receipts.
Example target
The number of cash receipts processed electronically is xx per cent of total cash
receipts or higher.
Cash – petty cash
KPI: Petty cash disbursements
Description
This KPI measures petty cash disbursements as a percentage of total cash
disbursements.
Objective
To ensure that petty cash disbursements are in line with internal requirements
(policies and procedures) as set by the agency.
KPI calculation
Total petty cash disbursements/total cash disbursements.
Example target
Petty cash disbursements are less than or equal to xx per cent of total cash disbursements.
Cash – liquidity
KPI: Current ratio (working capital ratio)
Description
This KPI measures an agency's ability to cover its short-term liabilities with its
current assets.
Objective
To ensure that the current ratio complies with the target set by the agency.
KPI calculation
Current assets/current liabilities.
Example Target
The current ratio is xx or higher.
KPI: Quick (acid test) ratio
Description
This KPI measures an agency's ability to cover its short-term liability with its
most liquid assets.
Objective
To ensure that the quick ratio complies with the target set by the agency.
KPI calculation
(Current assets – inventory)/current liabilities.
Example target
The quick ratio is xx or higher.
KPI: Debt as a percentage of net working capital
Description
This KPI measures the liquidity of an agency.
Objective
To ensure that the working capital ratio complies with the target set by the agency.
KPI calculation
Long term debt (excluding current portion)/net working capital.
Example target
Ratio is xx or lower.
KPI: Debt/capital ratio
Description
This KPI measures the leverage of an agency.
Objective
To ensure that the debt to capital ratio complies with the target set by the agency.
KPI calculation
Long term debt (excluding current portion)/total invested capital.
Example target
Ratio is xx or lower.
KPI: Debt refinancing for the upcoming quarter
Description
This KPI measures the amount of debt which requires refinancing within the
next quarter which will impact on an agency’s cash flow.
Objective
To ensure that debt obligations are monitored and managed given their direct
impact on the availability of cash.
KPI calculation
Total dollar value of debt expiring within the upcoming quarter.
Example target
Total value of debt is xx or lower.
Cash – cash flow
KPI: Total cash flow to budget
Description
This KPI measures cash flow.
Lead indicator of solvency.
Objective
To ensure that total cash flow is in line with the budget operating cash flow
requirements as set by the agency.
KPI calculation
Total cash flow actuals/total cash flow budget.
Example target
Total cash flow actuals to budget is within xx per cent to xx per cent.
KPI: Operating cash flow (OCF) growth
Description
This KPI measures the OCF growth over a given period.
Lead indicator of solvency.
Objective
To ensure that operating cash flow growth meets the internal target set by the agency.
KPI calculation
(OCF current period – OCF prior period)/OCF prior period.
Example target
OCF growth to be equal to or greater than xx per cent.
KPI: Net change in cash
Description
This KPI measures the change in cash and cash equivalents within a period.
Objective
To ensure that significant changes in cash and cash equivalents are monitored.
KPI calculation
Cash and cash equivalents at period end – cash and cash equivalents at the
beginning of the period.
Example target
Movement in cash and cash equivalents is within +/-$xx or +/-xx per cent.
Cash – invoice processing
KPI: Cash collections cycle
Description
This KPI measures the average number of days required to collect cash from
sales.
Objective
To ensure the cash collections cycle is in line with targets set by the agency
(terms).
KPI calculation
Days taken from date of sale to date of collection of cash.
Example target
The days taken from date of sale to collection of cash does not exceed xx days.
KPI: Average processing time
Description
This KPI measures the average time taken to process cash receipts.
Objective
To minimise processing time of cash receipts in accordance with targets set by
the agency (where appropriate).
KPI calculation
(Total time spent on cash receipts processing)/number of receipts processed.
Example target
Average processing time of cash receipts does not exceed xx hours.
Example KPIs relating to liabilities
(also see examples in cash receipting – liquidity)
Liabilities
KPI: Current liabilities as a percentage of total liabilities
Description
This KPI measures current liability as a percentage of total liabilities.
Objective
To ensure that the ratio of short-term liabilities complies with the target set by
the agency.
KPI calculation
Current liabilities/total liabilities.
Example target
The ratio of current liabilities is within xx per cent to xx per cent.
KPI: Non-current liabilities as a percentage of total liabilities
Description
This KPI measures non-current liability as a percentage of total liabilities.
Objective
To ensure that the ratio of liabilities not due in the current year complies with
the target set by the agency. This ratio can be used/calculated at an aggregate
level or by liability type.
KPI calculation
Non-current liabilities/total liabilities.
Example target
The ratio of non-current liabilities is within xx per cent to xx per cent.
Example KPIs relating to investments
Investments – capital
KPI: The average Net Present Value (NPV) of investments
Description
This KPI measures the average NPV of investments (i.e. the current value of the
expected future cash inflows/outflows associated with the investment).
Objective
To ensure that the average NPV of investments is in line with targets set by the
agency.
KPI calculation
Sum of total investment NPVs/total number of investments.
Example target
The average investment NPV is greater than $xx.
KPI: The average pay back period for investments
Description
This KPI measures the average payback period for investments (i.e. the time
taken for the expenditure on the investment to be recouped).
Objective
To ensure that the average payback period for investments is in line with
targets set by the agency.
KPI calculation
Sum of total investment payback period/total number of investments.
Example target
The average investment payback period is less than xx weeks/months/years.
KPI: The average Return on Investment (RoI) of investments
Description
This KPI measures the average RoI (i.e. the earnings generated by an investment
expressed as a percentage of the investment).
Objective
To ensure that the average RoI of investments is in line with targets set by the
agency.
KPI calculation
Sum of total investment RoIs/total number of investments.
Example target
The average investment RoI is within xx per cent to xx per cent.
KPI: The average Internal Rate of Return (IRR) of investments
Description
This KPI measures the average IRR of investments (i.e. the return required for
the NPV to equal zero).
Objective
To ensure that the average IRR of investments is in line with targets set by the
agency.
KPI calculation
Sum of total investment IRRs/total number of investments.
Example target
The average investment IRR is less than xx per cent.
Investment – non-capital
KPI: Short/medium/long term investments as a percentage of total investments (deposits)
Description
This KPI measures short/medium/long term investments as a percentage of
total investments (deposits).
Objective
To ensure that the percentage of short/medium/long term investments
(deposits) is in line with targets set by the agency.
KPI calculation
(Sum of short/medium/long term investments)/total investments (deposits).
Example target
The percentage of short/medium/long term investments is within xx per cent
and xx per cent.
KPI: The average rate of return for investments (deposits)
Description
This KPI measures the average rate of return for investments (deposits).
Objective
To ensure that the rate of return for investments (deposits) is in line with
targets set by the agency.
KPI calculation
Sum of total investment returns/total number of investments.
Example target
The average rate of return for investments (deposits) is greater than
xx per cent.
User guide to Standing Direction 4.5
Financial management compliance obligations
Including:
4.5.1 (Direction requirement 26): Compliance with directions
4.5.2 (Direction requirement 27): Taxation
4.5.3 (Direction requirement 28): Purchasing card
4.5.4 (Direction requirement 29): Thefts and losses
4.5.5 (Direction requirement 30): Risk management compliance
4.5.6 (Direction requirement 32): Treasury risk management
4.5.7 (Direction requirement 33): Foreign exchange risk management
4.5.8 (Direction requirement 34): Commodity risk management
User guide to Standing Direction 4.5.1
Direction requirement 26
Compliance with directions
Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.1,
require agencies to certify that they have complied with all applicable Directions. The
Direction specifically requires agencies to:
 certify annually, using the form provided by DTF for the purpose, that they have
complied with all applicable Directions;
 conduct an annual review of their obligations under these Directions; and
 identify and rectify any failure or deficiency in complying with these Directions.
Certification of compliance should be made annually to the Responsible Body or relevant
delegate, e.g. audit committee.
Agencies subject to the Financial Management Compliance Framework (FMCF) are also
required to annually certify compliance with these Directions to their Minister.
This material provides guidance in relation to:
 compliance with Directions:
– Direction Requirements.
 compliance levels:
– definitions;
– determining compliance level;
– documentation; and
– partially or not compliant certification responses.
 certification:
– overview;
– annual FMCF certification process; and
– certification requirements for newly created or structurally changed agencies.
Compliance with directions
Entities are required to comply with each of the mandatory components of the Directions.
Direction requirements
Direction Requirements have been developed to assist and simplify annual certification
against the Directions. The Direction Requirements incorporate the key themes and
principles from the Directions.
The Direction Requirements included in the annual certification process are outlined in the
certification checklist.
Each Direction Requirement has a:
 high level requirement that is used for certification purposes, i.e. agencies submit their
level of compliance against each high level requirement; and
 number of elements (mandatory requirements) that must be considered when certifying
the level of compliance. These elements are taken from the detail within the Directions.
Compliance levels
Compliance level definitions
Agencies are required to certify their level of compliance against each of the Direction
Requirements in the annual certification process.
The compliance level definitions are detailed in the table below:
Compliance level: Compliant
Definition: A compliant level of compliance means that the agency is fully compliant with all
elements within the Direction and Direction Requirement.
Compliance level: Partially Compliant
Definition: A partially compliant level of compliance means that the agency is partially
compliant with any element within the Direction and Direction Requirement as at 30 June.
Compliance level: Not Compliant
Definition: A not compliant level of compliance means that the agency is not compliant with
any element within the Direction and Direction Requirement as at 30 June.
Additional information (Partially Compliant and Not Compliant): Direction Requirements that
are certified (in the annual certification process) as not compliant or partially compliant
must contain information that outlines:
 reasons for the partial compliance or non-compliance; and
 rectification plans to achieve full compliance.
Note: These responses should be added in the comments field in the compliance monitoring
system and/or certification checklist.
Compliance level: Not Applicable
Definition: A not applicable compliance level means that the Direction is not applicable to
the agency. This response is only appropriate for a limited number of Directions and
Direction Requirements.
Additional information: Direction Requirements that are certified (in the annual
certification process) as not applicable must detail reasons for the response.
Note: If the response is not applicable due to an exemption, please provide details
regarding the exemption, e.g. date, period of exemption, etc.
Determining compliance levels
To determine the compliance level for each Direction Requirement agencies need to:
 use the certification checklist to review compliance against each element within a
Direction Requirement;
 assess the overall compliance of the Direction Requirement based on the compliance
levels of the elements, i.e. are all, or a majority, or less than a majority of elements
within the Requirement compliant?
 select a compliance level based on the definitions.
Note: Any queries relating to compliance responses should be directed to portfolio coordinators.
Documentation of compliance levels certified
Agencies should maintain a documentation trail to support the level of compliance certified
each year. Documentation could be in the form of references to relevant policies, meeting
minutes, files, etc.
This could be recorded in the comments section of the certification checklist.
Partially compliant and not compliant certifications
The focus for agencies with areas of partial or non-compliance is to address the issues
through the development and implementation of action plans that will effectively achieve
compliance with the Directions.
Agencies are expected to actively work towards and be able to demonstrate progress in
becoming fully compliant with the Directions over time.
Where an agency is partially or not compliant with the Directions, consideration should be
given to disclosing the compliance level to the Auditor-General prior to an audit. This would
assist:
 in maintaining an open and constructive relationship with the Auditor-General (as per
Direction 2.6 – external audit); and
 in ensuring that the Auditor-General is provided with all relevant information that could
potentially influence a positive outcome for the entity.
Certification
Overview
Agencies are required to certify their compliance against the Directions, through the
Direction Requirements, on an annual basis to their portfolio Minister.
Portfolios each report their FMCF status to the Minister for Finance via the Department of
Treasury and Finance (DTF).
The diagram below details the process:
1. Department/Agency: complete the certification process with a letter prepared by the
department/agency and signed off by the Accountable Officer (Secretary/CEO), addressed to
the Portfolio Minister.
Timing: between 1 July and 30 September each year
2. Portfolio: portfolio summary report prepared by the portfolio and signed off by the
Departmental Secretary on behalf of the Portfolio Minister.
Timing: by 31 October each year
3. Whole of government: whole of government report prepared by DTF and approved by DTF’s
Secretary for the Minister for Finance (Finance Minister).
Certification period and financial year end
The FMCF compliance year is from 1 July to 30 June, i.e. agencies must certify their
compliance with the Directions (through the Direction Requirements) as at 30 June.
For certification purposes, the last set of annual financial accounts/statements must be used
to certify against the relevant Direction Requirements in Sections 2 and 4.
Certification approval and sign-off
The Chief Executive Officer of each entity is required to approve and sign the FMCF
certification letter and exceptions compliance summary attachment.
The Responsible Body or delegate, e.g. audit committee must also review and approve the
certification.
Annual certification process – compliance monitoring system
The annual certification process contains a number of parts including:
 complete review requirements;
 assess compliance;
 obtain sign-off; and
 complete and submit certification.
Please refer overleaf for a detailed outline of each part of the process.
Agencies use the compliance monitoring system (CMS) to complete their certification. The
CMS is an online tool that is accessed through a website.
It is suggested that agencies obtain approval for the certification from the CEO and Audit
Committee once they assess their compliance prior to entering the detail into the CMS (as
per process overleaf).
The CMS generates a certification letter and exceptions compliance summary attachment.
The certification letter is a standard template that is populated with an agency’s compliance
details.
The compliance summary attachment is an exceptions report that details rectification plans
and reasons for partially or not compliant responses.
Agencies are able to add additional comments to the certification letter and exceptions
report.
Note: The CMS is open to agencies from 1 July to 30 September annually. Please refer to the Department of
Treasury and Finance website (www.dtf.vic.gov.au) for further information.
Annual FMCF certification process
The following flowchart outlines the steps within the annual FMCF certification process at the agency and portfolio level.
The timing of tasks is provided as a guide. Please refer to guidance material in the FMCF toolbox for further information.
Data integrity framework – Process overview
Agency process
Complete review requirements (When: throughout the year)
How: There are requirements within the FMCF to complete reviews over a number of areas
throughout the year, e.g. policy documents and the financial risk profile (see Supplementary
Material flyer for Direction review requirements).
1. Complete relevant reviews.
2. Where required, obtain endorsement by the CEO/CFO (or delegate) or the Board/Audit
Committee.
3. Keep documentation supporting evidence of these reviews.
Assess compliance (When: June – July)
How: The FMCF compliance certification checklist provides detailed guidance of compliance
requirements for each Direction.
4. Use the compliance certification checklist to review the compliance status against each
of the mandatory elements within the 29 Direction Requirements.
5. Determine the compliance level (compliant, partially compliant, not compliant) using
results from step 4 and complete the ‘certification checklist’ as at 30 June.
6. Ensure there is evidence to support the compliance levels certified (where relevant).
Obtain sign-off (When: July – August)
7. Obtain required approval, e.g. Board/Audit Committee, upon completion of the ‘compliance
certification checklist’.
8. Finalise detailed sign-off over Direction 2.2(d) and (w), including:
– internal controls;
– risk management; and
– financial statements.
Complete and submit certification (When: August – September)
9. Complete online certification via the compliance monitoring system (CMS) website:
www.cms.dtf.vic.gov.au
10. Provide the signed certification letter and exception compliance summary attachment
(where applicable) to the relevant Portfolio Minister, copied to the portfolio coordinator.
Note: the compliance summary attachment is an exceptions report that details rectification
plans and reasons for partially or not compliant responses. Agencies can also add further
comments in this attachment.
Department/portfolio process
When: September
11. Agency compliance certification received by the Portfolio Minister via the portfolio
department.
When: October
12. Portfolio summary report prepared by the Portfolio Coordinator and signed off by the
Department Secretary.
13. Portfolio summary report presented to the Minister for Finance and copied to DTF.
Certification requirements for newly created or structurally changed
agencies
Agencies created during the compliance year
Agencies created during a compliance year that are required to comply with the FMCF must
apply the FMCF from the date of establishment.
The FMCF is mandatory for agencies:
 that are a government department or are defined as a public body in Section 3 of the
Financial Management Act 1994; and
 that feed into Victoria’s Whole of Government Consolidated Annual Financial Report.
Merger of agencies during the compliance year
In cases where two or more agencies are merged during a compliance year, i.e. between
1 July and 30 June, a single FMCF certification is required for the merged agency.
The certification must reflect the compliance environment of the newly merged agency. The
certification should detail the reasons for the compliance level and state the details of the
merger. Any relevant instances of non-compliance identified by the agencies prior to the
merger should be documented in the certification.
Partially merged agencies
Where agencies partially merge, a certification for each agency is required.
Certification should reflect the compliance status of the agencies as at 30 June and detail
any areas that are partially or not compliant. The certification should detail the reasons for
the compliance level and state the details of the merger.
Departmental division moves to a different department
Departments should detail in the certification the level of financial management compliance
achieved by all of their divisions as at 30 June.
The certification should include divisions that have moved from one department to another
during the compliance year.
Agencies move portfolios
Agencies that move to a different portfolio during a compliance year should certify to the
portfolio to which the agency belongs as at 30 June.
The certification should incorporate the compliance status of the entity for the entire
compliance year.
Closing of an agency
Agencies that close during a compliance year should contact DTF for advice to determine if
certification is required for that financial year, and to arrange access to the compliance
monitoring system if necessary.
Note: the compliance monitoring system (CMS) will be updated to reflect any changes to agencies and portfolios
prior to 30 June certification.
User guide to Standing Direction 4.5.2
Direction requirement 27
Taxation
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
demonstrate compliance with Commonwealth Government taxation obligations and
concessions (Direction 4.5.2, Direction requirement 27).
The Direction stipulates that agencies must:
 annually review compliance with taxation and concession requirements;
 annually certify that taxation compliance and concession requirements have been met;
 develop and maintain taxation policies and procedures;
 develop and implement a taxation education program; and
 identify and rectify any taxation compliance issues.
Taxation compliance rules
A set of taxation compliance rules (the rules) supplement Direction 4.5.2 to assist agencies
in meeting the requirements.
The rules set out principles and specific procedures to follow so that compliance with the
Direction is achieved. Specifically, the rules assist VPS agencies to meet their compliance
obligations in relation to:
 Australian Business Number (ABN);
 Goods and Services Tax (GST);
 Pay As You Go (PAYG);
 Fringe Benefits Tax (FBT);
 Deductible Gift Recipient (DGR);
 Income Tax Exempt Charity (ITEC); and
 Fuel Tax Credits Scheme (FTCS).
Application of taxation compliance rules
The rules apply to agencies that must comply with the FMCF, that is agencies that:
 meet the ‘public body’ definition contained within section 3 of the Financial
Management Act 1994;
 have an Australian Business Number (ABN); and
 have Commonwealth taxation obligations (including GST, FBT and PAYG).
Compliance requirements
Compliance with the taxation direction and procedure is monitored through the taxation
compliance rules and associated guidance.
The Tax Compliance Review Questionnaire is used to assess compliance with the rules. This
should be the starting point of the annual taxation compliance assessment process.
Certification of compliance should be made annually to the Responsible Body and/or audit
committee (or equivalent).
Ultimate responsibility for taxation compliance rests with the agency. Accordingly, it is
anticipated that the Chief Finance and Accounting Officer, the Accountable Officer and the
Audit Committee are actively involved in taxation compliance matters.
More information
The taxation compliance rules are available in the ‘Standing Directions associated rules’
section of the DTF website.
User guide to Standing Direction 4.5.3
Direction requirement 28
Purchasing card
Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.3,
require agencies that operate purchasing cards to:
 establish a facility account, with a maximum monthly account limit, with the card
provider;
 ensure only one card is issued to employee cardholders:
– that are approved;
– with a maximum limit of $25 000 per card, unless approved by the Minister for Finance;
– that have a financial delegation and that individual transaction limits do not exceed
this delegation;
– requiring supporting documentation for all transactions and ensuring expenditure is
approved under delegation prior to settling the monthly account with the card
provider; and
 ensure cardholders use the card for official business and that purchases of goods and
services are for government purposes.
Monitoring and certification
Agencies must:
 ensure adequate monitoring and security procedures are in place;
 include a review of the card scheme and the use of cards issued in the internal audit
program; and
 certify annually that they have followed the purchasing card procedure.
Unauthorised use
The Direction also requires that:
 any instance of unauthorised use (see footnote 46) of a purchasing card must be reported to the Minister
for Finance and the audit committee following an inquiry by the accountable officer; and
 all instances of unauthorised use of purchasing cards for the period ending 30 June are to
be reported annually to the Minister for Finance.
Note: All reports of unauthorised use of purchasing cards should also be provided to the Audit Committee.
Internal controls for purchasing cards
When implementing the necessary internal controls for the card, public sector agencies and
cardholders are to apply the principles set out in the purchasing card rules for use and
administration (the rules), issued by the Department of Treasury and Finance.
The rules outline guiding principles and procedures that should be followed in relation to
the use and administration of the card.
46 An instance of unauthorised use is defined in Section 7 ‘Unauthorised Use’ of the Purchasing Card Rules for Use and
Administration.
Purchasing card rules for use and administration
The Purchasing Card Rules for Use and Administration (the rules), supplement Direction
4.5.3 and have been developed to assist cardholders and agencies in the interpretation and
application of the legislative requirements.
The rules aim to ensure agencies administer procurement using purchasing cards within a
controlled environment of strict procedures and guidelines, with clear consequences for
public servants or statutory officers who misuse cards.
Key principles for conduct
The following key principles are outlined in the rules for conduct of cardholders:
 cardholders must always act in the interests of the State, as opposed to their own
personal interests or convenience; and
 cardholders must perform their duties honestly, with skill and care.
Liability for charges
The liability for any charges on purchasing cards rests with the State and not the individual
cardholder. For this reason, the rules must be strictly adhered to as a means of limiting the
financial exposure of the State.
More information
The Purchasing Card Rules for Use and Administration are available in the ‘Standing
Directions associated rules’ section of the DTF website.
Please contact your portfolio coordinator directly if you have problems with access.
User guide to Standing Direction 4.5.4
Direction requirement 29
Thefts and losses
Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.4,
require the Responsible Body to ensure ‘all cases of suspected or actual theft, arson,
irregularity or fraud in connection with the receipt or disposal of money, stores or other
property of any kind whatsoever under the control of the agency are notified to the Minister
for Finance and the Auditor-General.’
Notification requirements
Where the receipt or disposal of money is:
 equal to or exceeds $1 000, the incident must be reported at the time of the occurrence
and an incident report must be submitted within two months; or
 less than $1 000 the incident must be reported annually for the period ending 30 June
together with an incident report.
For stores and property of any kind with a value:
 equal to or exceeding $20 000, the incident must be reported at the time of occurrence and
an incident report must be submitted within two months; or
 less than $20 000, the incident must be reported annually for the period ending 30 June
together with an incident report.
Incident report
The incident report must outline:
 whether internal controls and systems:
– have been reviewed; and
– have identified weaknesses that have been or will be rectified.
 the status of any proceedings, investigations or disciplinary actions;
 what has been recovered, whether by way of money, stores, other property or insurance;
and
 any other information that it appears appropriate to include.
Notification reports and incident reports provided to the Minister for Finance and the
Auditor-General should also be provided to the relevant Minister.
Thefts and losses rules
Direction 4.5.4 is supplemented by a set of Thefts and Losses Rules (the rules) which have
been developed to assist agencies.
The rules set out the principles and procedures to be followed in relation to the thefts and
losses monitoring and reporting requirements.
More information
The Thefts and Losses Rules are available in the ‘Standing Directions associated rules’
section of the DTF website. This supplementary material contains the following:
 Attitudes to fraud.
 Definition of fraud.
 Fraud control framework:
a. Fraud control policy.
b. Responsibility structures.
c. Fraud monitoring.
d. Fraud risk profile.
e. Employee awareness.
f. Fraud reporting systems.
g. External requirements.
h. Investigation procedures.
i. Code of conduct and discipline procedures.
This outline of a fraud control framework serves to raise awareness of, and therefore
minimise, the consequences of fraudulent or corrupt behaviour in relation to the conduct of
public service sector agencies’ business or activities.
Attitudes to fraud
State Government
The Victorian State Government is committed to the aims and objectives of good corporate
governance. It does not tolerate improper conduct by its employees and recognises the
value of transparency and accountability in its administrative and management practices.
This supplementary material has been developed:
 to assist agencies in developing a fraud control framework to suit the particular
operational requirements and circumstances of their business; and
 to assist agencies in reviewing, revising and implementing their own fraud control
framework.
Agencies
Effective fraud control requires the commitment and involvement of all public service sector
agencies, employees and external service providers. All agencies are potentially exposed to
losses as a result of fraud and corruption, which may damage their reputation and lead to
inappropriate or inefficient use of financial or physical resources. Agencies should be
committed to minimising the risk of fraud, not tolerating any act of internal fraud or corrupt
conduct, and taking steps to manage the risks of external fraud.
The guidelines for unacceptable behaviour are outlined in the Victorian Public Service Code
of Conduct which is the standard by which public sector behaviour is measured.
Definition of fraud
For the purpose of this supplementary material, fraud against the State of Victoria is defined
as ‘dishonestly obtaining a benefit by deception or other means’.
This definition includes, but is not limited, to the following types of fraud:
 theft;
 obtaining property, a financial advantage or any other benefit by deception;
 providing false or misleading information to the State Government, or failing to provide
information where there is an obligation to do so;
 causing a loss, or avoiding or creating a liability by deception;
 creating, using or possessing forged or falsified documents;
 bribery, corruption or abuse of office;
 unlawful use of public sector equipment including interfering with or hacking into
computers, misuse of vehicles, telephones and other property or services;
 relevant bankruptcy offences; and
 any offences of a like nature to those listed above.
Fraud can be perpetrated by:
 a public sector employee against a public sector agency or its programs;
 an agency or external individual against such an agency or its programs;
 a contractor or service provider against an agency or its programs; and
 any combination of the above, acting in collusion or otherwise.
Fraud control framework
It is vital that public sector agencies establish a fraud control framework to protect
themselves against loss or reputational damage. The framework should include a range of
proactive and reactive strategies designed to mitigate fraud.
The following table outlines the components of a fraud control framework. Each component
is discussed in detail in sections (a) to (i) in this supplementary material.
Please note that this list is a guide only and there are many other steps that an agency can
incorporate into their own framework to minimise fraud and tailor it to their individual
requirements, such as the introduction of a conflicts of interest policy.
a. Fraud control policy: As a part of the fraud control framework an agency should adopt a
fraud control policy that integrates components of the framework and is designed to meet
the specific needs of the organisation.
b. Responsibility structures: An agency should define the organisational responsibility for
fraud control to implement and give effect to a fraud control framework.
c. Fraud monitoring: On-going fraud monitoring activities can be encompassed into existing
assurance programs.
d. Fraud risk profile: Developing a fraud risk profile includes undertaking a fraud risk
assessment across areas of the organisation on a periodic basis, e.g. every two years. The
assessments examine the internal and external fraud risks (employee and
contractor/customer fraud) and also the potential for collusion.
e. Employee awareness: Fraud awareness training for all employees is essential to provide an
understanding of what constitutes fraud and to assist in recognising fraudulent behaviour.
f. Fraud reporting systems: A fraud control framework should have internal and external
reporting arrangements which include formal and informal mechanisms for reporting fraud.
g. External requirements: Policies and procedures should include consideration of the
requirement to report incidents of fraud or corruption to external authorities.
h. Investigation procedures: Formalised, documented procedures for internal investigations,
including reporting matters to the police and other external parties, should be
implemented as a part of the framework.
i. Code of conduct and discipline procedures: An agency’s Code of Conduct should support a
culture of honesty and integrity where fraud, corruption and dishonest acts will be
detected, investigated and, if required, disciplined.
a. Fraud control policy
A fraud control policy designed to meet the specific needs of an agency should be
developed and implemented.
The table below provides an example of a structure for fraud control policy and
procedures.
Example of potential structure for fraud control policy and procedures
Executive summary
 Introduction to policy;
 Objectives of the policy, e.g. management’s commitment for its responsibility
towards identifying fraudulent activity and establishing procedures for prevention
and detection;
 Definition of fraud;
 Agency’s statement of attitude towards fraud, which may incorporate and/or refer
to the code of conduct;
 Responsibility structures including:
– appointment of Fraud Control Officer and/or external support role; and
– fraud control responsibilities.
Fraud control strategies
 Fraud monitoring activities including:
– internal audit reviews;
– internal compliance reporting; and
– external obligation requirements.
 Fraud risk profiling and assessment;
 Implementation of proposed actions; and
 Employee awareness and conduct.
Fraud reporting
 Procedures for internal reporting of fraud;
 Procedures for external anonymous reporting;
 Protection for discloser reporting suspected fraud (see whistle-blowers);
 Procedures for reporting to police and external parties; and
 Reporting requirements.
Fraud investigation
 Procedures for internal investigations and reporting to external parties; and
 Documentation of results of investigation.
Disciplinary matters
b. Responsibility structures
The Accountable Officer and the Responsible Body are responsible for the system of
internal control, which includes the prevention and detection of fraud. The audit
committee also plays a role in the oversight of the operation and implementation of
the risk management framework.
Agencies should ensure that appropriate resources are allocated to fraud monitoring
and control.
Each agency should allocate appropriate personnel to:
 implement their fraud and corruption control initiatives;
 coordinate the fraud risk assessment procedures;
 record fraud incident reports; and
 conduct investigations of allegations of fraud.
Allocation of these resources may also require the assistance of specialist skilled
internal or external resources to the agency. Alternatively existing staff may need to
be trained to perform these roles.
Larger agencies should consider appointing a Fraud and Corruption Control Officer
who can implement practical fraud and control procedures, as well as training of all
staff in identification of risks.
When defining the responsibility structure an agency may wish to bear in mind that
management is responsible for the prevention of fraud; however, operational line
management is often in a better position to prevent and detect fraud by monitoring
the continued operation of controls to prevent fraud.
The Audit Committee is also responsible for overseeing an agency’s operation and
implementation of its risk management framework.
c. Fraud monitoring
Reviews for the monitoring and prevention of fraud can be encompassed into an
agency’s assurance programs and should also be reflected in the responsibility
structure.
Agencies can ensure fraud is monitored through existing assurance programs such as
internal audit, internal review and other review mechanisms. Ideas for the scope of
these reviews include:
 proactive fraud detection can be achieved by performing regular data mining reviews
using an automated detection program. This program assists an agency to identify
anomalous transactions and other data records that appear to be suspicious and
therefore might be worth further investigation;
 fraud risk reviews should be undertaken on a recurring basis to regularly monitor all
agency processes;
 monitoring of calls to the whistle-blowers hotline; and
 regular screening of new and/or promoted employees.
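As an added example of the automated data mining review described above (illustrative code written for this guide, not a DTF tool or part of the purchasing card rules), the following Python routine applies the Direction 4.5.3 purchasing card controls from Direction requirement 28 to one month of card transactions: cardholder approval, one card per employee, the $25 000 card limit, individual transactions within the cardholder’s delegation, supporting documentation and approval before settlement, and the facility account’s monthly limit. All cardholder and transaction records, field names and dollar amounts other than the $25 000 card limit are constructed, and the same-day split-purchase pattern is an added anomaly heuristic rather than a rule stated in the Direction.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Direction 4.5.3: maximum limit of $25 000 per card unless the Minister for Finance
# approves otherwise.
DEFAULT_CARD_LIMIT = 25_000.0


@dataclass(frozen=True)
class Cardholder:            # constructed record layout, not a DTF schema
    employee_id: str
    card_ids: tuple          # cards issued to this employee; the Direction allows only one
    approved: bool           # cardholder approval is on file
    delegation: float        # financial delegation, which caps each individual transaction
    card_limit: float = DEFAULT_CARD_LIMIT


@dataclass(frozen=True)
class Transaction:           # constructed record layout, not a DTF schema
    tx_id: str
    card_id: str
    tx_date: date
    amount: float
    merchant: str
    has_documentation: bool  # supporting documentation is held for the transaction
    delegate_approved: bool  # expenditure approved under delegation before monthly settlement


def review_month(cardholders, transactions, facility_limit):
    """Check one monthly account against the Direction 4.5.3 controls.

    Returns a sorted list of (check, reference) findings for follow-up by the
    card administrator or internal audit; an empty list means no exception.
    """
    findings = []
    holder_by_card = {}
    for holder in cardholders:
        if len(holder.card_ids) != 1:
            findings.append(("MULTIPLE_CARDS", holder.employee_id))
        if not holder.approved:
            findings.append(("CARDHOLDER_NOT_APPROVED", holder.employee_id))
        for card_id in holder.card_ids:
            holder_by_card[card_id] = holder

    spend_by_card = defaultdict(float)
    same_day_merchant = defaultdict(list)   # (card, date, merchant) -> amounts
    for tx in transactions:
        spend_by_card[tx.card_id] += tx.amount
        holder = holder_by_card.get(tx.card_id)
        if holder is None:
            findings.append(("UNKNOWN_CARD", tx.tx_id))
            continue
        if tx.amount > holder.delegation:
            findings.append(("EXCEEDS_DELEGATION", tx.tx_id))
        if not tx.has_documentation:
            findings.append(("MISSING_DOCUMENTATION", tx.tx_id))
        if not tx.delegate_approved:
            findings.append(("NOT_APPROVED_BEFORE_SETTLEMENT", tx.tx_id))
        same_day_merchant[(tx.card_id, tx.tx_date, tx.merchant)].append(tx.amount)

    # Added heuristic: several purchases, each within the delegation, that together
    # exceed it at one merchant on one day are anomalous and worth a closer look.
    for (card_id, _, merchant), amounts in same_day_merchant.items():
        delegation = holder_by_card[card_id].delegation
        if len(amounts) > 1 and max(amounts) <= delegation < sum(amounts):
            findings.append(("POSSIBLE_SPLIT_PURCHASE", f"{card_id}:{merchant}"))

    for card_id, total in spend_by_card.items():
        holder = holder_by_card.get(card_id)
        limit = holder.card_limit if holder else DEFAULT_CARD_LIMIT
        if total > limit:
            findings.append(("CARD_LIMIT_EXCEEDED", card_id))
    if sum(spend_by_card.values()) > facility_limit:
        findings.append(("FACILITY_LIMIT_EXCEEDED", "facility account"))
    return sorted(findings)


# Constructed sample data (not real cardholders, cards or transactions).
CARDHOLDERS = [
    Cardholder("E001", ("C1",), approved=True, delegation=2_000.0),
    Cardholder("E002", ("C2", "C3"), approved=False, delegation=5_000.0),
    # Higher card limit, as would require approval by the Minister for Finance.
    Cardholder("E003", ("C4",), approved=True, delegation=10_000.0, card_limit=40_000.0),
]
TRANSACTIONS = [
    Transaction("T1", "C1", date(2013, 8, 1), 1_500.0, "Office supplier", True, True),
    Transaction("T2", "C1", date(2013, 8, 5), 1_900.0, "Catering", True, True),
    Transaction("T3", "C1", date(2013, 8, 5), 1_200.0, "Catering", False, True),
    Transaction("T4", "C4", date(2013, 8, 9), 12_000.0, "Consultant", True, False),
    Transaction("T5", "C9", date(2013, 8, 12), 300.0, "Fuel", True, True),
    Transaction("T6", "C4", date(2013, 8, 20), 29_000.0, "IT hardware", True, True),
]
FACILITY_LIMIT = 45_000.0   # constructed maximum monthly account limit for the facility


def run_sample():
    """Review the constructed month; returns ten findings, including a split purchase."""
    return review_month(CARDHOLDERS, TRANSACTIONS, FACILITY_LIMIT)
```

Each finding carries the transaction, card or employee reference so it can be matched to the supporting documentation the Direction requires and, where unauthorised use is confirmed, reported under the Direction’s notification requirements.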
d. Fraud risk profile
A fraud risk profile includes the completion of a fraud risk assessment which identifies
weaknesses in procedures and controls and links them to risks across functions within
an organisation.
When preparing a fraud risk profile, high risk functions should be considered to
determine what controls are in place to prevent, detect, or deter fraudulent activity.
An assessment of whether the controls in place are sufficient can then be made and
an agency can determine if fraud control obligations can be met and whether external
support is required to determine the fraud risk profile. Each agency’s requirements
will vary when developing a fraud risk profile.
The table below outlines potential steps to consider when developing a fraud risk
profile.
Example of potential steps to consider when developing a fraud risk profile (the
‘Included’ box against each step is for the agency to tick once the step has been
addressed)
1. Consideration of the size of the agency [Included ☐]:
 are the internal controls robust in a large agency?
 are there any set guidelines to follow in a small agency?
2. Determine the number of staff working for the agency and identify associated
risks [Included ☐]:
 does the agency enforce segregation of duties?
 in a small agency, are only a few staff responsible for accounting procedures?
 in a large agency, are staff rotated on a regular basis to reduce the chance of
supplier familiarity, which can lead to improper relationships?
3. Management accountability [Included ☐]:
 has management effectively implemented the agency’s anti-fraud controls?
 is the code of conduct adhered to?
 has it been demonstrated that internal controls are important?
4. Undertake a fraud risk assessment – identify the risks [Included ☐]:
A fraud risk assessment considers fraud schemes and circumvention of existing
controls. It should be conducted on a systematic basis and could include:
 interviews with agency employees at different levels to identify risks relevant to
their role and area;
 identification and assessment of the risks in the processes that each area within
the agency relies on;
 identification of possible fraud risks that might occur in a typical administrative
situation; and
 review of the outcomes of previous risk treatment activities.
5. Undertake a fraud risk assessment – rate the risks [Included ☐]:
The probability and impact of each fraud need to be considered. Risk weightings
can be assigned to each fraud risk, such as:
 probable (rating 1);
 reasonably possible (rating 2); and
 remote (rating 3).
The impact and significance of fraud should also be identified. This could be
completed by:
 focusing on one area within the fraud risk profile at a time (e.g. HR);
 considering all the fraud risks associated with that area;
 considering the existing control measures that mitigate those risks;
 assessing whether the control measures are actively in place; and
 rating each control measure using the rating weightings.
6. Consideration of circumvention and overriding of controls by management
[Included ☐]:
Effectively designed internal controls should be in place to respond to the assessed
risk of management override.
7. Fraud control plan [Included ☐]:
Following the risk assessment and evaluation of potential fraud risks, a fraud
control plan should be implemented. Its control activities should be designed and
implemented to mitigate the identified fraud risks, and the risks acknowledged in
the plan should be monitored on a regular basis so that new risks are identified.
Areas and elements within a fraud risk profile
A fraud risk profile considers the potential for fraud across areas within an
organisation.
A potential fraud exposure can be described as an element.
The table below outlines examples of areas and potential fraud elements within an
area and can be used to assist in the development of a fraud risk profile.
Area – examples of elements of potential fraud within the area
Payroll:
 Duplicate payroll payments for personal gain.
 Continued payments to employees who have been terminated.
 Fraudulent payments in excess of authorised salary.
 Excessive payments of overtime as a proportion of gross salary.
 Fictitious employees on payroll.
 Lack of segregation of duties between accounting processes.
Accounts payable:
 Creation of fictitious invoices or bogus vendors.
 Duplicate invoice numbers and payments.
 Payments to vendors where the bank account matches the account number of an
employee and the vendor name is different from the employee name.
 Favourable payment of invoices (within five days).
 Misuse of purchasing card/cab charges/travel and expense claims.
 EFT fraud.
 Misappropriation of funds.
Petty cash:
 Poor controls over cash under lock and key.
 Lack of segregation of duties between receiving cash, issuing receipts and
making bank deposits.
 Regular reconciliations not performed.
 Infrequent cash deposits, allowing cash to accumulate.
Accounts receivable:
 Lack of control or system processes over generation of invoice numbers.
 Lack of segregation of duties between processing of accounts receivable,
posting to the ledger and issuing of receipts.
 Frequent credit notes and write-offs.
 No reconciliation of the accounts receivable sub-ledger to the general ledger
control account.
Physical assets:
 Poor controls over asset records.
 Personal use of assets.
 Theft of assets.
 Unlawful disposal of assets.
 Falsification of asset statements.
Tendering and contracting:
 Selection of a preferred supplier for personal gain, e.g. kickbacks.
 Paying a contractor more than they are entitled to.
 Payment to a supplier for services not performed.
 Conflicts of interest.
 Misuse of sensitive information in contracting.
 Fraudulent dealing in relation to capital projects.
 Collusion between employees and contractors.
Communications:
 Unauthorised acquisition of information.
 Fraudulent release of information.
 Fraudulent application of sponsorships/donations.
HR:
 Pre-employment screening.
 Fraudulent recording of attendance and/or changes to leave entitlements.
 Fraudulent workers’ compensation claims.
 Unauthorised disclosure of confidential employee information for profit.
Information technology:
 Unauthorised release of login and password details.
 Inadequate controls over software, resulting in unauthorised staff accessing
systems.
 Downloading of inappropriate material from the internet.
 Installation of pirated software on the organisation’s computers.
 Theft of data, hardware or software.
 Manipulation of output from IT processes for fraud.
Motor vehicles:
 Unauthorised private use of vehicles.
 Theft or substitution of accessories or tools.
 Use of a petrol card for private vehicles.
 Falsification of vehicle logs.
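The ‘automated detection program’ described under the assurance-program reviews above, and several of the payroll and accounts payable elements in the table (duplicate payroll payments, continued payments to terminated employees, excessive overtime, duplicate invoice payments, a vendor bank account that matches an employee’s account, invoices paid within five days), can be expressed as data-mining rules run over an agency’s own records. The Python script below is an added example written to illustrate this guide; it is not part of the Department of Treasury and Finance guide or any agency’s system. The employee, payroll, vendor and payment records are constructed sample data, and the record layout, the 30 per cent overtime threshold and the rule names are assumptions; the five-day payment threshold follows the table above.

```python
"""Rule-based fraud data-mining checks over constructed payroll and accounts
payable records. Added example: record layouts, rule names and the 30 per cent
overtime threshold are assumptions, not taken from the user guide."""
from collections import Counter
from datetime import date

# Constructed sample data (not real agency records).
EMPLOYEES = [
    {"id": "E001", "name": "A. Citizen", "bank": "063000-11111111", "terminated": None},
    {"id": "E002", "name": "B. Nguyen",  "bank": "063000-22222222", "terminated": date(2013, 5, 31)},
    {"id": "E003", "name": "C. Patel",   "bank": "063000-33333333", "terminated": None},
]
PAYROLL = [  # one row per payment in a pay run
    {"emp": "E001", "paid": date(2013, 6, 14), "gross": 3200.0, "overtime": 400.0},
    {"emp": "E002", "paid": date(2013, 6, 14), "gross": 2900.0, "overtime": 0.0},     # paid after termination
    {"emp": "E003", "paid": date(2013, 6, 14), "gross": 3000.0, "overtime": 1500.0},  # 50 % overtime
    {"emp": "E003", "paid": date(2013, 6, 14), "gross": 3000.0, "overtime": 1500.0},  # duplicate payroll payment
]
VENDORS = {
    "V100": {"name": "Acme Supplies Pty Ltd", "bank": "083000-99999999"},
    "V200": {"name": "Northside Consulting",  "bank": "063000-33333333"},  # same account as E003
}
AP_PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-1001", "invoiced": date(2013, 6, 3),  "paid": date(2013, 7, 1), "amount": 1250.00},
    {"vendor": "V100", "invoice": "INV-1001", "invoiced": date(2013, 6, 3),  "paid": date(2013, 7, 8), "amount": 1250.00},  # duplicate
    {"vendor": "V200", "invoice": "NC-77",    "invoiced": date(2013, 6, 10), "paid": date(2013, 6, 12), "amount": 8800.00}, # paid in 2 days
]

FAST_PAYMENT_DAYS = 5        # "favourable payment (within five days)" from the guide's table
OVERTIME_RATIO_LIMIT = 0.30  # assumed threshold for "excessive" overtime as a share of gross


def run_fraud_checks(employees, payroll, vendors, ap_payments):
    """Return a list of (rule, reference, detail) findings for a reviewer to follow up."""
    findings = []
    emp_by_id = {e["id"]: e for e in employees}
    emp_by_bank = {e["bank"]: e for e in employees}

    # Payroll: identical payments in one run, payments after termination, excessive overtime.
    for (emp_id, paid, gross), n in Counter((p["emp"], p["paid"], p["gross"]) for p in payroll).items():
        if n > 1:
            findings.append(("duplicate_payroll_payment", emp_id, f"{n} identical payments of {gross} on {paid}"))
    for p in payroll:
        emp = emp_by_id[p["emp"]]
        if emp["terminated"] and p["paid"] > emp["terminated"]:
            findings.append(("paid_after_termination", p["emp"], f"paid {p['paid']} after termination on {emp['terminated']}"))
        if p["gross"] and p["overtime"] / p["gross"] > OVERTIME_RATIO_LIMIT:
            findings.append(("excessive_overtime", p["emp"], f"overtime is {p['overtime'] / p['gross']:.0%} of gross"))

    # Accounts payable: duplicate invoice payments, employee account behind a vendor, fast payment.
    for (vendor, inv), n in Counter((a["vendor"], a["invoice"]) for a in ap_payments).items():
        if n > 1:
            findings.append(("duplicate_invoice_payment", vendor, f"invoice {inv} paid {n} times"))
    for vid, v in vendors.items():
        emp = emp_by_bank.get(v["bank"])
        if emp and emp["name"] != v["name"]:
            findings.append(("vendor_bank_matches_employee", vid, f"account {v['bank']} belongs to employee {emp['id']}"))
    for a in ap_payments:
        days = (a["paid"] - a["invoiced"]).days
        if days <= FAST_PAYMENT_DAYS:
            findings.append(("fast_payment", a["vendor"], f"invoice {a['invoice']} paid in {days} days"))
    return findings


if __name__ == "__main__":
    for rule, ref, detail in run_fraud_checks(EMPLOYEES, PAYROLL, VENDORS, AP_PAYMENTS):
        print(f"{rule:30} {ref:6} {detail}")
```

Each finding is a lead for the internal reviewer, not a conclusion: a vendor sharing an employee’s bank account can be legitimate (for example an employee also engaged as a sole-trader contractor), so the output names the records to examine rather than delivering a verdict. In a real review the same rules run against exports from the payroll and finance systems, and the thresholds are tuned to the agency’s volumes.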
Detailed elements within an area
In order to explain how an element within an area can be included in a fraud risk
profile an example on pre-employment screening has been provided below.
Area: HR
Element: Pre-employment screening
Explanation: Pre-employment screening is the verification of a candidate’s
background for employment purposes. The screening of potential employees has
proven to be a valuable risk management tool and is considered by experts to be
the most effective way of minimising and guarding against potential security risks,
by identifying undesirable employees before they join the organisation.
Potential steps for a pre-employment screening process
1. Development of an effective pre-employment screening process for employees before
the commencement of employment, on promotion and prior to the completion of the
probationary period, paying particular attention to those positions with higher risk
exposures.
2. Enquiries should be undertaken as part of the employment process to verify identity
and credentials and to validate employment history. These checks could include:
 the verification of two forms of identification, such as a driver’s licence or a passport;
 a Victoria Police criminal history search;
 verbal reference checks with the candidate’s last two employers;
 consideration of, and the reasons for, any discrepancies or gaps in the employment
history provided on the candidate’s curriculum vitae; and
 confirmation of any formal qualifications obtained.
A review of a fraud risk profile for the element in this area would include examination
of documented procedures and testing of controls.
e. Employee awareness
Employee awareness about fraud is important for the prevention and control of both
internal and external fraud.
For a fraud awareness program to be effective, training should initially be delivered to
all staff.
It is important to update and present the program on a regular basis to ensure the
continuing identification of fraud weaknesses and development of controls (from
regular fraud risk assessments) is communicated. The agency should determine its
own regularity for fraud awareness training.
Induction programs for new staff could include information and training about fraud
prevention, detection and reporting of fraud or corruption as well as employee
malpractice.
A fraud awareness program for employees could include information about the
following:
Considerations for developing a fraud awareness program for employees (the
‘Included’ box against each item is for the agency to tick once it has been addressed)
 Fraud awareness training should be provided to all staff. [Included ☐]
 Development of a training program to raise the level of awareness of fraud issues,
to assist employees to identify, prevent and control fraud. [Included ☐]
 Fraud awareness training should cover: [Included ☐]
– culture and ethics
– code of conduct
– identification of fraud
– prevention
– detection
– fraud profiles, e.g. behavioural characteristics
– responsibility structure
– reporting and obligations
– consequences.
 Short training sessions (one to two hours) should be scheduled on a periodic basis.
[Included ☐]
 Supporting documentation should be available in hard copy and on the intranet.
[Included ☐]
 A record of the training sessions, including dates and attendees, should be kept.
[Included ☐]
f. Fraud reporting systems
A fraud control framework should have internal and external reporting arrangements
which include formal and informal mechanisms for reporting fraud.
It should also include documented procedures for the receipt, retention and
treatment of complaints and confidential, anonymous disclosures of concern by
employees or external third parties. Best practice is the establishment of an
independent ethics/whistle-blower hotline to allow employees to make protected
disclosures in relation to unethical behaviour.
Agencies need to ensure that all employees are able to report suspicious behaviour or
unethical conduct. This could include reporting through the agency’s usual
organisation structure or internal/external anonymous reporting channels, for
example, a whistle-blower hotline discussed earlier.
Whistle-blower
Agencies should encourage employees to report suspicions of fraud and the
Whistleblowers Protection Act 2001 (the Act) provides protection to employees
making disclosures of improper conduct by public bodies or public sector employees.
The three key areas of inappropriate conduct falling within the realm of
whistle-blower reporting are:
1. ‘Improper conduct by a public body or public official’.
This incorporates conduct that is corrupt, a substantial mismanagement of public resources, or
conduct involving substantial risk to public health or safety or to the environment.
2. ‘Corrupt conduct’.
This includes conduct that adversely affects the honest performance of a public officer’s or public
body’s functions; conduct that amounts to a breach of public trust or misuse of information or
material acquired in the course of official functions; the performance of an employee’s
functions dishonestly or with inappropriate partiality; and a conspiracy or attempt to engage in
any of the aforementioned conduct.
3. ‘Detrimental action’.
The Act makes it an offence for a person to take detrimental action against a person in
reprisal for a protected disclosure, including action causing injury, loss or damage, intimidation
or harassment, and discrimination or disadvantage in relation to a person’s employment,
including taking disciplinary action.
The following table outlines steps to consider when developing a policy and
procedures for whistle-blower reporting.
Steps to potentially consider when developing whistle-blower policy and
procedures (the ‘Included’ box against each step is for the agency to tick once the
step has been addressed):
1. Establishment of a policy which outlines the agency’s commitment to a
culture of corporate compliance and ethical behaviour. [Included ☐]
2. A statement in the policy which defines unethical behaviour and
encourages reporting to approved personnel. [Included ☐]
3. A statement emphasising the benefits and significance of a whistle-blower
system. The policy should also encourage immunity for whistle-blowers.
The objectives of a whistle-blower system are to: [Included ☐]
 encourage reports of corruption and illegal practices that can cause loss to
an agency or damage its reputation;
 enable an agency to protect the identity of the whistle-blower;
 enable an agency to protect the whistle-blower from reprisal; and
 provide the framework, including the nomination of a Coordinator, Welfare
Officer and Investigator as well as alternative means of reporting.
4. Provision of resources to support a whistle-blower procedure, including
the appointment of a whistle-blower protection officer and a whistle-blower
investigations officer, an internal reporting line, regular training for all
relevant employees and a mechanism for appeals. [Included ☐]
5. Establishment of reporting mechanisms which detail how and where to report
suspicions of fraud. Details of these mechanisms should be communicated to
all employees and be easily accessible, e.g. on an intranet site. [Included ☐]
6. A policy statement guaranteeing that reports of reportable conduct will
be held in the strictest confidence. [Included ☐]
7. Communication by the agency that the whistle-blower will be kept informed
of the outcomes of the investigation. [Included ☐]
8. Reported conduct should be investigated by the Whistle-blower
Investigations Officer. [Included ☐]
9. All reportable conduct investigated by the Whistle-blower Investigations
Officer should be reported to the CEO or another senior executive. [Included ☐]
In addition to the Whistle-blower Investigations Officer within a public sector agency,
reports of improper or corrupt conduct may be made in writing or by telephone to
the agency’s nominated Protected Disclosure Officer. Alternatively, disclosures may
be made directly to the Ombudsman for Victoria.
g. External Requirements
An agency should have formal procedures outlining its external notification
obligations, and mechanisms to record outcomes and meet reporting requirements.
External notification and reporting obligations are set out in the Financial
Management Act 1994 (the ‘FMA’). All incidents of theft or losses must be reported to
the Minister for Finance and the Auditor-General.
The reporting timeframe will depend on the value of the theft or loss.
Agencies should refer to the Theft and Losses Rules pursuant to the Financial
Management Act 1994 for further details on reporting thresholds and timeframes.
In addition, the agency is to provide an incident report to the Minister for Finance and
the Auditor-General.
The incident report must outline the following:
 whether internal controls and systems have been reviewed;
 whether the weaknesses identified have been rectified;
 the status of any proceedings, investigations or disciplinary actions; and
 what has been recovered.
h. Investigations procedures
Best practice suggests that agencies should establish standardised procedures for
tracking, responding to, investigating and assessing allegations of fraud. Procedures
could include a written plan for tracking and responding to allegations of misconduct.
Where appropriate, the investigative process should allow for an investigation
independent of management.
Consideration should also be given to ensuring that any initial action or full
investigation preserves evidence and follows other legal rules and principles, so
that it does not complicate any formal investigation.
i. Code of conduct and discipline procedures
It is important that an agency’s code of conduct supports a culture of honesty and
integrity where fraud, corruption and dishonest acts will be detected, investigated
and if required, disciplined.
The Victorian public sector Code of Conduct is a public statement of how agencies
should conduct their business and how they should treat their clients and colleagues.
It supports the legislation in relation to public administration in Victoria.
Agencies should be committed to effectively managing discipline and misconduct to
ensure that their standards of work performance and conduct are maintained.
Other references
There are a number of other references that should be considered when developing a fraud
control framework for example:
 legislation and regulations in relation to:
– financial management;
– public sector administration;
– whistle-blowers protection; and
– information privacy.
 codes of practice and/or good practice guides such as:
– code of conduct (Victorian public sector);
– financial code of practice; and
– whistle-blower guidelines (Ombudsman's Office).
 Australian Standards in relation to:
– fraud and corruption control;
– organisational codes of conduct; and
– whistle-blower protection.
User guide to Standing Direction 4.5.5
Direction requirement 30
Risk management compliance
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to
implement and maintain risk management governance, systems and reporting requirements
as outlined in the Victorian Risk Management Framework.
Direction 4.5.5 requires agencies to:
 conduct an annual review of their obligations under this Direction;
 identify and rectify any failure or deficiency in complying with this Direction; and
 provide an attestation that their risk identification and management plan is consistent
with AS/NZS ISO 31000:2009 or equivalent.
Compliance requirements
For details regarding compliance requirements for this Direction, agencies must refer to the
Victorian Risk Management Framework issued by the Minister for Finance in July 2007.
The framework document outlines the requirements and also contains example attestation.
More information
The Victorian Risk Management Framework can be obtained from the Department of
Treasury and Finance or found at www.dtf.vic.gov.au.
User guide to Standing Direction 4.5.6
Direction requirement 32
Treasury risk management
Introduction
The Standing Directions of the Minister for Finance require agencies to undertake all
borrowings, investments and financial arrangements with a financial institution that is either
a State owned entity or has a credit rating, assigned by a reputable rating agency, that is the
same as or better than the State of Victoria.
Note that there are a number of exceptions to this Direction:
 Where a public sector agency has been granted specific borrowing or investment powers
under its constituting legislation, this Direction will not apply (see explanatory note);
 Where the investment is cash on hand in a transactional bank account with an authorised
deposit-taking institution (ADI);
 Where the financial arrangement is a foreign currency hedging transaction of less than
$1 000 000 undertaken with an ADI;
 Where a public sector agency is operating a bank overdraft as part of its normal
transactional banking operations;
 Where amounts invested by the public sector agency with an ADI, excluding cash on
hand in a transactional bank account, do not in aggregate exceed $2 000 000;
 Where the public sector agency holds money, other than money held on trust for the
State or a public body, invested pursuant to a statutory function to hold it on trust for a
known beneficiary; or
 Where, following consultation with the public sector agency’s portfolio Minister, the
Treasurer has in writing approved otherwise.
Explanatory note:
Where a public sector agency merely has general powers to do things necessary or
convenient to perform its functions or achieve its objects, this Direction will apply to that
agency’s borrowings or investments. Where specific borrowing and/or investing powers are
provided, e.g. investment powers for registered funded agencies under the Health Services
Act 1988, this Direction will not apply to those investments. Agencies must:
 conduct an annual review of their obligations under this Direction; and
 identify and rectify any failure or deficiency in complying with this Direction.
Application for other exceptions
Any investments held by government agencies outside the centralised framework, apart
from the above exceptions must be approved by the Treasurer and reported to the
Department of Treasury and Finance semi-annually. Applications for approval and reporting
of such investments should be forwarded to:
The Director
Financial Assets and Liabilities Group
Department of Treasury and Finance
Level 5, 1 Treasury Place
Melbourne VIC 3002
Centralised treasury and investment policy
A centralised treasury and investment policy has been issued by the Treasurer. High level
details of the policy are included below.
Background
The objectives of the policy are to ensure that treasury risks are effectively identified,
assessed, monitored and managed by public sector agencies, and that the strategies
adopted by public sector agencies are consistent with the overall objectives of the
government.
The State has a conservative philosophy for the management of treasury risks and
accordingly, public sector agencies are encouraged to develop specific measures that best
address the borrowing and investment risks of their business.
As part of the State’s prudent approach to financial risk management, the government has
established the Treasury Corporation of Victoria (TCV) and Victorian Funds Management
Corporation (VFMC) as centralised agencies to manage the borrowing, investing and
financial market activities of public sector entities. A key reason for taking this action is so
that the government has assurance that government agencies are dealing with bodies that
are owned by the State and therefore have a credit rating equal to that of the State. In order
to minimise the State’s overall financial risk it is important that the State’s borrowing and
investment activities be undertaken through these agencies.
Operating guidance
TCV manages borrowings and short-term deposits, facilitates financial arrangements to
hedge, protect or manage the value of assets and liabilities, and executes the associated
transactions. VFMC manages long-term investments, advises and/or implements diversified
investment strategies, and executes the associated transactions. These centralised
arrangements create significant benefits as they:
 provide the capacity to net the State’s borrowings and investments prior to approaching
financial markets, thus reducing its overall borrowing program;
 create economies of scale which reduces execution and administration costs;
 enable the State’s overall counterparty risk to be monitored and managed;
 improve prudential oversight of the State’s overall borrowings and investments; and
 allow the concentration of appropriate financing and investment expertise, rather than
being spread thinly across a range of public sector agencies.
Under the centralised framework all borrowings, short term investments and financial
arrangements should be dealt through TCV which can advise on appropriate funding,
hedging and investing structures taking into account the financial requirements and risk
appetite of the public sector agency.
Where it is clear that an entity has a long term investment need, the entity should approach
VFMC directly (where appropriate, TCV will refer the entity to VFMC). Relevant approval
processes are to be followed before the transactions can be undertaken.
Transition arrangements
In terms of transition arrangements, there may be a number of public sector agencies that,
prior to the issuance of this policy, have entered into short term investments, such as term
deposits with commercial banks that may incur break costs if they are withdrawn prior to
maturity.
Where substantial break costs for early withdrawal exist, these short term investments are
permitted to continue to maturity, after which the proceeds must be invested with the
centralised agencies.
User guide to Standing Direction 4.5.7
Direction requirement 33
Foreign exchange risk management
Introduction
This Standing Direction requires a public sector agency that:
 has a foreign currency exposure that is in aggregate AUD $1 million or more and is known
with certainty (with respect to the timing and a minimum quantity), to fully hedge the
exposure with Treasury Corporation of Victoria (TCV); and
 has a foreign currency exposure that is in aggregate less than AUD $1 million and is
known with certainty, to hedge the exposure where it is considered material with TCV or
an authorised deposit-taking institution (ADI).
Hedging transactions greater than AUD $1 million outside of TCV will require the written
approval of the Treasurer.
Definition and example of foreign currency exposure
Foreign exchange risk is a risk to operating result or capital due to a change in foreign
exchange rates. Foreign exchange risk arises:
 when a cash payment or receipt is denominated in a foreign currency; or
 an Australian dollar cash payment or receipt is determined by a foreign currency amount
converted to Australian dollars at an exchange rate prevailing at some future date.
Exposure to changing foreign exchange rates often arises indirectly in the normal course of
business. It may occur when purchasing products from a foreign supplier and a fall in the
value of the Australian dollar may reduce the operating margin. In some instances the
foreign currency exposure may be embedded in the terms of a contract, such as an
agreement to purchase goods from an offshore supplier. To assist public sector agencies to
determine exposures, it is important to consider the likely amount and timing and the
degree of certainty attached to both.
The direction is not intended to cover investments such as foreign equities that form part of
a diversified portfolio.
Foreign exchange hedging
Hedging is the process of ‘locking in today’ the exchange rate for a transaction that will take
place at some future date. Hedging is a means of protecting against exchange rate
uncertainty. A public sector agency will be able to buy or sell at an agreed price, regardless
of how the actual exchange rate changes. Hedging protects against adverse exchange rate
changes but also excludes any benefit arising from favourable movements.
The most common instrument used to hedge foreign exchange currency exposures is a
forward foreign exchange contract (see example below). With a forward foreign exchange
contract a foreign exchange rate for any future date can be set today. When the future date
arrives, the foreign exchange transaction is settled based on the agreed exchange rate
regardless of where the actual exchange rate is on settlement day. These contracts and
other foreign exchange instruments can be provided by TCV, see contact details below.
On 30 August, a public sector agency signs a contract to buy medical equipment from
a supplier in Germany for EUR €1 million, with an agreed payment date of 30 September. If
the current one-month forward exchange rate is 0.75 (euro per Australian dollar), the cost
of the equipment in Australian dollars is approximately AUD $1.33 million
(1 000 000 / 0.75). Because the exposure exceeds AUD $1 million and the amount and
timing are certain, the public sector agency is required to hedge with TCV. If the agency
does not hedge and the exchange rate on 30 September is 0.71, the equipment will cost
approximately AUD $1.41 million (1 000 000 / 0.71), about AUD $75 000 more than the
hedged cost.
State purchase contracts
When a public sector agency purchases goods and services using fixed price state purchase
contracts, it reduces its foreign currency and commodity price exposure. This is
because the prices are fixed for a period of time, sometimes three or more years, and
generally should not fluctuate. This includes items purchased under Health Purchasing
Victoria contracts and whole of Victorian Government contracts.
There could be a higher exposure to foreign exchange or commodity price risk when a public
sector agency negotiates pricing for goods and services directly with the supplier, for
example when a public sector agency purchases directly from an overseas supplier in an
overseas currency. Public sector agencies purchasing goods and services directly from a
supplier and negotiating individual pricing need to be aware of the requirements of
Standing Directions 4.5.7 and 4.5.8.
Materiality
A public sector agency that has a foreign currency exposure that is in aggregate less than
AUD $1 million and is known with certainty must hedge the exposure where it is considered
material. Determining what is a material risk is the responsibility of the public sector agency.
Below is some high level guidance:
 Materiality is the concept of establishing the importance of information in accordance
with Australian Accounting Standard AAS 5. In general an item of information is material
if its omission, nondisclosure or mis-statement from the financial statements would
adversely affect a user’s decisions about the allocation of scarce resources.
 It is expected that public sector agencies will include within the policy a definition for
materiality based on their knowledge of the agency’s circumstances.
Authorised deposit-taking institution (ADI)
For a complete list of ADIs please visit the Australian Prudential Regulation Authority’s
website.
http://www.apra.gov.au/adi/Pages/adilist.aspx
Accounting Implications
Public sector agencies are required to comply with relevant Australian accounting standards
and Financial Reporting Directions (FRDs). For guidance regarding accounting for financial
instruments and hedge transactions, please refer to FRDs 114A and 116.
Exemptions
Agencies with a legitimate business reason not to comply with this direction must seek the
written approval of the Treasurer. An example of where an exemption might be considered
is where TCV could not provide a suitable hedging product. Agencies seeking an exemption
should first contact DTF using the contact details below.
The Director, Financial Assets and Liabilities Group
Department of Treasury and Finance
Level 5, 1 Treasury Place
Melbourne VIC 3002
Telephone: 9651 0922
TCV contact
For further information regarding hedging instruments and process, please consult TCV.
Treasury Client Services
Treasury Corporation of Victoria
Level 12, 1 Collins Street
Melbourne VIC 3000
Tel: 9650 7577
Fax: 9650 7557
Foreign exchange risk policy content
It is expected that public sector agencies will have a policy in place to address foreign
exchange risk; it may be incorporated in an overall treasury management policy. The
policy should include the following:
Objective of policy
Definition of foreign exchange risk
Definition of materiality
Level of exposure to foreign exchange risk
 Each public sector agency is expected to determine their level of exposure to foreign
exchange risk for inclusion within the policy.
Risk owner
 Each public sector agency is expected to assign a person within the organisation to be the
risk owner, who is responsible for the management of foreign exchange risk, and include
his/her details within the policy.
Responsibilities
 List of board, committee/s and/or person/s responsible for foreign exchange risk,
including details of their responsibilities of each in relation to foreign exchange risk.
Foreign exchange risk management
 Details on how the foreign exchange risk will be managed. This is expected to include
what products would be used to hedge the agency’s foreign exchange risk, and any
applicable restrictions (e.g. no historical rate rolls, no sold positions on options, no
trading, no leveraging).
Monitoring
• Details of how foreign exchange risk is to be monitored by the public sector agency. This
should include details on periodic monitoring or reporting, and procedures in place to
monitor any policy breaches.
Delegation of authority
• Details of any delegated authorities and any limitations on the authority.
Frequency of review
• Details on how often the policy is to be reviewed.
Sample foreign exchange policy
Foreign exchange risk
Definition
Foreign exchange risk is the risk of financial loss due to adverse movements in exchange
rates.
A foreign exchange exposure is considered material if the value of the exposure is in excess
of AUD$250 000.
The current operation of agency ABC does not create exposure to foreign exchange risk. If
foreign exchange risks are identified, the matter will be referred to the audit and risk
committee and Board.
Objective
The objective is to ensure that when such risks are identified, the audit and risk committee
and Board are notified promptly. Then the objective will be to identify all foreign exchange
exposures and ensure that material exposures which are known with certainty in respect of
both timing and amount are fully hedged.
Responsibilities
Executive Manager Finance and Customer Services to:
(a) ensure that all borrowings are through TCV and hence there should be no foreign
exchange exposures from borrowings;
(b) inform the audit and risk committee and Board of any foreign exchange risks identified
and the appropriate actions taken or to be taken in managing the risk; and
(c) raise any other matters that may need to be considered by the audit and risk committee
and Board in relation to the management of foreign exchange risk.
Audit and risk committee
To recommend to the Board:
(a) to consider any matters in relation to the management of foreign exchange risk.
Board
(a) to note the hedging of any foreign exchange exposures which are known with certainty
in respect of both timing and amount; and
(b) to consider any other matters in relation to the management of foreign exchange risk.
Foreign exchange risk management
The financial arrangements to hedge, protect or manage foreign exchange exposures as
authorised by DTF are:
(a) forward foreign exchange contract;
(b) option on foreign exchange; and
(c) any combination of the above.
Historic rate rolls are not permitted in terms of this policy.
In relation to options on foreign exchange, sold positions are specifically not permitted.
Usage of risk management products to manage financial risk is restricted to bona fide
hedging purposes only. For the purpose of this policy document, the following criteria must
be met to constitute a hedge:
(a) the item to be hedged must expose agency ABC to financial risk from exchange rate
movements. In particular, the item must not already be effectively hedged by an
offsetting risk;
(b) the instrument must be designated as a hedge at the time of taking out the hedge;
(c) no trading is permitted. All hedges must match an underlying exposure; and
(d) the underlying exposure shall not be levered through the use of derivatives or any other
instruments that have a leveraging effect.
Material foreign currency positions must be marked-to-market on a regular basis, at least
monthly.
The methodology used to value the foreign currency positions must conform to generally
accepted commercial practice.
User guide to Standing Direction 4.5.8
Direction requirement 34
Commodity risk management
Introduction
This Standing Direction requires that:
• a public sector agency develop appropriate policies and procedures for managing
exposure to specific commodity risk where it is considered these risks could have a
material impact on the business; and
• a public sector agency must consider whether fully hedging the exposure is appropriate.
It is important to note that full or partial hedging of the exposure is not a requirement
but should be considered by the public sector agency where the exposure is material to
the business.
Definition and example of commodity risk
Commodity risk is a risk to operating result or capital due to a change in the price of a
commodity that is a key input or output of a business.47 For example, a transport
organisation will be required to purchase fuel to operate its fleet. A commodity price risk
arises because the future price of fuel is uncertain. If fuel prices are rising the organisation
will have to pay more for fuel, and this might reduce the organisation’s operating margins if
the increased prices cannot be passed on to the customers.48
Commodity is defined as:
A tradable item that can generally be further processed and sold; includes industrial
(metals such as aluminium), agricultural (wool, wheat, sugar, etc.), and bulk (coal, iron
ore) goods. Commodities are important to the Australian economy as they account for
the majority of our exports. From Australian dictionary of investment terms.
Examples of a definition of commodity price risk that could be included in a policy are
below:
• Commodity price risk is the risk that a change in the price of a commodity that is a key
input or output of a business will adversely affect its financial performance; and
• Commodity price risk is defined as the risk that changes in commodity prices will have an
impact on the cost of purchased raw materials and the proceeds received for
commodities sold.
Commodity hedging
Hedging is the process of reducing or removing the price risk associated with a particular
exposure. Hedging is a means of protecting against price uncertainty. The most common
hedging strategy is to set a future price of a commodity today by using a forward rate
contract. These contracts can be provided by the Treasury Corporation of Victoria (TCV), see
contact details below. By using this type of contract a public sector agency can have
certainty today what price it will pay in the future for a commodity. Regardless of how the
actual commodity price changes, a public sector agency will be able to buy at an agreed
price. The forward contract protects against price rises but also excludes any benefit arising
from falling prices.
47 Whole of State Risk Map.
48 http://www.invesco.com.au/web/webdict.nsf/lookuptermsmall/commodity?opendocument.
If the regular course of business does not involve speculating on future commodity prices
and commodity exposure is seen as material, consideration should be given to hedging.
State purchase contracts
When a public sector agency purchases goods and services using fixed price state purchase
contracts they are reducing their foreign currency and commodity price exposure. This is
because the prices are fixed for a period of time, sometimes for three years or more, and
generally should not fluctuate. This includes items purchased under Health Purchasing
Victoria contracts and whole of Victorian Government contracts.
There could be a higher exposure to foreign exchange or commodity price risk when a public
sector agency negotiates pricing directly for goods and services with the supplier, for
example when a public sector agency purchases directly from an overseas supplier in an
overseas currency. Public sector agencies purchasing goods and services directly from a
supplier and negotiating individual pricing need to be aware of the requirements of
Standing Directions 4.5.7 and 4.5.8.
Materiality
It is the responsibility of the public sector agency to develop policies and procedures for
managing exposure to specific commodity risk where it is considered these risks could have
a material impact on the business. Determining what is a material risk is the responsibility of
the public sector agency. Below is some high level guidance:
• materiality is the concept of establishing the importance of information in accordance
with Australian Accounting Standard AAS 5. In general, an item of information is material
if its omission, non-disclosure or mis-statement from the financial statements would
adversely affect a user’s decisions about the allocation of scarce resources.
Accounting implications
Public sector agencies are required to comply with relevant Australian accounting standards
and Financial Reporting Directions (FRDs). For guidance regarding accounting for financial
instruments and hedge transactions, please refer to FRDs 114A and 116 published on the
DTF website.
Treasury Corporation of Victoria contact details
For further information regarding hedging instruments, please contact TCV.
Treasury Client Services
Treasury Corporation of Victoria
Level 12, 1 Collins Street
Melbourne VIC 3000
Tel: 9650 7577
Fax: 9650 7557
Commodity risk policy content
The commodity risk policy may be incorporated in an overall treasury management policy.
The policy should include the following:
Objective of policy
Definition of commodity risk
Definition of materiality
Level of exposure to commodity risk
• Each public sector agency is expected to determine its level of exposure to commodity
risk for inclusion within the policy.
Risk owner
• Each public sector agency is expected to assign a person within the organisation to be the
risk owner, who is responsible for the management of commodity risk, and include
his/her details within the policy.
Responsibilities
• List of Board, committee/s and/or person/s responsible for commodity risk, including
details of the responsibilities of each in relation to commodity risk.
Commodity risk management
• Details on how the commodity risk will be managed. This is expected to include what
products would be used to hedge the agency’s commodity risk, and any applicable
restrictions (e.g. no sold positions on options, no trading, no leveraging).
Monitoring
• Details of how commodity risk is to be monitored by the public sector agency. This
should include details on periodic monitoring or reporting, and procedures in place to
monitor any policy breaches.
Delegation of authority
• Details of any delegated authorities and any limitations on the authority.
Frequency of review
• Details on how often the policy is to be reviewed.
Sample commodity risk policy
Definition
Commodity risk is the risk of financial loss resulting from movements in price of commodity
inputs and/or outputs.
The current operation of ABC does not create exposure to commodity risk. If commodity
risks are identified, the matter will be referred to the audit and risk committee and the
Board.
Objective
The objective is to ensure that when such risks are identified, the audit and risk committee
and Board are notified promptly.
Responsibilities
Executive Manager Finance and Customer Services
(a) To inform the audit and risk committee and Board of any commodity risks identified and
the appropriate actions taken or to be taken in managing the risk; and
(b) To raise any other matters that may need to be considered by the audit and risk
committee and Board in relation to the management of commodity risk.
Audit and Risk committee
To recommend to the Board:
(a) To note any commodity risk and the actions to be taken to manage the risk; and
(b) To consider any other matters in relation to the management of commodity risk.
Board
(a) To note any commodity risk and the actions taken to manage the risk; and
(b) To consider any other matters in relation to the management of commodity risk.
Delegation of authority
This section outlines the schedule of delegated authorities in executing treasury
transactions. Transactions required to hedge underlying commodity exposures must be
undertaken through TCV.
Responsibilities                   Number of authorisations   Authorising officers                               Transaction limit
                                   required
(1) Approve hedging transaction.   TCV = 2                    Managing Director                                  Unlimited
                                   Other = 2                  Executive Manager Finance and Customer Services    Unlimited
                                                              Manager Financial Services                         $2 million