Financial Management Compliance Framework user guide
Updated August 2013

The Secretary
Department of Treasury and Finance
1 Treasury Place
Melbourne Victoria 3002
Australia
Telephone: +61 3 9651 5111
Facsimile: +61 3 9651 5298
www.dtf.vic.gov.au

Authorised by the Victorian Government, 1 Treasury Place, Melbourne, 3002
© Copyright State of Victoria 2013
This book is copyright. No part may be reproduced by any process except in accordance with the provisions of the Copyright Act 1968.
ISBN 000-0-000000-00-0
Published August 2013.
If you would like to receive this publication in an accessible format please telephone 9651 0909 or email mailto:[email protected]
This document is also available in PDF format at www.dtf.vic.gov.au

Contents

User guide to Standing Direction 1 – Introduction
User guide to Standing Direction 2.1 – Financial Code of Practice
User guide to Standing Direction 2.2 – Financial Governance: Responsible Body; Financial Governance: formal statements; Financial Governance: Audit Committee
User guide to Standing Direction 2.3 – Financial risk management
User guide to Standing Direction 2.4 – Authorisations
User guide to Standing Direction 2.5 – Internal audit
User guide to Standing Direction 2.6 – External audit
User guide to Standing Direction 3.1 – Financial management structure
User guide to Standing Direction 3.1.1 – Public sector agency financial management team structure
User guide to Standing Direction 3.1.2 – Chief Finance and Accounting Officer (CFAO): credentials and endorsement
User guide to Standing Direction 3.1.3 – Policies and procedures
User guide to Standing Direction 3.1.4 – Chart of accounts
User guide to Standing Direction 3.1.5 – Managing outsourced financial services: outsourcing governance and audit scrutiny
User guide to Standing Direction 3.2 – Information technology systems
User guide to Standing Direction 3.2.1 – Information technology management
User guide to Standing Direction 3.2.2 – Information technology operations
User guide to Standing Direction 3.2.3 – Security
User guide to Standing Direction 3.2.4 – Development
User guide to Standing Direction 3.2.5 – Change control
User guide to Standing Direction 3.3 – Education and training
User guide to Standing Directions 3.1.3 and 3.4 – Policies and procedures
User guide to Standing Direction 4.1 – Internal financial management reporting
User guide to Standing Direction 4.2 – Reporting in terms of part 7 of the FMA
User guide to Standing Direction 4.3 – Other external reporting
User guide to Standing Direction 4.4 – Financial performance management and evaluation
User guide to Standing Direction 4.5 – Financial management compliance obligations
User guide to Standing Direction 4.5.1 – Compliance with directions
User guide to Standing Direction 4.5.2 – Taxation
User guide to Standing Direction 4.5.3 – Purchasing card
User guide to Standing Direction 4.5.4 – Thefts and losses
User guide to Standing Direction 4.5.5 – Risk management compliance
User guide to Standing Direction 4.5.6 – Treasury risk management
User guide to Standing Direction 4.5.7 – Foreign exchange risk management
User guide to Standing Direction 4.5.8 – Commodity risk management
User guide to Standing Direction 1

Introduction

Contents:
- Introduction to Standing Directions of the Minister for Finance; and
- Attachments:
  – overview of the Financial Management Compliance Framework; and
  – annual FMCF certification process.

The Financial Management Compliance Framework (FMCF) is a framework to assist Victorian public sector (VPS) agencies establish and maintain effective financial management to support the achievement of agencies’ key objectives and goals. It also helps the Victorian Government monitor the standard of financial management in line with the Standing Directions of the Minister for Finance (the ‘Directions’).

The FMCF was launched by the Department of Treasury and Finance (DTF) in July 2003 and was subsequently updated in July 2005 and August 2007. The Directions are designed to supplement the Financial Management Act 1994 (FMA).

Objectives of the FMCF

The FMCF was developed to:
- promote effective financial management;
- meet the government’s requirements for accountability;
- provide Ministers (including the Minister for Finance) with reasonable assurance that VPS agencies have implemented appropriate systems to comply with the Directions and to use public resources efficiently and responsibly; and
- assist agencies in identifying and documenting their financial compliance status.

Application and compliance with the FMCF

The FMCF applies to all VPS agencies who:
- are a ‘public body’ (defined in section 3 of the FMA); and
- are included in the whole of government consolidated ‘Annual Financial Report for the State of Victoria’.

Annual compliance certification

Agencies certify compliance with the Direction requirements (that are derived from the Directions) of the FMCF via the Compliance Monitoring System (CMS) website: https://www.cms.dtf.vic.gov.au

Certification takes place annually from July to September each year. An overview of the annual certification process can be found within this section.

The structure and components of the Directions

The Directions have four components. Section 1 is the Introduction. Sections 2, 3 and 4 are based on components of sound financial management as depicted below:

Key components of leading edge financial management
- Section 2 – Financial management governance and oversight
- Section 3 – Financial management structure, systems, policies and procedures
- Section 4 – Financial management reporting

Section 2 – Financial management governance and oversight
Governance is about the processes by which a public sector agency is directed, controlled and held to account. The Directions on financial management governance and oversight set standards for public sector agencies, which should be incorporated as fundamental elements in an overall governance framework.

Section 3 – Financial management structure, systems, policies and procedures
The Directions for financial management structure, systems, policies and procedures set standards for all public sector agencies to achieve sound systems of internal control to support financial management.

Section 4 – Financial management reporting
The Directions for financial management reporting set standards for public sector agencies to assist them in measuring and managing performance and to ensure financial management reporting is consistent with applicable statutory reporting obligations.

Presentation of the Directions

Each Standing Direction is comprised of the following:
- Background: explanatory section providing users with an understanding of the compliance obligation.
- Direction: a statement which sets out the compliance obligation (mandatory).
- Procedure: sets out the method of achieving the compliance obligation (mandatory).
- Guidelines: serve to explain and clarify the principles and objectives of the direction (reference only).
- Supplementary material: information designed to assist in achieving compliance with the Directions.

Exemptions

Agencies may seek exemptions from the Minister for Finance for specific direction requirements including:
- to establish and maintain a proper functioning audit committee (Direction 2.2, procedure (e));
- to establish and maintain an Internal Audit function (Direction 2.5);
- that the audit committee chair is an independent chair (Direction 2.2, procedure (l)); and
- that the chair of the audit committee is not also the chair of the board (or responsible body) (Direction 2.2, procedure (m)).

Exemptions must be sought in writing and include the reasons for the exemption as well as proposed alternative actions or procedures. Government departments are not eligible for exemptions. Sections 2.2 and 2.5 of the user guide provide detail on the exemption process and evaluation criteria.

Abbreviations

- AASB: Australian Accounting Standards Board
- ATO: Australian Taxation Office
- BFMG: Budget and Financial Management Guide
- CFAO: Chief Finance and Accounting Officer
- CFO: Chief Finance Officer
- DTF: Department of Treasury and Finance
- FBT: Fringe Benefits Tax
- FMA: Financial Management Act 1994
- FRD: Financial Reporting Directions
- GST: Goods and Services Tax

Definitions

- Accountable Officer: as per section 3 of the FMA.
- Business Rules: are the rules made by the Deputy Secretary, Budget and Finance, Department of Treasury and Finance.
- Directions: mean these Standing Directions.
- Financial Reporting Directions: are directions given by the Minister for Finance for the accounting treatment and reporting of financial transactions.
- Government Department: same as ‘department’ as defined in section 3 of the FMA.
- Public sector agency: any public body as defined in section 3 of the FMA or any government department.
- Responsible Body: for a government department – the accountable officer; and for every other public sector agency – the Board.

In the event that a person or body is declared to be an authority for the purposes of the definition of ‘authority’ in section 3 of the FMA, anything in these directions applying or referring to a government department applies or refers also to that person or body, unless a Direction explicitly provides otherwise.

An overview of the Financial Management Compliance Framework

What is in the FMCF? What are the objectives? Who needs to comply? How and when do agencies certify?

The Financial Management Compliance Framework (FMCF) is a framework to assist Victorian public sector (VPS) agencies establish and maintain effective financial management to support the achievement of agencies’ key objectives and goals. It also helps the Victorian government monitor the standard of financial management in line with the Standing Directions of the Minister for Finance (the ‘Directions’). The FMCF was launched by the Department of Treasury and Finance (DTF) in July 2003 and was subsequently updated in July 2005.

The FMCF was developed to:
- promote effective financial management;
- meet the government’s requirements for accountability;
- provide Ministers (including Minister for Finance) with reasonable assurance that VPS agencies have implemented appropriate systems to comply with the Directions and to use public resources efficiently and responsibly; and
- assist agencies in identifying and documenting their financial compliance statement.

The FMCF applies to all VPS agencies who:
- are a ‘public body’ (defined in section 3 of the FMA); and
- are included in the whole of government consolidated ‘Annual Financial Report for the State of Victoria’.
Agencies certify compliance with the Directions Requirements (that are derived from Directions) of the FMCF via the Compliance Monitoring System (CMS) website: https://www.cms.dtf.vic.gov.au/

Certification takes place annually from July to September each year. Refer overleaf for an overview of the annual certification process.

How did the Direction come about? What are the key components of the Directions? How are the Directions presented?

The Directions are designed to supplement the Financial Management Act 1994 (FMA). They are pursuant to section 8 of the FMA.

The Directions are based on the following three components of sound financial management:
- Financial management, governance and oversight;
- Financial management, structure, systems, policies and procedures; and
- Financial management reporting.

Details of the Directions
- Background: explanatory section providing users with an understanding of the compliance obligation.
- Direction: a statement which sets out the compliance obligation (mandatory).
- Procedure: sets out the method of achieving the compliance obligation (mandatory).
- Guidelines: serve to explain and clarify the principles and objectives of the direction (reference only).
- Supplementary material: information designed to assist in achieving compliance with the Directions.

Further information and assistance

www.dtf.vic.gov.au (See: Government Financial Management: Financial Management Compliance Framework.)

Go to the FMCF toolkit (on the DTF website) – the online information resource for the FMCF.

DTF initiatives: launch of the FMCF toolkit to provide a single resource for all FMCF information in relation to the Directions, Rules, certification process, upcoming seminars and the updated user guide.

Annual FMCF certification process

FMCF certification is completed by agencies on an annual basis.
The following flowchart outlines the steps within the annual FMCF certification process at the agency and portfolio level. The timing of tasks is provided as a guide.

Data integrity framework – Process overview

Throughout the year – Complete review requirements
There are requirements within the FMCF to complete reviews over a number of areas throughout the year, e.g. policy documents and the financial risk profile (see Supplementary Material flyer for Direction review requirements).
1. Complete relevant reviews.
2. Where required, obtain endorsement by the CEO/CFO (or delegate) or the Board/Audit Committee.
3. Keep documentation supporting evidence of these reviews.

June – July – Assess compliance
The FMCF compliance certification checklist provides detailed guidance of compliance requirements for each Direction.
4. Use the compliance certification checklist to review the compliance status against each of the mandatory elements within the Direction Requirements.
5. Determine the compliance level (compliant, partially compliant, not compliant) using results from step 4 and complete the ‘certification checklist as at 30 June’.

July – August – Obtain sign-off
6. Obtain required approval, e.g. Board/Audit Committee, upon completion of the compliance certification checklist.
7. Finalise detailed sign-off over Direction 2.2(d) and (w), including:
   – internal controls
   – risk management
   – financial statements
8. Ensure there is evidence to support the compliance levels certified (where relevant).

August – September – Complete and submit certification
9. Complete online certification via the compliance monitoring system (CMS) website: www.cms.dtf.vic.gov.au
10. Provide signed certification letter and exception compliance summary attachment (where applicable) to the relevant portfolio Minister and copied to the portfolio coordinator.
Note: The compliance summary attachment is an exceptions report that details rectification plans and reasons for partially or not compliant responses. Agencies can also add further comments in this attachment.

Department/portfolio process (September – October)
11. Agency compliance certification received by the Portfolio Minister via the portfolio department.

User guide to Standing Direction 2.1

Direction requirement 1

Financial Code of Practice

Introduction

Direction 2.1 of the Standing Directions of the Minister for Finance (the Directions) requires each agency to implement and maintain a Financial Code of Practice (the Code) that outlines standards and practice in relation to the probity of their financial management.

Developing a code

The Code must cover the following areas (as per Direction 2.1):
- independence, integrity, accountability, confidentiality;
- procurement, tendering, credit cards;
- conflicts of interest;
- personal relationships with the public sector agency’s customers and providers;
- corporate opportunities;
- fair dealing;
- protection and proper use of the public sector agency’s assets; and
- encouraging the reporting of unlawful or unethical behaviour.

Agencies will have detailed policies and procedures in place for some of the areas listed above, e.g. whistle-blower, procurement, conflict of interest. The Code should not duplicate, but direct the reader to the agency’s existing detailed policies and procedures which provide further guidance and detailed procedures in relation to the items listed in the Code. The Code should not replace detailed policies and procedures but should provide a high level statement about employee conduct required for specific areas.
The Code should also be consistent with the Victorian Public Service Code of Conduct and the Directions. Consideration could also be given to good practice in the public and private sector bodies, e.g. Principle 3 ‘Promote ethical and responsible decision-making’ of the ASX Corporate Governance Council Principles of good corporate governance and best practice recommendations, March 2003.

Supporting the Code

Processes to support the Code should be developed to:
- ensure it is up to date and consistent with changes in the internal and external environment;
- identify employees required to comply with the code;
- prompt regular (at least annual) review of changing roles within the agency to identify relevant employees with direct or indirect responsibilities for financial transactions, groups of transactions, or other financial matters, for example initiation, authorisation/approval, processing, reporting; and
- handle queries, monitor compliance and manage breaches of the Code.

Communication and education

The Code should be communicated to relevant employees to ensure it is understood and to enhance compliance. Communication of the Code could include:
- access to the document;
- explanation of individual involvement in financial management for the agency, e.g. explanation of roles and responsibilities, delegations, etc.;
- explanation of responsibilities under the Financial Management Act 1994 and the Directions; and
- a requirement for individuals to acknowledge receipt and understanding of the Code, i.e. signing and returning an acknowledgement form (that is kept to demonstrate that the agency has complied with the requirements of the Direction).

Example

An example of a Financial Code of Practice template is attached. The template is generic and does not specifically address each agency’s requirements. It is the basis of a Code that is tailored to suit the individual needs of the agency.
Attachment 1 – Template for a Financial Code of Practice

User note: This template is generic and should be amended to suit the purposes of the organisation.

<Insert organisation name>
<Insert site name>
Financial Code of Practice
Organisation address: <insert address>

Contents:
- Introduction.
- Public funds.
- Declaration of financial and other interests.
- Financial inducements, gifts and hospitality.
- Secondary employment.
- Tendering and procurement process.
- Corporate credit cards.
- Use of property, facilities or equipment.
- Confidentiality.

Introduction

This Financial Code of Practice sets the standards of conduct expected from <insert organisation name> employees. It applies to all employees of the <insert organisation name> and it forms part of the terms and conditions of employment.1 If any of the provisions contained within this Financial Code of Practice are not fully understood, employees should seek clarification from their line managers.

Employees are expected to act at all times in the best interest of the <insert organisation name> and should conduct all dealings with integrity and fairness. The <insert organisation name> may apply its disciplinary procedures against employees who are in breach of this code. Instances of non-compliance with this Code may be reported through <insert details of the breach reporting process>. <Insert organisation name> procedures are consistent with the requirements of the Victorian Government Whistle-blower Legislation.2

Public funds

The <insert organisation name> acknowledges the responsibility it has for the administration of public funds. The <insert organisation name> emphasises to the public, the government and its employees the importance it places upon propriety, financial control and honest administration. The <insert organisation name> arrangements for the prevention and detection of fraud and corruption will be kept under constant review, and suspected irregularities will be investigated.

Where employees have direct responsibility for financial transactions, for example the ordering of goods and services on behalf of the <insert organisation name>, then they must be fully acquainted with the Standing Directions of the Minister for Finance pursuant to Section 8 of the Financial Management Act 1994 and comply with these.

Declaration of financial and other interests3

Employees must declare any personal interests which may affect or be affected by a <insert organisation name> transaction. Interests should be declared to the <to be determined by the agency and must be consistent with the agency’s enabling legislation and culture>. Employees must not influence the awarding of any contract in which they have any interest.

Employees who act as panel members in the interview and selection process must also declare any knowledge they have of candidates. Any such knowledge must be disclosed to <to be determined by agency and must be consistent with the agency’s enabling legislation and culture> at the earliest opportunity.

1 The Financial Code of Conduct should be distributed as part of the induction process. New employees should sign to acknowledge that they have read its contents. Further, upon promotion or transfer, employees should be required to reconfirm and sign to acknowledge their understanding of the contents of the Code with regard to their new role.
2 This legislation should be referred to in developing procedures.
3 Conflicts of interest requirements will vary from public sector agency to public sector agency, for example compare a hospital agency with the Victorian Police. It is imperative that guidelines are established to ensure that staff are aware of the requirements to disclose interests and gifts offered and received.
Financial inducements, gifts and hospitality

Employees may not accept gifts that may be, or may be construed as, rewards or inducements for directing business towards that body/person. Any monetary gifts handed over to employees must be passed to the <to be determined by agency and must be consistent with the agency’s enabling legislation and culture>. Goods, vouchers, non-cost payments etc. received from suppliers or agents (other than goods officially ordered) shall be declared to the <to be determined by agency and must be consistent with the agency’s enabling legislation and culture>. This rule is waived in respect of small items that have a value not exceeding <to be determined by agency and must be consistent with the agency’s enabling legislation and culture>. In areas of doubt advice should be sought from the appropriate manager <to be determined by the agency>.

Employees should also refer to the Official Hospitality Principles issued by the Department of Premier and Cabinet from time to time.4

Secondary employment

Staff members may not undertake employment outside <insert organisation name> or engage in the conduct of a business, trade or profession without written permission. Employees considering taking up a second post should take into account whether this might conflict with their employment with the <insert organisation name> and should seek guidance from <to be determined by the agency>.

Tendering and procurement process

All tendering and procurement activity must be compliant with Victorian Government Purchasing Board’s guidance material where applicable <if VGPB guidance material is not applicable, replace with ‘policies and procedures’>.

Corporate credit cards

All usage of corporate credit cards must be compliant with the Standing Directions of the Minister for Finance under the Financial Management Act 1994.

Use of property, facilities or equipment

Employees of the <insert organisation name> often have access to facilities, including office equipment such as computers, telephones, photocopiers and fax machines, to use in carrying out their official duties. Excessive personal use of any <insert organisation name> equipment or removal of any property from the work place for any purpose is not permitted without line manager approval. Any use for personal gain is not permitted under any circumstances.

Confidentiality

Staff are expected to maintain and respect the confidentiality and privacy of financial information and other matters of a financial nature that they come across during the course of their employment. Unless authorised, staff are not to use confidential information for personal use or to benefit another third party.

4 The most recent version is dated 14 July 1998 and replaces Circular 90/1 on Entertainment Expenditure Guidelines.

User guide to Standing Direction 2.2

Direction requirement 2

Financial Governance – Responsible Body

Introduction

The governance and oversight of the financial management of an agency is the responsibility of the Responsible Body as per Direction 2.2(a) in the Standing Directions of the Minister for Finance (the Directions).

Definitions

Responsible Body defined
The Directions define ‘Responsible Body’5 to mean:
- the accountable officer for a government department; or
- the Board for all other public sector agencies.

Accountable Officer defined
‘Accountable Officer’6 means:
- the department head for a department; or
- the chief executive officer for a public body (or the relevant title of this position).
Delegation of responsibilities
The Responsible Body may delegate some of its responsibilities under the Directions to an Audit Committee, Finance Committee or equivalent (as per Direction 2.2(c)). However, the Responsible Body cannot delegate or diminish ultimate responsibility for:
– overseeing the financial performance of the agency;
– ensuring the integrity of financial reporting; and
– retaining oversight responsibility for the relevant actions and activities of its delegates.
The Directions do not prevent operational aspects of the Responsible Body’s oversight and governance role from being delegated to management.7

Documentation of role and responsibilities
The roles, responsibilities and delegations of the Responsible Body should be documented in a charter or equivalent document. The document should detail the responsibility and accountability relationships between the Minister, the Responsible Body, the Accountable Officer and the CFAO.

5 Refer to S. 1.1 in the Directions for more information regarding where a person or body is declared to be an ‘authority’ under S.3 of the Financial Management Act 1994.
6 Defined under S.3 of the Financial Management Act 1994.
7 This must be completed in accordance with Direction 2.4 (Authorisations).

Requirements of the Responsible Body
The Responsible Body has a number of requirements outlined in Direction 2.2(b) that are part of its financial oversight and governance role. The requirements are outlined in the checklist below and should be considered in developing the charter or equivalent. Please note that Guideline 1 to Direction 2.2 also details a number of suggested tasks for the Responsible Body. In addition to Direction 2.2(b), the Responsible Body has a number of other requirements8 under the Financial Management Compliance Framework. Please refer to the Directions and relevant supplementary material for information about this.
Requirements of the Responsible Body under Direction 2.2(b) (checklist: Considered?)
– Review all financial reports that are provided to parties external to the public sector agency, prior to their release but subsequent to the approval of the reports by the CFAO in accordance with Direction 4.3(c).
– Work with management to develop the strategic directions for the public sector agency, set performance indicators, set performance targets, and review performance management information and reports against those targets.
– Monitor and oversee the financial performance of the public sector agency on an ongoing basis, ensuring appropriate human and financial resources are available.9
– Oversee and ensure that procedures are in place that will result in effective and efficient budgeting.
– Ensure a balance of authority so that no single individual has unfettered powers over the finances of the public sector agency.
– Ratify the appointment or removal of the CFAO, where appropriate.10
– Review, ratify and oversee the public sector agency’s systems of risk management and financial internal controls.
– Approve and monitor the progress of major capital expenditure, capital management, acquisitions and divestitures.
– Meet often enough to undertake its financial governance role effectively, if it comprises more than one person (e.g. at least four times a year).
– Establish appropriate arrangements to ensure that public funds and resources are used economically, efficiently, effectively, with due propriety, and in accordance with the statutory or other authorities that govern their use.
– Undertake an annual review of its own performance in respect of its financial governance.

8 Examples of other Directions with requirements for the Responsible Body include: Directions 2.3, 2.4, 2.6, 3.1.3, 3.1.5, 3.2.1, 3.4.1, 3.4.3 and elements of Directions in relation to Financial Management Reporting as detailed in Directions 4.1 to 4.5. Please note this list is not complete.
9 This is also consistent with its role under Direction 4.1 (Internal Financial Management Reporting) and Direction 4.4 (Financial Performance Management and Evaluation) to work with management to develop financial KPIs and receive reports on financial performance.
10 This is also consistent with its role under Direction 3.1.2 (Chief Finance and Accounting Officer) to ensure the agency has financial management leadership from a suitably qualified CFAO.

Direction requirement 3 Financial governance – formal statements

Introduction
The Standing Directions of the Minister for Finance (the Directions) under Direction 2.2 require an agency to:
… establish robust and transparent financial governance policies and procedures directed to the oversight of its financial management which should be incorporated as fundamental elements of a public sector agency’s overall governance framework. Particular attention must be paid to the systems of financial reporting, risk management, internal control and the adequacy of management reporting.
The Directions mandate an annual formal statement of compliance with the following three distinct requirements of 2.2(d) for agencies and 2.2(w) for government departments.11
– Requirement 1: Presentation of the agency’s financial reports.
– Requirement 2: That the risk management, internal compliance and controls form the basis of the financial report.
– Requirement 3: That the risk management, internal compliance and control systems operate effectively and efficiently.
The requirements of Direction 2.2, and in particular 2.2(d) and 2.2(w), serve as the foundation for the Financial Management Compliance Framework.

Timing of formal statement
It would be expected that the formal statement of compliance would be made in writing at least annually upon completion, and before public release, of the annual financial report.
There are example formal statement templates included in this material:
– Template 1: example representation from Accountable Officer and CFAO to Responsible Body.
– Template 2: example representation from Management and Staff to the Accountable Officer and CFAO.

Difference between 2.2(d) and 2.2(w)
The requirements under Direction 2.2(d) are identical in nature to 2.2(w); the only differences are:
Direction 2.2(d):
– relates to agencies; and
– requires the Accountable Officer and the CFAO to make the formal statement to the Responsible Body.
Direction 2.2(w):
– relates to government departments; and
– requires the CFAO to make the formal statement to the Audit Committee and the Accountable Officer.

11 Note: This material explains each of these requirements in further detail overleaf.

Explanation of the three requirements
The following tables provide a detailed explanation of each of the requirements under 2.2(d) and (w) and include a list of potential steps that the Accountable Officer and CFAO could consider implementing to support the formal statement requirements. Please note that the lists are not exhaustive and should only be used as a guide to assist in the development of agency-specific procedures in relation to Direction 2.2(d) and (w).

Requirement 1: Statement over presentation of agency’s financial reports
The CFAO and/or the Accountable Officer12 have an obligation to provide a statement to the Responsible Body stating that:
– the financial reports present fairly, in all material respects, the financial condition and operating results of the agency; and
– the financial reports have been prepared in accordance with the Financial Management Act 1994, including the Directions.
Links to other Directions: Reporting in terms of Part 7 of the FMA (Standing Direction 4.2, Direction Requirement 23).
How to sign off on Requirement 1: Traditional sign off over financial statements.
(see also Template 1)
Requirement 1 signed off by: Accountable Officer and Responsible Body at agency level; and CFAO at department level.

Example of potential steps and detail for Requirement 1 (Considered?)
Discussions with relevant management and staff with a view to:
– satisfying themselves that the process supporting the preparation of financial reports was robust and that the financial reports are complete, accurate and reliable;
– understanding any key assumptions and accounting policies which underpin material balances (including changes to assumptions or accounting policies since the previous year);
– considering key areas where significant judgement was exercised in determining accounting treatments; and
– understanding the nature and rationale of any significant period-end adjustments.
Reviewing performance against financial budgets carried out throughout the course of the year with a view to:
– ensuring that all material transactions have been captured within underlying financial accounting systems;
– developing an understanding of the reasons for variances between budgeted and actual financial results and their reasonableness; and
– comparing year-end financial reports to management accounts and understanding large adjustments made at year end as well as other impacts potentially affecting the robustness of the financial management process.
Reviewing the financial reports prior to release by:
– completing a comparison to last year’s financial reports and consideration of significant movements in results, balances and disclosures; and
– understanding changes that have occurred to relevant Accounting Standards and Directions under the FMA to ensure that they have been captured.

12 At Government Departments the CFAO provides this statement. At other agencies, the CFAO and Accountable Officer provide this statement.
Considering the findings of the financial statement audit process. This is achieved through discussions with financial accounting staff, the external auditor and the internal auditor (where relevant), including a summary of adjusted and unadjusted differences.

Requirement 2: Statement over risk management, internal compliance and control
The CFAO and/or the Accountable Officer (see footnote 12) have an obligation to provide a statement to the Responsible Body stating that the financial report is founded on a sound system of risk management, internal compliance and control which implements the policies adopted by the Responsible Body.

Further explanation for Requirement 2
Requirement 2 focuses on the design effectiveness of internal controls within the financial reporting process. Internal controls over the financial reporting process would be considered to be designed effectively if, assuming they were operating as intended, they provided reasonable assurance that material misstatements in financial reports would be prevented or detected by management. Requirement 2 reinforces the fact that the CFAO and Accountable Officer are ultimately responsible for ensuring that the agency has adequately designed internal controls over the financial reporting process. The nature of the internal controls that an agency has over financial reporting will vary from agency to agency depending on factors including, but not limited to:
– the size of the agency;
– the nature and volume of accounting transactions processed by the agency;
– the information technology environment within the agency; and
– the nature and complexity of financial report disclosures required of the agency under Financial Reporting Directions and accounting standards.
Links to other Directions:
– Financial risk management (Standing Direction 2.3, Direction Requirement 5);
– Policies and procedures (Standing Directions 3.1.3 and 3.4, Direction Requirement 12); and
– Risk management compliance (Standing Direction 4.5.5; refer to the Victorian Government Risk Management Framework).
How to sign off on Requirement 2: Sign off that internal controls have been designed effectively so that they provide reasonable assurance that material misstatements in financial reports are prevented or detectable. This may require:
– a representation from the Accountable Officer and CFAO to the Responsible Body (refer Template 1); and
– where appropriate, a series of management/staff representations to the Accountable Officer/CFAO (refer Template 2).
Requirement 2 signed off by: Accountable Officer and Responsible Body at agency level; and CFAO at department level.

Example of potential steps and detail for Requirement 2 (Considered?)
Identify significant accounts and disclosures: Identification of significant accounts and disclosures in financial reports. Examples include: items separately disclosed in financial reports; qualitative and quantitative factors; and materiality at the consolidated financial statements level.
Account mapping: Map significant accounts and disclosures to the accounting policies, procedures and processes that generate the information reported.
Identify the relevant financial statement assertions: For each significant account and disclosure (e.g. Account/Disclosure X), identify the relevant financial statement assertions. Examples of assertions are: existence or occurrence; completeness; valuation or allocation; rights and obligations; and presentation and disclosure.
Identify risks of misstatement: For each of the significant accounts and disclosures, identify risks of misstatement with reference to the financial statement assertions.
Identify mitigating controls: Based on the risks identified, and with reference to accounting policies, procedures and processes, identify the key controls which reduce either the likelihood or the impact of the risk occurring.
Sufficiency of mitigating controls: Consider whether the key controls identified are designed such that they provide reasonable assurance that material misstatements would be prevented or detected by management throughout the year.
Develop and implement remediation plan: Where significant deficiencies in the design of internal control over financial reporting have been identified:
– implement immediate corrective action to ensure reported results are not adversely affected; and
– develop and implement appropriate remedial action plans.

Requirement 3: Statement over efficient and effective operation of risk management, internal compliance and control systems
The CFAO and/or the Accountable Officer (see footnote 12) have an obligation to provide a statement to the Responsible Body stating that the agency’s risk management and internal compliance and control system is operating efficiently and effectively in all material respects.
Further explanation for Requirement 3
Requirement 3 is intended to consider and report against the operating effectiveness of controls, i.e. are internal controls being applied and operated as intended throughout the entire reporting period?
Links to other Directions:
– Financial management governance and oversight (Section 2: Standing Directions 2.1 to 2.6, Direction Requirements 1 to 8); and
– Financial management structure, systems, policies and procedures (Section 3: Standing Directions 3.1 to 3.4, Direction Requirements 9 to 21).
How to sign off on Requirement 3: Sign off that internal controls are being applied and operated as intended throughout the entire reporting period. This may require:
– a representation from the Accountable Officer and CFAO to the Responsible Body (refer Template 1); and
– where appropriate, a series of management/staff representations to the Accountable Officer/CFAO (refer Template 2).
Requirement 3 signed off by: Accountable Officer and Responsible Body at agency level; and CFAO at department level.

Example of potential steps and detail for Requirement 3 (Conclusions?)
Gather information about the implementation and operation of internal controls in the organisation. For example, this may include results of staff surveys regarding knowledge and understanding of internal controls in day-to-day operations, the extent to which internal and external audit recommendations have been implemented, completion of risk assessment processes within finance and accounting functions, and evidence that system-generated financial reports have been prepared and disseminated on a timely basis.
Develop and execute an evaluation plan on control activities: For key control activities identified during the evaluation of design effectiveness, develop and execute an evaluation plan with a view to determining whether they were operating as intended throughout the course of the year. This may involve a combination of:
– direct testing of a sample of significant control activities conducted by internal audit;
– risk and control self-assessment by management and staff; and
– management and staff representations over the operation of internal controls.
Evaluate results to determine if deficiencies represent a material weakness: Review the information obtained together with the results of testing to determine whether deficiencies, either individually or in aggregate, represent material weaknesses.
Where deficiencies are identified (be they material or immaterial), develop and implement appropriate remedial action plans (immediate and longer term).
Notification of any control weaknesses: Prepare and provide a representation to the Responsible Body noting any material control weaknesses identified based on the evaluation of control effectiveness.

Attachments: Templates for formal statements
Template 1 Example representation from Accountable Officer and CFAO to Responsible Body
Template 2 Example representation from Management and Staff to the Accountable Officer and CFAO

Template 1 Example representation from Accountable Officer and CFAO to Responsible Body
Statement to the Responsible Body of <insert agency name>
The Accountable Officer and Chief Finance and Accounting Officer state that:
(a) with regard to the integrity of the financial reports of <insert agency name> for the year ended 30 June <insert year> that:
(i) the financial statements and notes thereto comply with accounting standards in all material respects;
(ii) the financial statements and notes thereto give a true and fair view, in all material respects, of the financial position and performance of the agency and consolidated entity;
(iii) in our opinion, the financial statements and notes thereto are in accordance with the Financial Management Act 1994 and associated directions; and
(iv) in our opinion, there are reasonable grounds to believe that the agency will be able to pay its debts as and when they become due and payable.
(b) with regard to risk management and internal compliance and control systems of <insert agency name> for the year ended 30 June <insert year>:
(i) the statements made in (a) above regarding the integrity of the financial statements and notes thereto are founded on a sound system of risk management and internal compliance and control systems which, in all material respects, implement the policies adopted by the Responsible Body;
(ii) the risk management and internal compliance and control systems underpinning financial management processes are operating effectively and efficiently, in all material respects, based on an evaluation against the elements of the agency’s defined internal control framework; and
(iii) nothing has come to our attention since 30 June <insert year> that would indicate any material change to the statements in (i) and (ii) above.
<insert name> Accountable Officer <Date of annual report> *
<insert name> Chief Finance and Accounting Officer <Date of annual report> *
* To be dated the same date as the annual report. The statement should be made at least annually to the Responsible Body upon completion and before the public release of the annual report.

Template 2 Example representation from management and staff to the Accountable Officer and CFAO
Statement to the Accountable Officer and CFAO of <insert agency name>
This statement is to verify that I have:
1) Identified the financial management requirements of my <insert cost centre/division>.
2) Put in place a structure to ensure transactions of the <insert area/office> have been processed in accordance with these requirements, including:
<insert reference to approved policies and procedures>
<insert reference to approved delegations of authority>
3) Monitored transactions and processes in my <insert cost centre/division> in accordance with my financial management responsibilities.
4) In this process, identified the following issues that have or may impact financial management structures or processes under my responsibility:
<insert any areas that need improvement>
<insert any areas that need improvement>
5) Put in place the following rectification plans to address the above issues:
<insert rectification plan and the date it is expected to be completed>
This statement has been prepared to the best of my knowledge and confirms that no other issues that would impact on financial management have come to my attention.
<Manager/staff name> <Title> <Date of report>

Direction requirement 4 Financial governance – Audit Committee

Introduction
Direction 2.2 (Direction Requirement 4) of the Standing Directions of the Minister for Finance (the Directions) requires an agency to appoint an audit committee to oversee and advise on matters of accountability and internal control affecting the operations of the agency, unless an exemption has been obtained.13 The detailed requirements for audit committees are outlined in the Procedures to Direction 2.2, specifically:
– establishment and exemptions: Procedure (e)
– charter, roles, responsibilities, meetings: Procedures (h)-(j)
– membership and member qualifications: Procedures (f), (g), (k)-(q), (s)
– member induction: Procedure (r)
– relationships and reporting: Procedures (t)-(v).
This material provides:
– guidance to agencies for the implementation of the requirements in relation to audit committees; and
– an overview of other audit committee requirements under the Directions.
The checklists in this material identify the mandatory requirements relevant to each of the detailed requirements for audit committees. The checklists also contain elements that represent good practice. Please note that this material should be read in conjunction with the audit committee requirements detailed in the Directions for internal audit (2.5, Direction Requirement 7) and external audit (2.6, Direction Requirement 8).

Audit committee establishment and exemptions
The Directions permit agencies to apply for an exemption from establishing an audit committee. A number of parameters must be met to ascertain whether an agency is permitted to apply for an exemption. The exemption process is outlined in the steps below. Also, Attachment 1 provides a template for the exemption application.
Where an audit committee has been established, it is usually a sub-committee of the Board (Responsible Body). While the establishment of an audit committee supports the Board’s performance in the discharge of its financial governance and oversight responsibilities, it does not release the Board from its responsibilities.

13 Procedure (e) under Direction 2.2 from the Standing Directions of the Minister for Finance under the Financial Management Act 1994.

Audit Committee exemption process
Step 1 Majority of non-executive directors: Are the majority of directors on the Board non-executive directors? If yes, continue to Step 2.
Step 2 Majority of non-executive independent directors: Are the majority of non-executive directors independent? If yes, continue to Step 3. If there are at least three non-executive directors (and two of these are independent), an Audit Committee can be established in accordance with the Directions.
Step 3 Agency size: A number of parameters are taken into account when determining an agency’s size and eligibility for exemptions. The parameters (Total budget, Total assets, Number of full time equivalent employees, and Financial risk profile) must each be scored and the scores totalled; the table below provides the scores for each parameter. Agencies with an aggregate score (across all four parameters) of:
– less than or equal to 10 are able to seek an exemption, continue to Step 4; or
– more than 10 cannot seek an exemption.
Step 4 Exemption application: Agencies that meet the requirements can seek an exemption via a written submission to the Minister. A copy of the submission must be sent to DTF with a set of the agency’s most recently audited financial statements. See the example template exemption letter.
Step 5 Exemption approval: Exemption applications are assessed on a case-by-case basis and DTF may request additional information. Exemptions are only granted for one compliance year (1 July to 30 June). Agencies granted an exemption must follow the ‘exemption confirmation process’ the following year.

Notes for Step 1
A non-executive director is an agency director that:
1. is part of the Responsible Body;
2. is not employed on a full-time basis by the Responsible Body; and
3. is not involved in the day-to-day management of the agency.

Notes for Step 2
Guideline 3 to Direction 2.2 defines an independent person as one who:
1. is independent of management of the agency;
2. has not been employed in an executive capacity by the agency or a related organisation, or been a director after ceasing to hold such employment, within the last three years;
3. has not been a principal of a material professional advisor or a material consultant to the agency or a related organisation, or an employee materially associated with the service provider, within the last three years;
4. is not a material supplier or customer of the agency or a related organisation, or an officer of or otherwise directly or indirectly associated with a material supplier or customer;
5. has no material contractual relationship with the agency or a related organisation other than as a committee member of the agency;
6. has not served on the Responsible Body (if it is a board) or the Committee for a period which could, or could reasonably be perceived to, materially interfere with the person’s ability to act in the best interests of the public sector agency; and
7. is free from any interest and any business or other relationship which could, or could reasonably be perceived to, materially interfere with the Committee member’s ability to act in the best interests of the agency.
Also:
1. family ties and cross-directorships may be relevant in considering interests and relationships which may compromise independence; and
2. ‘materiality’ should be considered from the perspectives of both the public sector agency and the individual Committee member/candidate.

Scoring parameters for Step 3 (Audit Committee exemption)
Parameter: Small (score) / Medium (score) / Large (score)
Total Budget(1): <$5m (2) / $5m-$15m (4) / >$15m (6)
Total Assets(2): <$5m (2) / $5m-$20m (4) / >$20m (6)
Number of full time equivalent employees(3): <20 (2) / 20-50 (4) / >50 (6)
Financial Risk Profile:
– Low (2): Agency has responsibility for managing its budget with no significant financial transactions with third parties.
– Moderate (4): Agency has responsibility for managing its budget with limited significant financial transactions with third parties.
– High (6): Agency has responsibility for managing its budget with significant transactions with third parties.
(1) Total Budget $m refers to Total Budgeted Expenditure.
(2) Total Assets $m amount should be derived from the last audited financial statements.
(3) A measurement equal to one staff person working a full-time work

Processes for obtaining exemption confirmation for an audit committee
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only. Agencies requiring extensions of their exemptions need to complete the exemption confirmation process outlined in the steps below.

Exemption Confirmation Process
When: Dec-Jan. What: Agencies notify DTF. How: Agencies that have previously been provided exemptions must confirm with DTF that:
– an exemption is still required; and
– there have been no changes in the circumstances surrounding the agency.
Agencies must inform DTF of situations where:
– there has been or will be some change to its operating or governance structures;
– its operating functions or parameters have been or will be altered;
– it is subject to litigation or pending litigation;
– the agency has previously been the subject of media attention regarding its financial management activities;
– the agency is subject to an internal or external review of any kind;
– a significant or material internal control weakness has been identified and is yet to be rectified;
– the Auditor-General has provided a qualified audit opinion;
– the Auditor-General has been unable to provide an audit opinion on the agency’s financial statements; or
– there has been a change in the financial and/or political circumstances surrounding the agency.
When: Feb. What: Assessment. How: Agency responses are collated and assessed accordingly. If the circumstances of the agency have altered, the agency will be assessed using the exemption criteria.
When: Mar. What: DTF extends exemptions. How: DTF writes to agencies, informing them whether their exemption(s) has been extended for the current compliance year.

Audit committee charter, roles, responsibilities and meetings
The role, responsibilities, composition, structure and membership requirements of an audit committee should be defined in an audit committee charter.
Areas to consider including in an audit committee charter (Included?)
Purpose of the charter: Detail the functional and organisational framework for the audit committee to operate, for example:
– The audit committee is a sub-committee of the Responsible Body.
– The audit committee is established to assist the Responsible Body fulfil its governance and oversight responsibilities, including the: financial reporting process including annual financial statements; effectiveness of the internal audit function; scope of work, independence and performance of the external auditor; and agency’s process for monitoring compliance with laws and regulations and the financial code of conduct.
Roles and responsibilities: Define the requirements for roles and responsibilities of the audit committee, for example:
– ensuring management has appropriate processes for identifying, assessing and responding to risks;
– evaluating the overall effectiveness of the internal control and risk management frameworks and considering whether management has implemented recommendations made by internal and external auditors;
– overseeing the periodic financial reporting process implemented by management and reviewing interim financial statements, annual financial statements and preliminary announcements before release;
– reviewing the effectiveness of the system to monitor compliance with laws, regulations and internal policies;
– reviewing external audit’s proposed audit scope and approach for the current year and discussing with external audit significant findings and recommendations; and
– reviewing the activities, resources and organisational structure of the internal audit function.
Accountability and reporting: State the accountability and reporting requirements for the audit committee, for example:
– be fully accountable to the Responsible Body;14
– meetings are to be minuted to ensure the audit committee is discharging its responsibilities;
– minutes are to be provided to the Responsible Body at the next meeting (or at an agreed interval where the Responsible Body is not a board);
– meeting attendance and schedule; and
– state the attendance and meeting requirements, for example:
– meetings are to be held not less than four times a year;
– meetings should correspond with the agency’s financial reporting cycle;
– only committee members are entitled to attend meetings;
– the Accountable Officer and CFAO are to attend relevant sections of the meetings by standing invitation; they are not members of the committee;15 and
– other invitees can be included, e.g. internal audit and external audit representatives.

14 This is a mandatory requirement as per Direction 2.2 (i) (Direction Requirement 4 (i)).
15 This is a mandatory requirement as per Direction 2.2 (k) (Direction Requirement 4 (k)).

Audit committee membership requirements and member qualifications
Requirements for audit committee membership are designed to ensure the committee has the appropriate skills and experience required to fulfil its roles and responsibilities effectively. Membership requirements should be specified in the charter.
Areas to consider including in an audit committee charter (Included?)

Composition, structure, membership and skills
Outline the membership requirements and structure of the audit committee,[16] including for example:
- the number of members comprising the audit committee;[17]
- at least two members of the audit committee are to be independent;[5]
- independent members are acknowledged as being independent in the annual report;[5]
- each member of the audit committee must have and maintain a number of skills, including for example basic financial literacy, relevant industry knowledge and business experience;[18]
- at least one member must have appropriate expertise in financial accounting or auditing;[6]
- the Chairperson is to be one of the independent members and not also the Chairperson of the Responsible Body unless an exemption has been obtained;[19]
- the Responsible Body is to review membership at least every three years;[20] and
- new members are provided with all relevant and necessary information by the CFAO.[21]

Audit committee member induction
Audit committee members require a range of information to develop their knowledge and fulfil the obligations of their role. Agencies should consider developing an induction program to ensure audit committee members have access to the relevant information and are able to gain an adequate understanding of the agency and its operations. The following is a list of areas to consider in the development of an induction program.

Suggested information/steps to include in an induction kit (Included?)

Meet with key personnel
To assist in obtaining an adequate understanding of the financial situation and the industry within which the public sector agency operates, members should meet:
– the Accountable Officer (where applicable);
– the Board, or representatives from the Board (where applicable); and
– appropriate senior or key members of management (for example the CEO, CFAO etc.).
[16] This is a mandatory requirement as per Direction 2.2 (h) (Direction Requirement 4 (h)).
[17] This is a mandatory requirement. Please refer to Direction 2.2 (f) and (g) for specific membership details (Direction Requirement 4 (f),(g)).
[18] This is a mandatory requirement. Further detail is outlined in Direction 2.2 (n), (o), (p) and (q) and Guidelines 6 and 7 (Direction Requirement 4 (n),(o),(p),(q)).
[19] This is a mandatory requirement. Further detail is outlined in Direction 2.2 (l) and (m).
[20] This is a mandatory requirement as per Direction 2.2 (s) (Direction Requirement 4 (s)).
[21] This is a mandatory requirement as per Direction 2.2 (r) (Direction Requirement 4 (r)). Also refer to further information available in this material.

Provide general information about the agency
- Outputs, products and services of the agency.
- Overview of the governance, risk management and internal control framework.
- Major statutory or other reporting requirements.
- Financial and accounting policies along with details of major financial reporting systems.
- Areas of risk (both financial and non-financial), ideally presented in a summary risk profile or equivalent.
- Overview of any outsourced service arrangements or major contracts.
- Areas of recent or immediate particular concern.
- Any involvement in litigation or other disputes with third parties.
- Contingencies being faced.
- Code of Conduct, Code of Financial Practice and the audit committee’s role in overseeing management’s monitoring of compliance with the Codes.
- Organisational structure with details about the senior management team.
- Any recent or planned systems modifications or organisational restructures.

Provide audit committee information
- The audit committee charter outlining its role and responsibilities, composition, structure and membership requirements.
- Copies of recent audit committee minutes and reports from the audit committee to the Responsible Body.
- The annual audit committee programmes/plan detailing the number, date, time and standing agenda items for each meeting etc.

Other committee arrangements
- Details of relevant Responsible Body sub-committees and other relevant committees, including their charters, for example Finance Committee, Risk Management Committee etc.
- External advisors available to support the relevant committees, including the audit committee.
- Public sector agency staff available to support the relevant committees, including the audit committee.

Internal audit arrangements
- The governance and reporting arrangements for internal audit.
- The responsibilities of the internal audit function, i.e. fraud, risk management, internal controls etc. This could be achieved by providing a copy of the Internal Audit Charter and/or the contract with the outsourced provider (where relevant).
- Details about the internal audit team: their qualifications/experience, scope of services, period of contract, fees etc. (where relevant).
- The current year’s internal audit plan, and future years if applicable, and the status of work against the approved plan.
- Examples of information the audit committee receives from internal audit, e.g. recent and previous reports.
- Results of recent independent reviews that were not included in the internal audit plan.

External audit arrangements
- The scope and timing of the external audit and/or the latest audit strategy and status for the current year.
- Examples of information the audit committee receives from the external auditors.
- The audit committee’s relationship with the Auditor-General’s Office and/or its service providers.

Audit committee relationships and reporting
The audit committee should report directly to the Responsible Body.
It is usually a sub-committee of the Responsible Body that has no separate authority unless this has been specifically delegated. The responsibility for decisions, performance and outcomes of the agency therefore remains with the Responsible Body. It is essential that the audit committee, management, and internal and external auditors work with a common purpose in improving financial reporting and the effectiveness of internal controls. To succeed with this, audit committees should work closely with management and internal audit within an agency to ensure relevant information is obtained and reported in a timely manner.

Areas to consider including in an audit committee charter (Included?)

Relationships and access[22]
Outline the audit committee’s access to, for example:
– the internal and external auditors without the presence of management;
– the Accountable Officer, CFAO and management; and
– independent expert advice.
Include that the audit committee has the right to seek explanations and additional information, and the ability to seek assistance to undertake its oversight responsibilities.
Detail the evaluation and review responsibilities, including:
- evaluate at least annually the committee’s own performance and report the results to the Responsible Body,[2] including a review of the individual members and of the committee collectively (see Attachment 2 for a template questionnaire);
- formally assess the achievement of duties specified in the charter and report findings to the Responsible Body;
- requirements for the approval and review of the audit committee charter, including for example:
  – review the audit committee charter periodically but at least every three years, with recommendations for updates approved by the Responsible Body;[4]
  – that the Responsible Body is to approve the audit committee charter (including any proposed changes and/or amendments);[4] and
  – details of a resolution process for situations where the audit committee or individual members cannot obtain adequate access to, or response from, the Responsible Body, CFAO and/or management.

[22] These are mandatory requirements as per Direction 2.2 (t), (u) and (v) (Direction Requirement 4 (t),(u),(v)).

Overview of other audit committee requirements under the Directions
There are a number of other Direction requirements to be met by audit committees beyond those articulated in Direction 2.2. The table below provides a summary of the high level detail of the Directions that relate to audit committees. Please refer to the Directions for specific information.

High level detail of Directions relating to audit committees (Complete?)

Direction 2.2 Financial governance – audit committees
- Mandatory requirements for this Direction are outlined in the audit committee charter checklists above.

Direction 2.5 Internal audit
- Approve the internal audit charter.
- Approve the internal audit plan.
- Annually review the focus of the internal audit plan and its fit with the risk profile and work of external audit.
- Annually review internal audit’s performance.
- Annually confirm that the internal auditor has not been influenced by management and/or has had problems with management.
- At least annually meet privately with internal audit.
- Fulfil the following tasks:
  – approve management responses to audit recommendations;
  – monitor actions taken to resolve audit issues identified; and
  – advise management to adopt recommendations on a timely basis.

Direction 2.6 External audit
- Members are to have a clear understanding of the role of the external auditor (the Auditor-General).
- Consider results from the external audit.
- Invite the external auditor to attend relevant meetings. Discussions are to include:
  – proposed audit objectives;
  – briefing on the process;
  – accounting issues potentially impacting the financial statements; and
  – outcomes of the audit.
- At least annually meet privately with external audit.
- Monitor rectification of issues identified by the Auditor-General and investigate reasons for any material adjustments to the accounts.

Direction 4.2 Reporting requirements in terms of Part 7 of the FMA
- Review and recommend the financial statements prior to finalisation and submission (if relevant, e.g. if delegated by the Responsible Body).

Direction 4.5.1 Compliance with Directions
- Annual review of the FMCF compliance certification checklist (where relevant, e.g. if delegated by the Responsible Body),[23] including:
  – review the results of the annual Financial Management Compliance Framework certification process prior to its finalisation, based on: an understanding of the business; prior management reporting of the implementation of financial management compliance action/rectification plans; internal audit findings on work performed; and findings of any external audit reviews;
  – make enquiries of management in relation to any identified or emerging issues and their associated rectification plans;
  – include financial management compliance as a standing audit committee agenda item;
  – ensure that internal audit continues to be proactive in the monitoring of financial management compliance and risk areas;
  – encourage management to implement a culture of compliance throughout the entity; and
  – review implementation of the Victorian Government Risk Management Framework and check the annual attestation by the Accountable Officer.

Direction 4.5.2 Taxation
- Annual tabling of certification of compliance with tax rules (where relevant, e.g. if delegated by the Responsible Body);[12]
- Active involvement in tax compliance matters;[24] and
- Obtain regular reports and updates from management on the tax position, any issues and the compliance status of the agency.[13]

Direction 4.5.3 Purchasing card
- Oversee compliance with the Rules and consider them in the broader risk management strategy of the agency, e.g. include in the internal audit program.[13]
- In the event of a significant instance of unauthorised use of the purchasing card, obtain a report as soon as the inquiry into the issue is complete. Note that the report is also sent to the Minister for Finance and the agency’s minister.
- Where the Accountable Officer uses a purchasing card, the Chairperson is to authorise expenses incurred.

Direction 4.5.4 Thefts and losses
- Active involvement in the monitoring and reporting of thefts and losses.[13]

Direction 4.5.5 Risk management compliance
- Agree with the agency’s attestation of compliance with the Victorian Government Risk Management Framework.[13]

[23] Note: This is not a mandatory requirement as per the Directions, rather good practice as outlined in the Guideline to the Direction.
[24] Note: This is a requirement of the Rules or Framework accompanying this Direction.
Attachment 1
Template for an Audit Committee and/or Internal Audit exemption application

User note: this template is generic and must be amended to suit.

<Minister for Finance>
<name and address details>
<>
<>

<Date>

Application for exemption – Standing Directions of the Minister for Finance under the Financial Management Act 1994

Dear Minister

I am writing to apply for an exemption from certain provisions of the Standing Directions of the Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994 for the <insert financial year> financial year.

The table below details the specific Direction(s) which this agency seeks an exemption from, the reason for exemption and the proposed alternative procedure(s) or action(s).

Direction reference | Direction | Reason | Alternative procedure/action
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>
<insert ref> | <insert Direction> | <insert reason> | <insert procedure/action>

<Attach appropriate documentation to support reason for exemption>
<Attach copy of latest audited financial statements and accompanying notes>

Should you wish to discuss the matter, please contact <insert names and phone numbers of relevant contacts>.

Yours sincerely

<signed by the Chair of the Responsible Body>
<Title>
<Agency>

cc: Manager, Financial Management Framework Team, Department of Treasury and Finance.[25]

[25] A copy of this letter should be sent to the Manager, Financial Management Framework Team, Department of Treasury and Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002.

Attachment 2
Template for an Audit Committee
Audit Committee self-assessment questionnaire

User note: This template is generic and must be amended to suit.
Audit Committee self-assessment questionnaire

Introduction
The purpose of the review is to enable the Audit Committee members to critically assess the Committee’s operations and performance and either:
- confirm the appropriateness of existing procedures; or
- provide suggestions for improvements to procedures.

The survey asks you to consider how well the committee has performed in relation to the major functional areas defined in the charter.[26] The results of the survey, and its discussion at the meeting, will form the basis of a report to the Responsible Body.

Process

Action | Timing
Committee members complete survey. |
Survey results to be consolidated by <insert appropriate officer>. |
Committee discusses survey results and potential improvements. |
Committee agrees a self-assessment rating and actions it will undertake to improve performance. |
Committee reports agreed survey results and suggested improvements to the Responsible Body for endorsement. |

Please complete and return the attached questionnaire to <insert appropriate officer> by <insert date> in order for the results to be collated and a report prepared for <insert date of appropriate Audit Committee>.

The Audit Committee’s charter and annual work-plan[27] should be referred to when answering the questionnaire.

Respondents are not limited to the space provided. If additional space for comments is required, please either use the reverse side of the page, or attach an additional sheet at the end of the questionnaire.

If you have any queries about the questionnaire itself or the process and timing of its completion, please contact <insert appropriate officer>.

Survey – rating scale
Questions ask you to assess the performance of the committee in relation to its activities as described in the charter. Using the rating scale below as a guideline, circle the number that best reflects your assessment.
[26] This survey is based on the ‘Purpose and Objectives’ as described in the example Audit Committee Charter provided as part of the guidance material to accompany the Ministerial Directions to the Financial Management Act 1994. Refer to Appendix A for detail. The specific questions will need to be tailored to the specific requirements of the public sector agency’s Audit Committee’s Charter and Membership.
[27] Where an annual plan exists.

Rating | Description
0 | No evidence that the committee has met any of its responsibilities in this area. Extensive improvements required, approaching worst in field.
2–3 | The committee has partially met some of its responsibilities in this area. Considerable improvements required.
5 | The committee has fully undertaken some of its responsibilities in this area. Major improvements required, approaching middle of field.
7–8 | The committee has fully undertaken most of its responsibilities in this area. Minor improvement required, but approaching best in field.
10 | The committee has fully undertaken all its responsibilities in this area. It would be expected that independent assessment would find that <insert name of public sector agency> is a leader in this field.

Name:

1. How well is the Audit Committee achieving its purpose and objective to oversee:
a. Financial performance and the financial reporting process, including the annual financial statements.
   0 1 2 3 4 5 6 7 8 9 10
b. The scope of work, performance and independence of internal audit.
   0 1 2 3 4 5 6 7 8 9 10
c. Ratifying the engagement and dismissal by management of any chief internal audit executive.
   0 1 2 3 4 5 6 7 8 9 10
d. The scope of work, independence and performance of the external auditor.
   0 1 2 3 4 5 6 7 8 9 10
e. The operation and implementation of the risk management framework.
   0 1 2 3 4 5 6 7 8 9 10
f. Matters of accountability and internal control affecting the operations of the public sector agency.
   0 1 2 3 4 5 6 7 8 9 10
g. The effectiveness of management information systems and other systems of internal control.
   0 1 2 3 4 5 6 7 8 9 10
h. The acceptability of, and correct accounting treatment for and disclosure of, significant transactions which are not part of the public sector agency’s normal course of business.
   0 1 2 3 4 5 6 7 8 9 10
i. The sign-off of accounting policies.
   0 1 2 3 4 5 6 7 8 9 10
j. The public sector agency’s process for monitoring compliance with laws and regulations and its own code of conduct and code of financial practice.
   0 1 2 3 4 5 6 7 8 9 10
k. Reasons for your assessment.
l. What are your suggested improvements?

2. How well has the Audit Committee interacted with the internal audit function of <insert name of public sector agency>?
   0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?

3. How well has the Audit Committee undertaken its responsibility to provide an independent and objective review of the financial statements presented by <insert name of public sector agency> to Parliament?
   0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?

4. How well has the Audit Committee undertaken its responsibility to report periodically to the Responsible Body and senior management on the activities of the committee?
   0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?

5. How well has the Audit Committee undertaken its responsibility to satisfy itself that appropriate action is taken on matters raised in respect of <insert name of public sector agency> by the Auditor-General and Internal Audit?
   0 1 2 3 4 5 6 7 8 9 10
a. Reasons for your assessment.
b. What are your suggested improvements?
User guide to Standing Direction 2.3
Direction requirement 5
Financial risk management

Introduction
Direction 2.3 of the Standing Directions of the Minister for Finance (the Directions) outlines a number of requirements that agencies need to adopt in relation to managing risks associated with financial management. In particular, Direction 2.3 requires agencies to:
- ensure that there is a financial risk management policy and internal control system in place; and
- implement an effective framework to identify, assess, monitor, manage and report, on an ongoing basis, the significant financial risks to which the agency is exposed as a result of, and in the course of, its activities and responsibilities.

Implementation and operation of an agency’s financial risk management framework rests with management within that agency. Oversight of the framework and its operation rests with the Responsible Body. The management of financial risks may be a component of an agency’s overall enterprise-wide risk management framework in line with the Victorian Government’s Risk Management Framework.[28]

This material provides an overall checklist for:
- oversight by the Responsible Body of the framework and its operation; and
- steps to assist in the implementation of the agency’s financial risk management framework.

Oversight by the Responsible Body
The Responsible Body may use its Audit Committee to oversee the effective operation of the financial risk management framework.
As detailed within Direction 2.3(a) of the Directions, the Responsible Body must:

Requirements in Direction 2.3(a) (Achieved / Yet to be achieved)
The Responsible Body has:
- ensured that there is a financial risk management policy in place within the agency;
- ensured that the financial risk management policy outlines roles, responsibilities and accountabilities of the Responsible Body, audit committee, management and internal audit;
- ensured management has implemented an effective financial risk management framework;
- a clear understanding of the significant financial risks facing the agency;
- regularly, and at least annually, critically appraised and challenged the financial risk profile prepared by management;
- provided clear guidance on the level and categories of financial management risk it regards as acceptable for the agency;
- provided oversight and supervision of financial management risks and the implementation of the related management plans/treatment strategies; and
- regularly, and at least annually, reviewed the effectiveness of the agency’s system of risk management and internal control.

[28] Direction 4.5.5 outlines the requirements in relation to Risk Management Compliance and the Victorian Government’s Risk Management Framework.

Implementation of a financial risk management framework
In order to satisfy the requirements of Direction 2.3, a financial risk management framework could be structured using the following components.

Financial risk management framework and processes in relation to:
- day-to-day financial activities;
- budgeting processes; and
- monitoring and reporting activities.

Guidance for potential steps within each component is detailed below in the form of a checklist.
Day-to-day financial and risk management processes

Step | Example of detail for potential steps (Yes / No / N/A)
1 | Identification of significant financial management processes. This may vary from agency to agency depending on the nature of operations of the agency.
2 | Ensure that adequate and up-to-date policies and procedures exist for significant financial management processes.
3 | Document the key ‘compliance’ and ‘operations’ objectives for each financial management process identified.[29]
4 | No less than annually, identify and assess the risks relevant to the achievement of those objectives.
5 | Based on the risks identified, identify the key controls which reduce their likelihood and/or impact and determine whether residual risk is reduced to an acceptable level (i.e. assess design effectiveness).
6 | Where deficiencies in internal control are identified, develop action plans to remediate.
7 | Develop and undertake a program of activities to obtain assurance that the key elements of internal control operate effectively throughout the year (i.e. assess operating effectiveness). This may include a combination of: testing of key internal control activities by internal audit; risk and control assessment by management and staff; and management and staff representations over the operation of internal controls.
8 | Where internal controls are not operating as intended, develop and implement appropriate remedial action plans.

[29] Supplementary Material on Direction 2.2 ‘Financial Governance’ outlines the steps that should be taken in order to manage risks associated with the financial reporting process. It is recommended that the steps outlined here be read in conjunction with that Supplementary Material and that agencies combine their activities to respond to Directions 2.2 and 2.3.

Budgeting processes

Step | Example of detail for potential steps (Yes / No / N/A)
1 | At the commencement of each budget planning process an agency should take into account the following: the strategic plan; the annual plan development with project identification; identification of risks and risk response strategies; communication to relevant internal and external stakeholders; and potential funding arrangements.
2 | Each agency should develop detailed financial budgets consistent with the framework, either on a rolling or annual basis, to be aligned with strategic and other business plans.
3 | As part of the budget development process, sensitivity analysis should be conducted around those assumptions and variables that could materially impact budgeted outcomes.
4 | For each variable that could materially impact budgeted outcomes, risk response strategies should be considered and action plans developed as appropriate.
5 | Management should submit the proposed budget to the Responsible Body for approval.
6 | The Responsible Body should review the proposed budget, including sensitivity analysis around key assumptions and variables as well as management’s proposed risk response strategies, and approve where satisfied.

Monitoring and reporting activities

Step | Example of detail for potential steps (Yes / No / N/A)
1 | Continue to monitor financial performance against budget throughout the course of the year, both at management and Responsible Body levels.
2 | Identify new financial risks as they emerge and/or change.
3 | Re-forecast budgets at least quarterly, or more frequently if necessary, and submit to the Responsible Body for review.
4 | Periodically throughout the course of the year review the financial risk profile at both management and Responsible Body levels.
This would include:
- status of key assumptions and variables underlying budgets;
- status of key risks identified in financial processes (including any new risks identified);
- status of action plans arising from the financial risk assessment exercise;
- the operation of key financial control activities (as per the assurance activities described above); and
- any control-related observations made by the agency’s assurance providers, e.g. external and internal auditors.

User guide to Standing Direction 2.4
Direction requirement 6
Authorisations

Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to establish and maintain authorisations for the overall financial management of the agency under Direction 2.4 (Direction Requirement 6). The authorisations must include any financial obligations, including contingent liabilities, arising on behalf of the agency. Direction 2.4 outlines a number of detailed requirements in relation to authorisations. The table below outlines areas to consider in relation to the implementation of authorisations.

Areas and detail to consider in relation to authorisations (Considered?)

- The agency has clearly defined authorisations/delegations in place for all financial obligations made on behalf of the agency that:
  – refer to positions rather than specific individuals; and
  – are allocated to positions that have an appropriate level of authority.*
- Processes are in place to ensure:
  – authorisations cease immediately when the position has a change in title or there is a material change in the duties of the position;
  – internal controls are not compromised where multiple financial authorisations are assigned to a single position;
  – continuous running of the agency in the absence of the holders of an authorised position, e.g. a person acting in a position;* and
  – re-assessment of financial authorisations where the agency is restructured, e.g. a restructure affecting 50 per cent or more of the positions.*
- Documentation to support authorisations is:
  – retained in line with legal requirements for document retention and record keeping, including an ability to track changes made to authorisations over time; and
  – maintained in a register of financial authorisations. The register contains, for example, the:
    – list of positions holding financial authority for transaction types;
    – transaction types, e.g. requisitions, liabilities, payment approval;*
    – dollar amounts and caps for transaction and authorisation types;* and
    – list of staff names holding positions, with regular updates of the list.*
- The Responsible Body[30] at least annually reviews and, where relevant, makes changes to the agency’s authorisations, including the:
  – positions holding authorisations;
  – categories and types of financial authority;
  – processes and controls over authorisations;* and
  – maintenance of the register of financial authorisations.
- A financial authorisation cannot be given to:
  – another position without appropriate authority/approval, i.e. not just an authorised individual; or
  – a contractor or consultant.

* denotes considerations that are not mandatory requirements in Direction 2.4.

[30] In the case of a Government Department, the Responsible Body for the purposes of this Direction is the Minister. The Minister may delegate to the Department’s Secretary some or all of the responsibilities for this Direction, but only up to the Secretary’s Accreditation Limit as defined by the Victorian Government Purchasing Board’s purchasing accreditation of the Department. Refer to the Standing Directions for further detail.

Further considerations for the Responsible Body
The Responsible Body should also consider the following as part of the annual review:
- Is there any evidence of non-compliance with authorisations?
- Are there instances where authorisations are not operating effectively?
- Is there any evidence of fraud?
- Are there any concerns about conflicting authorisations?
- Have there been any significant changes to the structure, objectives and roles of the agency?

If the answer to any of the above questions is ‘yes’, the matter should be investigated further and a complete review of the authorisations and relevant controls and processes should be considered.

User guide to Standing Direction 2.5
Direction requirement 7
Internal audit

Introduction
Direction 2.3 (Direction Requirement 7) of the Standing Directions of the Minister for Finance (the Directions) requires, unless an exemption has been obtained, an agency to establish and maintain an adequately resourced independent internal audit function appropriate for its needs.

Purpose of internal audit
The Institute of Internal Auditors globally defines internal auditing as follows:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an agency to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

Internal audit is a part of an agency’s governance framework. It works with management and the Responsible Body to provide an independent and objective assessment of the efficiency and effectiveness of controls, potential control gaps and whether controls in place are working as intended. The role of internal audit also includes the development of practical and useful recommendations for improvement, to enhance opportunities and address control deficiencies.
Internal audit coverage
Internal audit can cover all aspects of an organisation’s functions, for example:
- financial processes and controls;
- operational processes and controls;
- risk management framework monitoring;
- IT controls, including information quality, integrity and reliability;
- project/program management; and
- special investigations and ad hoc reviews.

Resourcing internal audit
The work of internal audit is to be carried out by suitably qualified staff who are independent of management and free from operational duties. The internal audit function can be resourced in-house, through a co-sourcing arrangement or fully outsourced.

Access for internal auditors
The internal auditors should have access across the organisation to ensure an in-depth understanding of the business, culture, systems and processes can be developed.

Processes for obtaining exemption for an internal audit function
The Directions permit agencies to apply for an exemption from establishing an internal audit function. A number of parameters must be met to ascertain whether an agency is permitted to apply for an exemption. The exemption process is outlined in the steps below. Also, Attachment 1 provides a template for the exemption application.

Internal audit exemption process

Step 1 – Agency size
A number of parameters are taken into account when determining an agency’s size and eligibility for exemptions. The parameters are total budget, total assets, number of full time equivalent employees, and financial risk profile; the scores for these parameters must be totalled. The table below provides scores for each parameter. Agencies with an aggregate score (across all four parameters) of:
– less than or equal to 10 are able to seek an exemption, continue to Step 4; or
– more than 10 cannot seek an exemption.
Step 2 – Exemption application
Agencies that meet the requirements can seek an exemption via a written submission to the Minister. A copy of the submission must be sent to DTF with a set of the agency’s most recently audited financial statements. See the example template exemption letter.

Step 3 – Exemption approval
Exemption applications are assessed on a case by case basis and DTF may request additional information. Exemptions are only granted for the one compliance year (1 July to 30 June). Agencies granted an exemption must follow the ‘exemption confirmation process’ the following year.

Scoring parameters for Step 1 – Internal audit exemption

  Parameter                                     Small    Score   Medium      Score   Large   Score
  Total Budget[1]                               <$10m    2       $10m-$20m   4       >$20m   6
  Total Assets[2]                               <$10m    2       $10m-$20m   4       >$25m   6
  Number of full time equivalent employees[3]   <20      2       20-50       4       >50     6

  Financial Risk Profile
  Low (score 2): Agency has responsibility for managing their budget with no significant financial transactions with third parties.
  Moderate (score 4): Agency has responsibility for managing their budget with limited significant financial transactions with third parties.
  High (score 6): Agency has responsibility for managing its budget with significant transactions with third parties.

[1] Total Budget $m refers to Total Budgeted Expenditure.
[2] Total Assets $m amount should be derived from the last audited financial statements.
[3] A measurement equal to one staff person working a full-time work

Processes for obtaining exemption confirmation for an internal audit function
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only. Agencies requiring extensions on their exemptions need to complete the exemption confirmation process outlined in the steps below.

Exemption Confirmation Process

Dec-Jan – Agencies notify DTF
Agencies that have previously been provided exemptions must confirm to DTF that:
- an exemption is still required; and
- there have been no changes in the circumstances surrounding the agency.
Agencies must inform DTF of situations where:
- there has been or will be some change to its operating or governance structures;
- its operating functions or parameters have been or will be altered;
- it is subject to litigation or pending litigation;
- the agency has previously been the subject of media attention regarding its financial management activities;
- the agency is subject to an internal or external review of any kind;
- a significant or material internal control weakness has been identified and is yet to be rectified;
- the Auditor-General has provided a qualified audit opinion;
- the Auditor-General has been unable to provide an audit opinion on the agency’s financial statements; or
- there has been a change in the financial and/or political circumstances surrounding the agency.

Feb – Assessment
Agency responses are collated and assessed accordingly. If the circumstances of the agency have altered, the agency will be assessed using the exemption criteria.

Mar – DTF extends exemptions
DTF writes to agencies, informing them whether their exemption(s) have been extended for the current compliance year.

Internal audit charter
An agency should define the purpose, responsibilities and accountability of its internal audit function in an internal audit charter. The development of an internal audit charter is a Direction requirement. The following checklist outlines areas and detail to consider including in an internal audit charter. Please note that the mandatory Direction requirements are referenced.
Areas and detail to consider including in an internal audit charter (Included?)

Purpose of the charter
Detail the functional and organisational framework for internal audit to operate.

Role of internal audit
Define the role of internal audit, for example:
- The role of internal audit is to provide objective assurance to the Audit Committee/Board on the state of risks and internal controls, providing management with recommendations to improve the management of the agency’s risks and enhance controls.
- The role of internal audit is also to assist management in improving the entity’s business performance.

Authority and accountability
Outline reporting and authority of the internal audit function including, for example:
- that the internal audit function reports to senior management;[31]
- that the head of internal audit reports to the audit committee, which approves and advises the Board on the appointment or dismissal of the head of internal audit; and
- that the head of internal audit is responsible for setting the overall direction of internal audit activities and reports.

Independence
State the independence requirements, for example:
- Internal audit must be independent of the activities and processes it appraises in order to be able to perform its duties in an objective manner and provide impartial advice to management and the board.[31]
- Internal audit has no line responsibility or authority over any of the activities or operations it reviews.

Access
Ensure that the internal auditor has direct access to the Chairman of the audit committee.[31]
State internal audit’s accessibility to information, for example:
- Internal audit has full, free and unrestricted access to all records and documentation to fulfil its responsibilities.[31]
- Internal audit has the authority to seek any information it requires to fulfil its responsibilities from any employee.[31]

[31] This is a mandatory requirement for the internal audit charter as per Direction 2.5(a) (Direction Requirement 7(a)).
Internal audit planning
Detail the requirements in relation to the internal audit plan including, for example:
- that the internal auditor is to develop an annual internal audit plan to address the relevant elements of the agency’s risk profile;[32]
- that the internal audit plan is to be approved by the audit committee;[33]
- that the audit committee annually review the adequacy and focus of the internal audit work plan and its fit with the public sector agency’s risk profile and the work of the external auditors;[34] and
- that the internal audit plan is typically developed for a three year period to show the coverage across the business over a three year cycle.

Reporting
Outline internal audit’s reporting requirements including, for example:
- report on the overall state of controls to the audit committee at least once annually;
- provide a quarterly summary report to the audit committee;
- discuss all reports with management before they are finalised and issued; and
- issue a report for every review performed, containing at a minimum:
  – scope of review;
  – findings/issues/observations identified as a result of the review, rated by priority and/or risk level;
  – recommendations for improvement relating to findings/issues raised and overall observations; and
  – agreed management actions and/or remediation plans with timelines and responsibilities.

Implementation and monitoring of internal audit outcomes
Outline the requirements for implementation and monitoring of internal audit including, for example:
- that the audit committee approve, review and direct (where appropriate) management’s planned actions and response to advice and recommendations received from the internal auditor;[35]
- that the audit committee monitor actions taken by management to resolve issues raised by the internal auditor;[35] and
- that the audit committee advise management to adopt and address the accepted recommendations from the internal auditor on a timely basis.[35]

Review of the internal audit function
Outline the review requirements in relation to the internal audit function including, for example:
- that the audit committee annually review the internal audit function’s performance, its authority, the adequacy of its resources and the proposed allocation of those resources;[36]
- that the audit committee annually take steps to confirm that the internal auditor has not been unduly influenced by management or experienced any problems with management;[36] and
- that the audit committee annually meet separately and privately with management and the internal auditors if necessary to ensure free, frank and open communications.[36]

Approval and review of the internal audit charter
Detail the requirements for the approval and review of the internal audit charter including, for example:
- the audit committee is to approve the internal audit charter (including any proposed changes and/or amendments);[31] and
- review the internal audit charter at least annually to ensure it remains consistent with current strategy and objectives.

[32] This is a mandatory requirement for internal audit as per Direction 2.5(b) (Direction Requirement 7(b)).
[33] This is a mandatory requirement for internal audit as per Direction 2.5(c) (Direction Requirement 7(c)).
[34] This is a mandatory requirement for internal audit as per Direction 2.5(d) (Direction Requirement 7(d)).
[35] This is a mandatory requirement for internal audit as per Direction 2.5(e) (Direction Requirement 7(e)).
[36] This is a mandatory requirement for internal audit as per Direction 2.5(d) (Direction Requirement 7(d)).
Annual internal audit plan
Agencies must develop an internal audit plan annually that sets out the key areas for internal audit review for the upcoming year. Ideally the internal audit plan would be a three year rolling plan that identifies areas to be covered across a three year period, including those reviews undertaken annually, i.e. high risk areas and/or reviews to meet legislative requirements, e.g. payroll in large organisations and/or purchasing card reviews as per FMCF requirements.

The internal audit plan should be developed in conjunction with the internal auditor (and approved by the audit committee) to address relevant elements of the agency’s risk profile. Considerations include:
- Does the internal audit plan address key risks of the agency?
- What operational processes and key controls are involved in these risk areas?
- Are sufficient time and resources allocated in the plan to reviewing the control environment for the risks?

Attachment 1
Template for an audit committee and/or internal audit exemption application

User note: This template is generic and must be amended to suit.

<Minister for Finance>
<name and address details>
<>
<>

<Date>

Application for exemption – Standing Directions of the Minister for Finance under the Financial Management Act 1994

Dear Minister

I am writing to apply for an exemption from certain provisions of the Standing Directions of the Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994 for the <insert financial year> financial year.

The table below details the specific Direction(s) which this agency seeks an exemption from, the reason for exemption and the proposed alternative procedure(s) or action(s).

  Direction Reference   Direction            Reason            Alternative procedure/action
  <insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>
  <insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>

[Attach appropriate documentation to support reason for exemption]
[Attach copy of latest audited financial statements and accompanying notes]

Should you wish to discuss the matter, please contact <insert names and phone numbers of relevant contacts>.

Yours sincerely

<signed by the Chair of the Responsible Body>
<Title>
<Agency>

cc: Manager, Financial Management Framework Team, Department of Treasury and Finance.[37]

[37] A copy of this letter should be sent to the Manager, Financial Management Framework Team, Department of Treasury and Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002.

User guide to Standing Direction 2.6
Direction requirement 8
External audit

Introduction
The Victorian Auditor-General is responsible for the external audit of financial operations and resource management of the Victorian public sector. Direction 2.6 (Direction Requirement 8) of the Standing Directions of the Minister for Finance (the Directions) requires an agency to establish and maintain a constructive, open working relationship with the Auditor-General and the appointed representatives. It is also a requirement of the Direction for the Responsible Body to ensure that agency staff adopt a cooperative and conservative approach with the external auditors on relevant auditing matters. The specific requirements for this Direction should be considered in conjunction with Direction 2.2 Procedures (e) to (v) in relation to the audit committee.
Defining an external audit
The objective of an external audit of the financial statements is to determine whether, in the auditor’s opinion, the statements present fairly, in all material respects, the agency’s financial position, results of operations and cashflows. Qualified auditors that are independent of the entity conduct the external audit. In the Victorian public sector the Victorian Auditor-General conducts the audits as required by the Audit Act 1994.

An external audit comprises a review of:
- an entity’s financial statements;
- the data sources, processes and reports used to compile the financial statements;
- the control environment surrounding financial systems and processes within an entity;
- the information technology procedures and controls that support the entity;
- the overall internal control environment; and
- any issues raised as a result of the audit, including the identification of any material misstatements in the financial statements.

External audit preparation
The following checklist outlines a number of suggestions to consider when preparing for the annual external audit. It is also advisable to check with the auditor for any specific requirements and/or requests for information.

Areas and detail to consider when preparing for an annual external audit (Included?)

General
- Copy of financial statements at 30 June.
- Copy of trial balance at 30 June.
- Copy of trial balance mapping to financial statements.
- Working papers supporting the notes to the accounts.

Revenue
- Copy of confirmations for contributions received at 30 June.
- Listing of grants received from the Department and other sources at 30 June.
- Transaction listing of other revenue.
- Transaction listing of sales of goods.

Expenditure
- Transaction listing of payments, including expenditure account codes.

Payroll
- Gross pay per payroll cycle, including number of staff paid per cycle.
- Payroll reconciliation – reconciling the payroll system to the finance system/general ledger and financial statements at 30 June.

Cash
- Bank reconciliation at 30 June.
- Access to monthly bank statements.
- Copy of responses to bank confirmations for 30 June.
- Supporting documentation for the agency’s bank balances at 30 June.

Receivables
- Trade debtors reconciliation at 30 June.
- Aged trade debtors listing at 30 June.
- Listing of other receivables at 30 June.
- Analysis of trade debtors and doubtful debts.
- BAS as at 30 June.

Inventories
- Listing of inventories at 30 June.
- Assessment of inventories – provision for obsolescence.

Prepayments
- Schedule of prepayments at 30 June.

Property, plant and equipment
- Listing of asset additions at 30 June.
- Listing of asset disposals at 30 June.
- Fixed asset reconciliation between the fixed asset register and the general ledger at 30 June.
- Fixed asset movement schedule at 30 June.
- Asset revaluation report (if applicable).
- Supporting work papers for the analysis of the revaluation of PPE.

Payables
- Trade creditors reconciliation at 30 June.
- Aged trade creditors listing at 30 June.
- Listing of accrued expenditure at 30 June.
- Sundry creditors reconciliation at 30 June.
- Sundry creditors listing at 30 June.

Employee provisions
- Long service leave liability calculation at 30 June.
- Annual leave liability calculation at 30 June.
- Supporting documentation for other employee provisions at 30 June.

Commitments
- Schedule of capital expenditure commitments at 30 June.
- Schedule of lease commitments at 30 June.
- Schedule of other expenditure commitments at 30 June.

Cashflow
- Working papers to support cashflow calculations.

Financial information
- Report on movements in equity and reserves at 30 June.
- Supporting documentation for auditor’s remuneration at 30 June.
- Supporting documentation for Executive Officer remuneration at 30 June.
- Supporting documentation for superannuation disclosure at 30 June and applicable actuary reports for defined benefit superannuation schemes.
- Correspondence responses received from solicitors for 30 June.
- Access to the recurring/standing journal folder for the financial year.
- Supporting documentation for trust account balances and/or corporate donations at 30 June.
- Supporting documentation for contingent assets and liabilities at 30 June.

User guide to Standing Direction 3.1
Financial management structure

Including:
  3.1.1   Direction Requirement 9             Public sector agency Financial Management Team Structure
  3.1.2   Direction Requirements 10 and 11    Chief Finance and Accounting Officer (CFAO): CFAO Credentials; CFAO Endorsement
  3.1.3   Direction Requirement 12            Policies and procedures
  3.1.4   Direction Requirement 13            Chart of Accounts
  3.1.5   Direction Requirements 14 and 15    Managing Outsourced Financial Services: Outsourcing governance; Audit scrutiny

User guide to Standing Direction 3.1.1
Direction requirement 9
Public sector agency financial management team structure

Introduction
Standing Direction 3.1.1 (Direction requirement 9) of the Minister for Finance outlines requirements in relation to an agency’s financial management team structure. The Direction states that:

The Chief Finance and Administration Officer (CFAO) must ensure that there is a structure for the financial management team with clearly defined roles and responsibilities to adequately support sound financial management.

This supplementary material provides an outline and high level guidance in relation to the detail within the Direction.
Financial management team documentation
Direction 3.1.1 specifically requires an agency’s financial management team to have defined and documented the:
- team structure;
- roles and responsibilities for each position, with effective and efficient allocation of tasks and resources; and
- prerequisite skills, qualifications and experience required for each position.

Documentation should take into account:
- review and monitoring processes across the finance function to ensure responsibilities are allocated to specific positions;
- segregation of conflicting duties, i.e. no one person should have the ability to perform, approve or oversee the preparation, processing and reviewing of an overall financial function or transaction without the involvement and/or oversight of others; and
- roles that have a number of duties across the agency, e.g. within the financial function, administration and management of an agency and/or human resources.

Financial management functions
There are a number of functions within financial management, including:
- budgeting;
- financial reporting;
- accounts receivable/payable;
- procurement;
- taxation;
- asset management;
- financial systems;
- accounting policies;
- cash management;
- project management – financial aspects (for further details see User Guide for Standing Direction 3.2.4 – IT Development);
- payroll; and
- management reporting.

These areas and functions should be considered when defining the structure and allocating roles and responsibilities within the financial management team.
Roles that cover financial management functions
A financial management team may include the following roles (depending on the size and nature of the agency/department):
- CFAO;
- Financial controller(s);
- Supervisors/managers for key financial activities (for example, accounts payable, accounts receivable, management reporting, budgeting, payroll, general ledger etc.);
- Clerical/administrative/processing staff for each key financial activity;
- Corporate card, fleet, lease and asset management administrator(s);
- Contract administrator;
- Payroll administrator; and
- System administrator(s) for the various financial management systems.

User guide to Standing Direction 3.1.2
Direction requirements 10 and 11
Chief Finance and Accounting Officer (CFAO): credentials and endorsement

Introduction
Standing Direction 3.1.2 of the Minister for Finance relates to the financial management leadership within a public sector agency (agency). The Direction outlines requirements for an agency to appoint a Chief Finance and Accounting Officer (CFAO) with the appropriate credentials, i.e. suitable experience and qualifications (Direction Requirement 10). The Direction also requires the CFAO to endorse financial reports to senior management, the Responsible Body and other boards or management groups (Direction Requirement 11).

This supplementary material provides an outline and high level guidance in relation to the detail within Direction 3.1.2, including:
- CFAO credentials (Direction Requirement 10);
  – qualifications;
  – potential examples of competencies for a CFAO;
  – potential examples of key responsibilities for a CFAO;
- CFAO endorsement of financial information (Direction Requirement 11);
  – endorsement; and
  – access to the Responsible Body.

CFAO credentials (Direction Requirement 10)
The role of the CFAO must have a clearly defined position description with prerequisite skills, qualifications and experience.
The duties, rights and responsibilities must also be clearly defined and documented.

Qualifications
The guidelines to the Direction state that a CFAO should hold at least tertiary level qualifications and membership of the Institute of Chartered Accountants in Australia (ICAA), CPA Australia, National Institute of Accountants (NIA), or equivalent.

Potential examples of key responsibilities for a CFAO
The following is a list of key responsibilities to consider for the role of CFAO:
- establishing and directing the public sector agency’s financial administrative activities and operational procedures to ensure sound financial management;
- in consultation with other senior management, making recommendations on and devising the financial policy approach and strategy of the public sector agency, as well as planning the financial operations;
- overseeing the development, implementation and monitoring of financial accounting and related systems;
- communicating changes in accounting standards (and guidance material) and taxation rulings or legislative requirements;
- directing the collection of financial and accounting information and the preparation of budgets, reports, forecasts and the various statements as required by the Model Report for Departments (issued annually by DTF);
- directing and coordinating economic research, major feasibility studies involving detailed financial analysis, and estimates of future returns on proposed investment;
- evaluating the financial aspects of proposed acquisitions, investments, or the sale of assets and giving assessments of proposals involving financial expenditure and of the financial status of syndicates, joint venture parties etc.;
- representing the agency in dealings with stakeholders, legal advisers and others as required;
- making policy decisions and accepting responsibility for operations, performance of staff, achievement of targets and adherence to budgets, standards and procedures; and
- managing the selection and training of finance staff, establishing lines of control and delegating responsibilities to subordinate staff.

CFAO endorsement of financial information (Direction Requirement 11)

Endorsement
The CFAO must endorse all financial information submitted to senior management, the Responsible Body and peak boards and management groups. The CFAO must endorse/approve the financial information, by physically signing or by other electronic means, to ensure it is:
- complete;
- reliable; and
- accurate.

Access to and involvement with the Responsible Body, executive and senior management
To assist with the understanding of financial information presented to the Responsible Body, it is recommended that the CFAO has access to the Responsible Body. This direct access creates the opportunity to question and clarify, as well as independently explain, the information presented for completeness, accuracy and improved quality.

Consideration should also be given to including the CFAO in relevant:
- executive/senior management forums, to present financial reports and to discuss financial risk management issues;
- audit committee meetings, particularly when internal audit reports relating to financial administration of the agency are presented and the financial statements are being presented for review; and
- other forums where key decisions with financial management implications are made.
User guide to Standing Direction 3.1.3
Direction requirement 12
Policies and procedures

Please refer to Section 3.4 of the user guide.

User guide to Standing Direction 3.1.4
Direction requirement 13
Chart of accounts

Introduction
The Standing Directions of the Minister for Finance (the Directions) require public sector agencies to establish and maintain a chart of accounts to accurately reflect transactions in the financial records for management decision-making purposes and to ensure compliance with external reporting requirements (Direction 3.1.4, Direction Requirement 13).

The Direction also requires that:
- the CFAO (or an approved delegate) is responsible for the development and maintenance of the chart of accounts;
- there is effective and efficient communication about the chart of accounts across an agency;
- Government departments must use the chart of accounts issued by the Minister for Finance to align activities and reporting for consistency; and
- the nature and purpose of each account within the chart of accounts is explained, so that capital, revenue and expense items are set down and to assist with the categorisation of transactions.

Structure of the chart of accounts
A chart of accounts outlines the accounts that are used to record transactions in a general ledger. Details within a chart of accounts include the:
- account name; and
- account number.

A chart of accounts is flexible and can be tailored to suit the needs and structure of an organisation. The chart of accounts is typically structured to include:
- balance sheet accounts:
  – assets; and
  – liabilities.
- income statement accounts:
  – revenue;
  – expenses;
  – profits; and
  – losses.

Additional categories should be included in each account; for example, within revenue and expenses, business functions such as producing, selling, administrative and financing could be added.
Additional accounts/information should also be reflected in the balance sheet to ensure consistency. Depending on the agency’s operations, the chart of accounts could be based on the agency’s organisational structure. For example, each business area/division could be responsible for its own expenses and oncosts such as salaries, supplies, communications, accommodation, etc. An account for each expense would then be created for each business area/division.

Alignment of the chart of accounts
An agency should ensure the structure of the chart of accounts fulfils the requirements of the portfolio and the Department of Treasury and Finance. A chart of accounts that is structured to align with the portfolio would enable straightforward and consistent reporting. A consistent chart of accounts enables financial information to be:
- analysed and compared over time (current vs previous data); and
- published in a consistent and clear format across government.

Financial reporting against the chart of accounts
Agencies should consider the structure of the chart of accounts in line with reporting requirements (annual and progressive estimates) and ensure consistency with the audited financial statements. It is recommended that agencies limit their use of ‘other’ categories in the chart of accounts, to ensure comprehensive identification of transactions and minimise queries from the portfolio and the Department of Treasury and Finance at year end.

Overall considerations for a chart of accounts
The checklist below provides an outline of high level considerations for the chart of accounts in relation to:
- development and structuring;
- day to day financial operations; and
- review and maintenance.

Chart of accounts (CoA) – checklist (Included?)

Development and structure of the CoA
- Has there been a restructure or machinery of government change impacting the CoA?
- Have any changes or updates to the CoA been approved by your agency’s CFAO or their delegate?
- Is the CoA sufficiently detailed and logically structured to allow useful and timely management reporting and financial reporting?
- Is the CoA consistent with legislative and professional accounting requirements?
- Does the CoA provide for effective departmental budgeting, reporting and monitoring of the output management principles and practices?
- Are ‘other’ categories used? Can they be reclassified?

Operations
- Is the CoA incorporated into the financial process, e.g. updating the general ledger and relevant accounts during financial payments?
- Is your CoA communicated efficiently and effectively to all officers within your public sector agency?

Review and maintenance
- Does your agency’s CoA align with the reporting requirements of the Department of Treasury and Finance (DTF), e.g. is there a map or a relationship table between your agency’s CoA and whole of government requirements as issued by DTF?
- Has the CoA been maintained and updated in a timely manner so that it meets the objectives of your agency?
- Is there a map to reference changes across years for year to year comparison?

User guide to Standing Direction 3.1.5
Direction requirements 14 and 15
Managing outsourced financial services: outsourcing governance and audit scrutiny

Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies ensure effective management of outsourced financial functions and related services (Direction 3.1.5, Direction Requirements 14 and 15).
This supplementary material has been developed to assist agencies in implementing and managing their own outsourced services, and to provide guidance for maintaining appropriate control over the end to end life cycle of outsourced functions. The material also details elements of cost benefit analysis and audit scrutiny to assist with specific aspects of Direction 3.1.5.

This supplementary material includes the following information:
- the definition of outsourcing;
- impact of legislation on outsourcing;
- spectrum of outsourcing;
- outsourcing lifecycle:
  1. strategy and approach;
  2. requirements and selection;
  3. negotiation and agreement;
  4. transition and implementation;
  5. maintenance and management;
  6. realisation of benefits;
  7. amendment or termination;
- cost benefit analysis; and
- audit scrutiny of outsourced services.

The definition of outsourcing
Outsourcing is a process by which a specific service or group of services is provided for the agency by a third party through an agreement, e.g. a contract. Typical drivers for outsourcing include cost savings, improved quality, access to specialised skills and other efficiencies.

Impact of legislation on outsourcing
Where an agency relies on outsourced services, appropriate procedures should be in place to manage the associated risks and to ensure all legislative requirements are being met. The public sector agency should be aware that outsourcing does not diminish the responsibilities of the Chief Finance and Accounting Officer (CFAO) and the Accountable Officer for the outsourced function. In summary, a service can be outsourced but the risk cannot.

Direction 2.2(d) and (w) requires annual sign-off that the agency’s:
(i) financial reports are presented fairly;
(ii) risk management, internal compliance and control framework is sound; and
(iii) internal control framework is operating effectively and efficiently.
This is relevant for all functions within an agency, including those outsourced. Direction 3.1.5 also outlines specific requirements for outsourced financial functions. The underlying concepts included in this Direction are relevant to all outsourced services. As stated in Guideline (i) to Direction 3.1.5:

The public sector agency remains responsible for ensuring that the third party provider is meeting the requirements of the FMA, these Directions and any other relevant legislation.

This supplementary material provides guidance on outsourced services in addition to the requirements outlined in Direction 3.1.5 and is relevant to outsourced financial functions as well as other outsourced services.

Spectrum of outsourcing
There is a broad spectrum of models to deliver services. The following table provides an overview of the spectrum of service delivery models: internal delivery, full outsourcing, co-sourcing, insourcing/shared services and selective sourcing.

Internal delivery
Delivery of the service is managed and resourced internally. Third parties may provide discrete products or services.

Full outsourcing
A single contract with a single supplier, usually covering a broad scope of services and needs. This model is typically implemented as a strategic partnership between management and the service provider and is usually put in place for the long term.

Co-sourcing
Responsibility for delivery of the service is split between an outsourcer and internal delivery. This model often involves an internal delivery team working with the outsourcer as a single group.

Insourcing/shared services (note 38)
Insourcing or shared services disconnect a service from the organisation via a separate business unit. The business unit is usually set up with its own profit/loss statement. An agreement such as a Service Level Agreement (SLA) is commonly in place to govern the provision of the service and payment levels. The underlying concept is to run the separate unit like a business and emulate outsourcing services and pricing.
The benefits of this type of arrangement are that organisations can achieve consolidation, integration and standardisation while maintaining direct control of the service provider and openness to changing market options.

Selective sourcing
Multiple contracts are set up with multiple suppliers. This type of arrangement is common in the public sector. This model is often implemented when the sourcing strategy is undefined and there is a variety of service delivery options. Benefits of this type of outsourcing model include the ability to leverage the market’s best capabilities in a very competitive environment. Innovation is available and ‘switching costs’ are typically minimal. When managed effectively, agility, flexibility and scalability are readily available.

38 Whilst the supplementary material can be applied to a shared services function, it does not address the additional organisational and other aspects that need to be considered when establishing a shared service function.

Outsourcing lifecycle
An inherent risk of outsourcing is that the intended benefits are not realised, be they cost, quality or other benefits. The typical outsourcing lifecycle is outlined in the steps below, with further detail for each step provided in the form of checklists. The checklists provide information to assist with mitigating the risk of benefits not being realised, covering the end-to-end lifecycle of an outsourced function from strategy and approach through to termination.

Steps within an outsourcing lifecycle
1. Strategy and approach
2. Requirements and selection
3. Negotiation and agreement
4. Transition and implementation
5. Maintenance and management
6. Realisation of benefits
7. Amendment or termination

Step 1.
Strategy and approach
Prior to embarking on a decision to outsource a business process, it is important to have a full understanding of the business drivers for considering outsourcing, i.e. the business reasons for outsourcing the function and how they align to the agency’s strategy. The following aspects should be considered:

1.0 Strategy and approach

1.1 Understand, define and document business drivers and intended benefits. Consider:
- improved service quality;
- cost savings;
- software fees and maintenance charges;
- hardware capital costs, leases and maintenance charges;
- fixed cost, flexibility (e.g. additional capacity available);
- clarity of accountability;
- access to wider skill base;
- staff costs;
- freeing up existing staff; and
- enabler of change.
Verify that the drivers align with the business strategy and overall objectives.

1.2 Define outsource components. Consider:
- clearly defined scope of services to be outsourced:
  – clearly state the business functions and processes to be outsourced;
  – define parts to be retained in-house and ongoing in-house responsibilities; and
  – specify exclusions to reduce risk of ambiguity;
- classification of activities, for example:
  – strategic and non-strategic/non-core and core competencies;
- in-house control over strategic direction of the outsourced service; and
- key service level requirements.

1.3 Define Key Success Factors (KSF):
- aligning with identified business drivers defined in 1.1;
- using essential criteria and desirable criteria; and
- categories for KSFs: (a) financial; (b) technical/functional; (c) market; (d) approach; or (e) other, e.g. post implementation, support, HR requirements, time constraints.
1.4 Consider current environment/market place capability, including:
- assessment of what other agencies have done, and whether there is opportunity to achieve synergies of scale;
- areas for improvement in processes/functions/operations;
- review of service delivery options other than outsourcing;
- potential constraints; and
- sources of service and experience of others:
  – technological advances; or
  – regulatory changes.

1.5 Select sourcing options, including:
- internal delivery;
- full outsourcing;
- co-sourcing;
- insourcing/shared services; and
- selective sourcing.

1.6 Understand and clarify risks, considering for example:
- financial risk – cost data used in the selection process is inaccurate and/or lacks firm cost estimates;
- regulatory/legal risk;
- technical risk – the risks associated with continuing the project, e.g. interfacing new systems with legacy systems;
- capability risk – the capability and capacity of the organisation to execute the project and make the necessary changes required;
- benefits risk – the risks affecting the potential achievement of the intended outsourcing benefits and meeting key objectives;
- operational risk – the risk that operations of the agency may be impacted;
- erosion of competitiveness (confidentiality, uniqueness, responsiveness, flexibility);
- loss of in-house skills and understanding;
- level of difficulty and expense to bring back in-house;
- technology stagnation; and
- cost of planning and transition.
Mitigating these risks:
- undertake a thorough risk analysis as part of investment appraisal; and
- ensure risk management activities feature in the implementation plan and ongoing management model.

1.7 Conduct feasibility study/cost benefit analysis to:
- define objectives and project scope;
- identify the options;
- identify costs and benefits;
- complete sensitivity analysis; and
- identify and report on the preferred option.
See also the detailed cost benefit analysis checklist in this material.
1.8 Develop business case (using information from work conducted) to:
- define objectives and scope;
- analyse the current situation and the need for change;
- outline end benefits that can be achieved (e.g. improved efficiency of the new system through reduced costs);
- define measures for the intended benefits;
- describe options and consider:
  – criteria for selecting the preferred solution; and
  – the preferred option;
- provide estimates of establishment and implementation costs;
- estimate ongoing costs and the financial benefits;
- consider qualitative and quantitative evaluation options;
- explain and clarify risks and proposed mitigation strategies;
- develop a proposed timeline and key milestone and decision dates;
- summarise the cost versus benefit versus risk assessment; and
- summarise impacts on agency processes.

1.9 Establish project. Work to be completed includes:
- develop a project plan with key milestones, timeframes, resource requirements etc.;
- establish project governance and procedures:
  – allocate a sponsor responsible for the project plan and delegation to authorise project funding;
  – establish a steering group with responsibility for the project;
  – consider if the project requires a project manager and project team;
  – establish a project tracking, reporting and monitoring process; and
  – ensure strong business representation and buy-in;
- consider whether to leverage a project methodology such as PRINCE2; and
- develop a communications strategy:
  – define stakeholders;
  – identify key messages to be communicated;
  – consider the nature, level and frequency of communication required, e.g. email, newsletter; and
  – integrate with the project plan.

1.10 Assess the maturity of the function to be potentially outsourced.
Consider the following:
- how efficient and effective the function is currently; and
- whether the above assessment has a bearing on the contract price, intended costs/savings or other factors.

Step 2. Requirements and selection
Once a potential outsourcing solution has been identified, the functional and service delivery requirements need to be defined in sufficient detail to enable potential suppliers to submit proposals. The processes involved in this step are outlined below. Agencies will note that internal procurement and purchasing policies form part of this step.

2.0 Requirements and selection

2.1 Prepare statement of requirements. Consider and include:
- a comprehensive request for proposal focused on business issues, business requirements and required benefits;
- potential major contractual issues;
- third-party consents;
- personnel issues;
- conditions for hiring third parties for new services if required; and
- appropriate approval.

2.2 Map requirements to business case (drivers and risks). Ensure drivers and risks have been considered.

2.3 Define selection criteria and weightings. Consider the following:
- skills;
- financial impact;
- service levels;
- flexibility;
- core expertise;
- stability;
- market share;
- cultural compatibility;
- quality service attitude; and
- vertical expertise.

2.4 Issue request for services in accordance with the agency’s internal policy and procedures (and where appropriate, Victorian Government Purchasing Board guidance material (note 39)).

2.5 Evaluate responses, ensuring:
- the defined selection criteria and weightings are used;
- vendor competition continues until the decision is made;
- due diligence, including a best and final offer invitation, is completed; and
- references are checked.

2.6 Select preferred supplier in accordance with the agency’s internal policy and procedures.

2.7 Define basis for proceeding. Communicate to all parties involved the next steps in the process.
2.8 Update project plan and business case.

Step 3. Negotiation and agreement
When finalising the contractual terms for outsourcing, it is particularly important that the agreement covers all the necessary legal aspects and that the Service Level Agreement contains sufficient detail to enable the agency to monitor the adequacy of the services provided. There are also a number of mandatory areas, such as access for audit (internal and external) and business continuity arrangements, that should be addressed. The agency may also consider staffing issues and transition or exit requirements in this step so that they can be included in the agreement where necessary. The checklist identifies some issues to consider in the negotiation and agreement step. These steps should be considered in conjunction with Victorian Government Purchasing Board (VGPB) guidance material and other standard procedures relevant to the agency.

3.0 Negotiation and agreement

3.1 Refine and confirm solution to ensure drivers and risks are addressed.

3.2 Review terms of contractual agreement in accordance with the agency’s internal policy and procedures (and where appropriate, Victorian Government Purchasing Board guidance material). Consider:
- pricing structure;
- confidentiality;
- exclusivity;
- regulatory requirements, e.g. audit access;
- performance reporting;
- management structure;
- deadlock resolution;
- penalty and reward clauses; and
- extension clauses.
39 For more information on Victorian Government Purchasing Board guidance material, please refer to www.vgpb.vic.gov.au

3.3 Define the Service Level Agreement:
- to include service delivery considerations and measures;
- to include information and measures for the assessment of realisation of overall business drivers (benefits realisation);
- ensuring performance measures are SMART:
  – Specific
  – Measurable
  – Action oriented
  – Realistic
  – Time-bound
  Refer to User Guide Standing Direction 4.4 Financial Performance Management and Evaluation for more detail; and
- detailing reporting requirements:
  – content (including regulatory requirements);
  – stakeholders/audiences;
  – timeframes; and
  – frequency.

3.4 Establish agreements (contractual and SLA). Ensure:
- areas of uncertainty have been clarified and defined;
- the best and final offer is included;
- there is flexibility catering for potential changes in the business;
- all parties understand and have accepted the agreement; and
- the business case is approved.

3.5 Include transition, termination and amendment clauses in accordance with the agency’s internal policy and procedures (and where appropriate, Victorian Government Purchasing Board guidance material).

3.6 Assess legal sign-off requirements on the contracts and supporting materials.

Step 4. Transition and implementation
This step is focused on addressing the activities and processes in relation to the implementation and transition of the outsourced service. Most of the information required for this step should have been developed during agreement negotiations, although there will be some issues and circumstances that will not have been included or foreseen. In order to manage transition and implementation effectively, as well as safeguard the agency’s relationship with the service provider, it is important to apply sound project management practices.
Some considerations are outlined below.

4.0 Transition and implementation

4.1 Establish process for managing relationships and staff. Consider:
- nominating a relationship manager;
- agreement on contact point arrangements;
- retaining sufficient in-house staff to manage the agreement; and
- clear and simple procedures.

4.2 Develop implementation plan. Consider:
- human resources issues, e.g. training, change management;
- implementation activities, e.g. data conversion and test environments, with responsibilities identified;
- transferring/assigning contracts and agreements;
- plans for transition of physical, legal and taxation considerations, e.g. buildings, equipment, other assets; and
- due diligence by the supplier to allow detailed planning of the transition by accessing information, e.g. monthly reports, asset register.

4.3 Update business case. Ensure:
- business drivers are fulfilled and risks are mitigated; and
- the agreement with the supplier reflects all requirements, including transition arrangements.

4.4 Prepare handover and undertake transition. Ensure:
- documentation is complete, authorised and signed by both parties;
- work is undertaken in accordance with the implementation plan; and
- milestones are monitored.

4.5 Manage business change arising from implementation. Consider:
- communicating changes throughout the organisation;
- keeping relevant stakeholders updated on progress (positive and negative);
- remaining in-house processes may need to be amended to optimise the change;
- updating the organisational risk profile; and
- other impacts such as:
  – the agency’s employee satisfaction with the services being outsourced;
  – impact on staff structure; and
  – privacy of information and legislative requirements (potential training requirements).

Step 5.
Maintenance and management
It is important to have maintenance and management procedures in place for the outsourced service once it is implemented. The relationship with the outsourced provider needs to be managed proactively to ensure the smooth operation of services. The business process needs to be adequately controlled, monitored and reported on. Any changes should be adequately controlled and implemented, and service should continue at the required quality and cost levels and within agreed timeframes. The checklist below provides an outline for potential management and maintenance processes.

Where the processes or activities outsourced have some impact on the financial management, financial processing or financial statements of an agency, there is a need to obtain specific assurance on the control procedures at the service entity. Even where there is no impact, there may still be a need to obtain assurance over control procedures to enable:
- the agency to ensure the requirements of the FMA, the Directions and any other relevant legislation are being met; and
- the Accountable Officer and CFAO to make the annual statement required under Direction 2.2(d) for public sector agencies, or (w) for government departments.

The primary reason for this is that outsourcing does not diminish the responsibilities and accountabilities of the agency for sound financial management.

5.0 Maintenance and management

5.1 Manage ongoing service delivery. Consider:
- budget, costs, charges;
- relationship management;
- managing risks and planning for contingencies; and
- reporting on the SLA:
  – service delivery;
  – key controls;
  – performance measures;
  – regulatory compliance; and
  – annual review.

5.2 Provide ongoing management and monitoring. Consider:
- implementing customer satisfaction surveys;
- implementing a continuous improvement programme; and
- conducting audits at the supplier’s premises.
5.3 Obtain appropriate levels of assurance, as per Direction 3.1.5(d). Consider requirements for Direction 2.2(d) and (w) sign-off. Note: see the audit scrutiny section in this material for further information.

5.4 Review aspects of the functions retained internally. Consider remaining in-house processes, as they may need to be amended to optimise the change.

5.5 Review outsourcing strategy. Consider:
- periodically assessing whether requirements are still met and amending them where needed; and
- re-tendering regularly.

5.6 Report to demonstrate drivers are met and risks managed.

Step 6. Realisation of benefits
After the outsourcing is operational and the management processes are in place, an assessment of the operational and financial benefits originally intended in the business case should be conducted. The results of the assessment should be communicated and necessary improvements need to be managed and implemented. Outsourcing projects have the potential to fail to deliver the intended benefits because of a lack of focus on post implementation issues. The checklist outlines some ideas for benefits realisation processes.

6.0 Realisation of benefits

6.1 Implement a process to identify, monitor and report against the originally intended benefits as well as other intended benefits identified throughout the process. Consider:
- implementation of a strong reporting and governance framework to keep focus on delivery of benefits;
- operational and financial benefits; and
- regular monitoring of benefits and business drivers, e.g. 6 monthly.

6.2 Review costs and benefits. Conduct an assessment of costs and benefits against the business case to determine whether costs and benefits have been achieved.

6.3 Independent review/assessment/audit.
Consider:
- independent assessment to obtain an impartial review of the implementation;
- benchmarking to confirm costs and benefits are in line with the market;
- obtaining information on potential areas for improvement; and
- assessment frequency to be at least annual.

Step 7. Amendment or termination
Once the outsourced service is implemented and reviewed, some changes may be required that affect the agreement. Alternatively, the agreement may need to be terminated. Potential reasons for termination include reaching the end of a defined agreement term or failure of one of the parties to comply with the terms of the agreement. The process for managing an agreement termination or amendment should be clear and well organised. The checklist provides some suggestions for this.

7.0 Amendment or termination

7.1 Assess options and business case. Include:
- reassessment of current service position;
- review of contract termination provisions;
- calculation of a financial model for termination options;
- a strategy for managing the supplier; and
- update/review of the business case.

7.2 Negotiate term or amend agreement. Include:
- transition activities and associated costs;
- severance costs;
- agreement on contract and financial reconciliation issues;
- resolution of ‘blame’ if termination is due to failure to provide service;
- timeframes for activities, milestones, etc.; and
- resources from both parties.

7.3 Terminate arrangements. Consider:
- planning and executing transition; and
- updating the business case.

Cost benefit analysis
This section provides a cost benefit analysis checklist to assist with the preparation and evaluation of the cost benefit analysis. The use of this checklist will also assist in defining the scope and thoroughness required for the evaluation.

Steps to consider when conducting a Cost Benefit Analysis

Step 1: Define objectives and project scope
- Why is the proposal/project proposed?
- Are the objectives consistent with overall agency objectives and strategies?
- What type of proposal is it? Temporary, permanent or new?
- What is the scope of the proposal?
- Has it been evaluated previously or been subject to other forms of analysis, e.g. risk analysis or value management?
- Is it part of a larger program or strategy?
- What major stakeholders are likely to be impacted – internal and external, public, private, community sectors?
- What consultation was undertaken and how was it done?

Step 2: Identify the options
- What are the options to achieve the objectives?
- What is the base case? (What would happen without the project/proposal?)
- What other relevant information is available? Has this project been undertaken elsewhere? Where was the information sourced? How can it be used?

Step 3: Identify costs and benefits
- What are the capital costs (equipment, facilities, structures, project management, construction, decommissioning etc.)? Over what timeframe? Are refurbishment or system upgrade costs needed?
- What are the recurrent costs – labour, training, maintenance, utilities etc.?
- What are the operating parameters, e.g. levels of service, hours of operation/availability, expectations of growth in use/demand etc.?
- What data may be required for monitoring/reporting?
- Do policies or procedures need to be amended or changed, e.g. security, operations?
- What are the user benefits?
- What are the cost savings (avoidable capital and recurring costs, sale of assets, risk, efficiency, economies of scale, etc.)?
- What are the external costs and benefits?
- How will these costs and benefits be presented? Have you considered a discounted cash flow analysis to present financial cost and benefit information in current dollars?
- Are user comfort and convenience issues a factor?
- How will risk issues be managed?
Step 4: Sensitivity analysis
- Is there a need for sensitivity analysis based on optimistic and pessimistic estimates of costs and benefits?
- Have the values of costs and benefits been adjusted for real price variations over time?
- What is the length of the evaluation period – over how many years was the discounted cash flow analysis undertaken, and is the evaluation period based on the life of the expected outsourcing arrangement?
- What are the major areas of uncertainty and risk in the project? How have these been dealt with, i.e. specific analyses?
- Which assumptions need to be tested?

Step 5: Identify and report on preferred option
- What is the preferred option when the initial evaluation of costs and benefits, sensitivity analysis and all qualitative factors are taken into account?
- Does the risk analysis impact on the outcomes significantly?
- Has a report been prepared that includes:
  – the objectives of the outsourcing strategy and alignment with agency objectives and strategies?
  – a description of the evaluation framework, assumptions and key input data?
  – a description of all the costs and benefits?
  – the assumptions underpinning the evaluation?
  – the evaluation results with cost, sensitivity and qualitative analysis?
  – a comparison of the preferred option with other options?
  – recommendations for the preferred option?

Audit scrutiny of outsourced activities
An agency must ensure effective management of outsourced activities to obtain the required levels of service and maintain compliance with regulatory requirements such as the Standing Directions of the Minister for Finance under the Financial Management Act 1994 (Direction 3.1.5). The Direction requires outsourced financial services to be subject to internal and external audit scrutiny (Direction 3.1.5(d)).
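The discounted cash flow and sensitivity analysis called for in Steps 3 and 4 of the cost benefit analysis checklist above, as an added worked example. This code is not part of the guide; the option names follow the spectrum of outsourcing described earlier, but every figure (establishment cost, annual contract cost, annual benefit, exit cost, discount rate and the optimistic/pessimistic factors) is a constructed assumption for illustration only. Cash flows are expressed relative to the base case (internal delivery), so the base case has a net present value of zero and an option is only worth pursuing where its NPV is positive.

```python
"""Discounted cash flow comparison of sourcing options with sensitivity analysis.

Added example with constructed figures; not taken from the guide. All cash flows are
incremental to the base case (internal delivery), whose NPV is therefore zero.
"""
from __future__ import annotations

from dataclasses import dataclass


def npv(rate: float, cash_flows: list[float]) -> float:
    """Net present value; cash_flows[t] falls at the end of year t (t = 0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


@dataclass(frozen=True)
class SourcingOption:
    name: str
    establishment_cost: float  # one-off planning and transition cost, year 0
    annual_cost: float         # recurrent contract/service cost, years 1..n (assumed firm)
    annual_benefit: float      # quantified savings and benefits, years 1..n
    exit_cost: float           # termination / bring-back-in-house cost, final year

    def cash_flows(self, years: int, transition_factor: float = 1.0,
                   benefit_factor: float = 1.0) -> list[float]:
        """Incremental cash flows with transition costs and benefit realisation scaled.

        transition_factor scales the one-off establishment and exit costs (the
        'cost of planning and transition' risk); benefit_factor scales the annual
        benefit (the 'benefits risk'). The contract price is treated as firm.
        """
        flows = [-self.establishment_cost * transition_factor]
        for year in range(1, years + 1):
            net = self.annual_benefit * benefit_factor - self.annual_cost
            if year == years:
                net -= self.exit_cost * transition_factor
            flows.append(net)
        return flows


# Sensitivity scenarios: (transition cost factor, benefit realisation factor).
# Constructed assumptions: a 30% transition overrun with only 90% of benefits realised
# is the pessimistic case; 10% under budget with 110% of benefits is the optimistic case.
SCENARIOS = {
    "base": (1.0, 1.0),
    "optimistic": (0.9, 1.1),
    "pessimistic": (1.3, 0.9),
}


def evaluate(options: list[SourcingOption], years: int, rate: float,
             scenarios: dict[str, tuple[float, float]] = SCENARIOS) -> dict[str, dict[str, float]]:
    """NPV of every option under every scenario; the base case is always 0.0."""
    results: dict[str, dict[str, float]] = {}
    for scenario, (transition_factor, benefit_factor) in scenarios.items():
        row = {"internal delivery": 0.0}
        for option in options:
            row[option.name] = npv(rate, option.cash_flows(years, transition_factor, benefit_factor))
        results[scenario] = row
    return results


def preferred(results: dict[str, dict[str, float]]) -> dict[str, str]:
    """Option with the highest NPV in each scenario."""
    return {scenario: max(row, key=row.get) for scenario, row in results.items()}


# Constructed option figures (thousands of dollars, say); not from the guide.
OPTIONS = [
    SourcingOption("full outsourcing", establishment_cost=300.0, annual_cost=400.0,
                   annual_benefit=500.0, exit_cost=100.0),
    SourcingOption("selective sourcing", establishment_cost=60.0, annual_cost=470.0,
                   annual_benefit=500.0, exit_cost=20.0),
]

if __name__ == "__main__":
    # Evaluation period matched to an assumed five-year agreement, 7% real discount rate.
    results = evaluate(OPTIONS, years=5, rate=0.07)
    for scenario, row in results.items():
        print(scenario, {name: round(value, 1) for name, value in row.items()})
    print("preferred option per scenario:", preferred(results))
```

With these figures full outsourcing has the highest NPV in the base and optimistic cases, but under the pessimistic assumptions both outsourcing options fall below the base case and internal delivery is preferred. That reversal is the point of running the pessimistic estimate before reporting a preferred option in Step 5: a business case that only shows the base case hides how thin the margin on benefit realisation is.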
An agency should take into account the risk profile of an outsourced activity to determine the nature and extent of information required to be subject to audit scrutiny. The purpose of audit scrutiny is to enable the agency to obtain an appropriate level of assurance that the:
- provider is complying with the agreed terms and conditions (e.g. performance measures and relevant legislation as outlined in the contract or Service Level Agreement);
- controls for activities and processes impacting financial management are efficient and effective, resulting in accurate financial and other relevant information being reported;
- control environment surrounding the outsourced services provided is robust, efficient and effective, enabling complete and accurate processing of underlying transactions and/or data;
- agency’s responsibilities and accountabilities for good governance and sound financial management are not negatively impacted by the outsourced activities; and
- Accountable Officer and CFAO can sign off on the accuracy, effectiveness and efficiency of the financials, internal control and compliance systems and risk management within the agency on an annual basis (as per Direction 2.2(d) and (w)).

How to obtain assurance using internal or external audit
It is strongly recommended that an agency liaise with its own internal and/or external auditors to discuss the best approach to obtaining assurance.
However, the following options are provided for consideration:

Option 1: The outsourced service provider provides assurance through either:
- a publicly available opinion on internal control (usually this will be an opinion in accordance with Australian Auditing Standards that is made available to all customers of the outsourced service provider); or
- an opinion or report specifically designed for the use of the agency (in these instances, a tailored scope of work will typically be requested by the agency, but the work is performed, and the report provided, by the outsourced service provider’s internal or external auditors).

Option 2: The agency arranges for an independent party/auditor to visit the outsourced service provider to obtain assurance (in these instances, the scope of work will be determined by the agency and results will often be reported in a format with which the agency is familiar).

Interpreting the results from audit scrutiny to determine the level of assurance provided
It is strongly recommended that the agency obtain assistance from its internal or external auditors to interpret the information received as a result of audit scrutiny. Factors that need to be considered in interpreting results include, but are not necessarily limited to:
- What type of opinion or report has been issued? Is there reference to an auditing standard? If so, is there an expression of the level of assurance being provided, and are there any limitations on scope referred to? What does the conclusion say?
- What period of time is covered by the opinion or report? Is this consistent with the period of interest to the agency?
- What locations, specific business processes and/or transactions have been reviewed and reported on? Do these cover the full scope of the agency’s activities or transactions provided by the outsourced service provider? If not, are the activities or transactions not covered material or significant to the agency?
- What issues or concerns have been identified?
- What resolution plans has the provider put in place? What is the impact of the identified issues and resolution plans on the agency?

User guide to Standing Direction 3.2
Information technology systems
Including:
3.2.1 Direction requirement 16 – Information technology management
3.2.2 Direction requirement 17 – Information technology operations
3.2.3 Direction requirement 18 – Security
3.2.4 Direction requirement 19 – Development
3.2.5 Direction requirement 20 – Change control

User guide to Standing Direction 3.2.1
Direction requirement 16
Information technology management

Introduction
The Standing Directions of the Minister for Finance have a number of requirements in relation to information technology (IT). Direction 3.2.1 specifically requires an agency to ensure that the direction, strategy and use of information technology is consistent and appropriate for sound financial management. In addition, the Responsible Body must at least annually:
- review the use of information technology for financial management; and
- conduct or review an assessment of information technology risks and their impact on financial management.

This material outlines guidance to assist with compliance with these requirements and includes:
- management and integration of IT within an agency;
- annual IT management reviews;
- use of IT for financial management;
- manual processes and spreadsheets;
- IT risk assessment for financial management; and
- outsourced IT for finance functions.

Management and integration of IT within an agency
The management of IT operations should be integrated into an agency’s day to day business practices and processes. IT operations (and expenditure requirements) should be considered and linked, where relevant, to the agency’s strategic plan, goals and business plans to ensure IT needs are met and appropriately managed.
IT systems and operations with financial management functions should be identified to ensure governance and compliance requirements are monitored and fulfilled.

An agency may establish an IT steering committee to assist with the management of IT operations. An IT steering committee typically:
- comprises representatives from the executive team and the IT division, as well as various areas within the agency, to ensure users are represented. Members are usually from the agency’s management team;
- meets regularly to oversee all IT activities within the agency;
- oversees the resourcing for IT operations across the agency as well as any outsourced IT activities;
- reviews all proposals for IT projects prior to sign-off and oversees the prioritisation of projects, expenditure, resourcing, contract and vendor management (e.g. rollout of a disaster recovery plan, new implementations);
- ensures the IT strategy is implemented and reviewed, taking into account alignment with the business strategy;
- reviews IT policy and procedure documentation for currency and relevance; and
- reviews and resolves IT related risks and issues.

Annual IT management reviews

The purpose of annual IT management reviews is to:
- assess the effectiveness of current technology used for financial management and reporting;
- identify any new or changed technology requirements in relation to financial management;
- monitor the extent to which alternative (i.e. unapproved) technology solutions may be in use across the agency; and
- examine the risks in relation to IT systems supporting the agency’s financial management.

Annual review – use of IT for financial management

The annual review of IT for financial management may be undertaken in a number of forms. Upon reflection, an agency may find that there is a variety of work conducted during the normal course of business that would contribute to a review of IT for financial management. Examples of this may include:
- internal documentation, e.g. memos, reports and emails, that discuss risks/issues associated with financial management and comment on how the risks would be managed, including the technological implications, i.e. whether upgrades or software changes are required; and
- information regarding alternative technologies, databases or spreadsheets being used across the agency to supplement the core finance system. This information could be identified in reports by internal audit or external reviews, e.g. a division of the agency keeps its own spreadsheet to record certain financial transactions and circumvents the main system.

Management response and subsequent actions to these findings form part of the annual review process.

The annual review of IT for financial management should also consider and include:
- any work conducted on business continuity and disaster recovery planning for financial management;
- annual budget and/or corporate planning information which may highlight decisions for new technologies around financial management;
- the resources and skills available to support the IT environment within the agency and whether external support is required;
- the appropriateness and current level of reliance on IT at the agency;
- the control environment surrounding IT systems and operations; and
- the adequacy, impact, management and understanding of changes to financial applications and IT infrastructure (where relevant).

The outcomes of the review should be reported to the Responsible Body and outline:
- current technology for financial management;
- risks and opportunities; and
- actions/changes planned and recommendations (where relevant).

Note: This information could be included in the CFAO’s report on the plan for preparation and finalisation of the financial statements.
Also, an agency may wish to consider including the requirement to monitor the use of technology for financial management in the CFAO’s annual performance plan.

Manual processes and spreadsheets

Manual processes and spreadsheets are a common aspect of many financial management systems and carry higher risks when used outside of the core financial system. An agency should consider the use of manual processes in the annual review of IT for financial management. The checklist below provides some areas for consideration.

Checklist for processes outside the financial management system

| Step | Checklist item | Considered? |
|---|---|---|
| 1 | Identify all spreadsheets, manual processes etc. across the agency. | |
| 2 | Consider whether processes identified in Step 1 capture significant financial transactions, calculations or processes. | |
| 3 | Identify the risks, e.g. the risk of error in the financial management information sourced from processes identified in Step 1. | |
| 4 | Review mitigation and management strategies for the risks, e.g. review of data input and output, use of formulae. | |
| 5 | Review the need for processes identified in Step 1. Consider implementation of formal, automated or system-based processes within existing financial management applications to replace manual processes. | |
| 6 | Report findings, actions, recommendations and mitigation strategies to the Responsible Body as part of the annual review process. | |

Annual review – IT risk assessment

The agency’s annual assessment of IT risks and their impact on financial management should be reported to the Responsible Body. The risk assessment should seek to cover the following areas (where applicable):
- backup, recovery and contingency planning;
- change management;
- delivery, support, operations and procedures;
- physical and logical security;
- planning, organisation and resourcing;
- project management and systems development; and
- strategic IT management.

For further information about IT risk management refer to:
- Standards Australia – security risk management documentation; and
- Government services group on the Department of Treasury and Finance website (www.dtf.vic.gov.au).

Outsourced/shared IT services

Where IT services and/or operations are outsourced, co-sourced or shared etc., the agency needs to seek an annual assessment of the services/operations from the provider to ensure this Direction and the specific requirements are met. The assessment should be documented and provided to the Responsible Body. The agency is responsible for the implementation of this Direction in relation to IT for financial management irrespective of the provider. That is, if the provider is another agency or department, the documented assessment is still to be submitted to the Responsible Body. For further information refer to the User Guide for Direction 3.1.5 – Outsourcing governance.

User guide to Standing Direction 3.2.2
Direction requirement 17
Information technology operations

Introduction

The Standing Directions of the Minister for Finance (the Directions) require that agencies strongly support financial management systems, with particular requirements for disaster recovery and business continuity management. These requirements are outlined under Direction 3.2.2 Procedure (a) and include:
- formal assessment, at least annually, of the impact of financial management systems not being available for an extended period; and
- review and testing of a formally documented disaster recovery plan and business continuity plan.

This supplementary material has been developed to assist public sector agencies in developing and implementing their own business continuity and disaster recovery plans.
This supplementary material includes the following information:
- understanding business continuity;
- understanding disaster recovery;
- developing business continuity and disaster recovery plans;
- business continuity and disaster recovery plan methodology:
  – scoping – definition and awareness;
  – business impact analysis;
  – strategy selection and evaluation;
  – plan development and documentation;
  – implementation and testing; and
  – maintenance and update; and
- Attachment 1 – template for a business continuity and disaster recovery plan.

Understanding business continuity

Business continuity is a state where the agency’s critical functions and operations continue with minimal interruption in the event of a disruption. Examples of disruptions include natural disasters, human error, and loss of resources and/or suppliers.

Business continuity management (BCM) is an integrated approach that includes policies, standards and procedures for ensuring operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption.

Business continuity plans (BCPs) are a component of BCM. They are documented contingency plans that outline the actions and methods required to recover agency operations from particular disruptions.

The development of the business continuity plan follows a methodology that identifies critical business processes, activities and related risks to ensure the continuity of business operations in the event of a disruption. The methodology also proactively aims to minimise risks and potential losses. The implementation of a developed plan should reduce the time spent in the contingency or recovery phase in the case of a disruptive event.

Understanding disaster recovery

Disaster recovery focuses on the recovery of the information technology (IT) systems infrastructure used to support an agency’s operations in the event of a disruption (to one or more systems for a period of time). A disaster recovery plan (DRP) specifically documents the technical recovery procedures to be implemented to regain critical IT systems and/or components so that an agency’s operations can continue. Disaster recovery plans are referred to in business continuity plans as a part of the complete recovery of an agency’s operations.

Developing business continuity and disaster recovery plans

This material provides an outline of the methodology used to develop business continuity and disaster recovery plans, as well as an example template to document the plans (see Attachment 1). As business continuity and disaster recovery requirements differ between agencies, this material should only be used as a guide. The information can be tailored to suit an agency’s needs, size and operational type.

For further information about disaster recovery and business continuity capability refer to the government services group on the Department of Treasury and Finance website (www.dtf.vic.gov.au).

Business continuity and disaster recovery planning methodology

The typical methodology for developing business continuity and disaster recovery plans is outlined in Figure 1, with further detail for each step provided in the form of checklists. This methodology can be used for business continuity and disaster recovery planning across all functions within an agency. The requirements of the Financial Management Compliance Framework (FMCF), however, focus solely on information technology operations that support financial management.
This methodology aims to assist public sector agencies in implementing an effective business continuity and disaster recovery capability, with a focus on:
- engaging the appropriate stakeholders;
- documenting a Business Impact Analysis (BIA) with a focus on critical business activities. Under the FMCF, the focus will be on those that have an impact on financial management;
- identifying risk reduction measures and selecting recovery strategies;
- documenting continuity and recovery plans as appropriate to the agency’s requirements; and
- testing continuity and recovery solutions and plans, and training relevant staff in recovery processes.

The methodology used to develop a BCP is similar to that required for a DRP, as the checklists outlined in this material indicate. When preparing the plans it is advisable to develop them separately to ensure all steps are implemented.

Figure 1 – Steps within a business continuity and disaster recovery planning methodology (the diagram shows the following cycle):
1. Scoping
2. Business impact analysis
3. Strategy selection and evaluation
4. Plan development and documentation
5. Implementation and testing
6. Maintenance and update

Step 1. Scoping – definition and awareness

The first step in the development of a BCP and/or DRP is to define the objectives and scope and understand the timelines, assumptions, resource allocation and milestones for the project. The following outlines the details to be considered in this step.

Example tasks (BCP and DRP):
- Identify key stakeholders.
- Organise a briefing session.
- Ensure the staff involved in documenting the BCP and DRP have the appropriate:
  – skills; and
  – knowledge of the organisation and functional areas.
- Assign responsibilities for plan ownership and administration, including plan testing and maintenance activities.
- Assign responsibilities for collaborative plan development with process/activity owners.
- Assign responsibilities for collaborative plan development with IT personnel and, where possible, functional area representatives.
- Develop and document project objectives.
- Develop draft BCP and DRP assumptions (these may need to be revisited as the plan develops).
- Define in-scope and out-of-scope activities.
- Obtain a current copy of the organisation chart.
- Obtain a current copy of the organisational structure for the IT department/division.
- Review existing BCP and DRP documentation (where available) and assess the relevance/opportunity for integration with existing arrangements, responsibilities and recovery strategies.
- Define timelines and milestones and assign adequate resources for the BCP and DRP activities.

Step 2. Business impact analysis

A business impact analysis (BIA) identifies and measures (quantitatively and qualitatively) the business impact or loss of business processes in the event of a disruption. It also defines recovery priorities as the critical business processes and activities are identified. BIAs analyse and evaluate the impact and probability of failures of critical business processes. The results of a BIA are crucial to the development of a BCP and DRP. The tasks outlined below provide high level detail of what is required to complete a BIA.

Example tasks (BIA):
- Identify key business processes and activities.
- For each business process and activity, identify dependencies, such as Information Technology (IT), resources, other activities, locations, other.
- For each business process and activity, identify critical time periods, i.e. daily, end of week, month-end, quarter-end, year-end, other.
- For each business process and activity, identify potential failure events or disaster scenarios, i.e. describe how the activity is able to fail.
- For each business process and activity, rate the impact of not having the business process and activity available.
- For each business process and activity, identify the remaining impact and maximum tolerable outage[40] to be addressed.
- For each business process and activity, identify controls to prevent an event from occurring.

Step 3. Strategy selection and evaluation

This step defines the recovery strategies for the critical processes and systems identified in the BIA that require continuity planning. The strategies provide actions to deal efficiently with the impacts of business interruption. Recovery strategies are pre-defined, pre-tested, management-approved actions that are employed in response to a business disruption, interruption or disaster. The tasks below should be considered when developing recovery strategies for BCPs and DRPs.

Example tasks (BCP and DRP):
- Identify recovery strategies, including approach, escalation plan process and decision points.
- Identify recovery strategies specifically related to IT systems, including approach, escalation plan process and decision points.
- Ensure the recovery strategies are cost effective and meet agreed maximum acceptable outage requirements.
- Implement proposed response strategies and solutions.

[40] Maximum Tolerable Outage (MTO) – the maximum period of time that critical business processes can operate before the loss of critical resources affects their operations.

Step 4. Plan documentation

This step results in the documentation of the plans.

Example tasks (BCP and DRP):
1. Document the BCP and the DRP.[41]
2. Identify systems/applications/infrastructure which may require more detailed policies and procedures. Document as necessary.
3. Approval and endorsement of the BCP and DRP.

[41] Attachment 1 provides an example template for the documentation of a BCP and DRP.

Step 5. Implementation and testing

Regular testing of continuity and disaster recovery plans is one of the most important aspects of successful business continuity. Plans should be tested at least once a year to ensure they are kept up to date, new systems and processes are included, and staff are familiar with their individual roles and responsibilities. Consideration could be given to testing the BCP and the DRP at the same time. Testing validates the usability of contingency and recovery plans and identifies changes.

Example tasks (BCP and DRP):
- Determine the testing approach to be followed (approaches documented within the BCP and DRP).
- Hold a testing briefing with all participants.
- Test developed plans following the adopted approach.
- Undertake a testing debrief. This process will identify gaps/additional needs in the current plans.
- Incorporate necessary changes into the BCP and DRP.
- Publish and distribute final copies of the BCP and DRP to responsible parties.

Step 6. Maintenance and update

To ensure plans are current and up to date with an agency’s systems and processes, they should be reviewed and updated on a regular basis. This will help to ensure that the contingency and recovery measures remain current and accurate. Annual testing programs will assist in identifying areas within the plan that require maintenance and update. Some considerations for this step are outlined below.

Example tasks (BCP):
- During the updates, at a minimum, the following details must be checked:
  – business processes;
  – criticality of assessed processes and elements;
  – third-party interfaces;
  – organisation structure;
  – responsible persons assigned to carry out tasks;
  – deadlines; and
  – appendices, including contact lists.
Example tasks (DRP):
- Ensure IT change management procedures include the requirement to consider IT DRP arrangements and backup strategies.
- During the updates, at a minimum, the following details must be checked:
  – criticality of assessed IT systems/applications/infrastructure;
  – changes in IT systems/applications/infrastructure;
  – IT organisation structure;
  – responsible persons assigned to carry out tasks;
  – deadlines; and
  – appendices, including contact lists.

Attachment 1
Template for a business continuity and disaster recovery plan

User note: This template is generic and therefore does not use terminology that is restricted to business continuity planning for financial management purposes.

<Insert organisation name>
<Insert site name> business continuity and disaster recovery plan

Organisation address: <Insert address>

Contents:
- Purpose and objectives
  – objective
  – scope
  – out of scope
- Contingency strategy
  – overview of contingency strategy
  – recovery team structure
- Fast action summary checklist
- Business continuity recovery procedures
  – <Insert system/application/infrastructure name>
  – <Insert system/application/infrastructure name>
- Disaster recovery tasks
  – <Insert system/application/infrastructure name>
  – <Insert system/application/infrastructure name>
- Testing and maintenance procedures
- Appendix 1 BIA findings and conclusions

Version control

| Version # | Updated | Author | Changes |
|---|---|---|---|
| 1.0 | <insert date> | <Insert author> | <Insert changes made> |

Purpose and objectives

Objective

The objective of this business continuity plan (BCP)[42] and disaster recovery plan (DRP)[43] is to provide guidance to <insert organisation name> management for the restoration of facilities, critical business processes and Information Technology (IT) facilities by defining, at a high level, the recovery procedures required to continue/restore core services in the event of a disaster. This plan describes the organisational framework and procedures to be activated in the event of a disaster occurring, to enable recovery of the services provided to <Insert organisation name>’s customers, including the public, and the relevant business units supporting these services.

Scope

This plan is confined to the main business processes of the following business units:
<Insert applicable business units>

Out of scope

The following are not considered by this plan:
<Insert any relevant exclusions, such as non-critical business functions, separate incident plans, non-financial business processes and activities>

Contingency strategy

Overview of contingency strategy

The contingency strategy aims to recover operations with minimal, if any, impact on the services supplied to our customers. The contingency strategy focuses on resolving issues relating to information technology, suppliers and service factors for services offered to <insert organisation name> customers and, where appropriate, the public. Specifically, the contingency strategy focuses on:
- immediate welfare of staff employed at the service site;
- assessing the workload requirements for business unit(s);
- establishing priorities for, and allocating the use of, technological and human resources;
- delegating responsibilities for critical recovery procedures of each functional service area;
- overall control of recovering operations; and
- communicating the status of the event to customer representatives, management and alternate sites.

[42] A BCP describes the methods and procedures required to recover business operations from particular disaster scenarios or events.
[43] The DRP focuses on the recovery of IT systems infrastructure to support the recovery of the business. The DRP is a subset of the BCP and outlines separate recovery procedures defined by the IT team for the technical recovery of IT systems or components to support the business operations.
Recovery team structure

The recovery team structure is critical to the success of the recovery process. It consists of a combination of representatives for the recovery of service and business units at <insert organisation name>. Key roles and responsibilities are as follows:

| Role | Name | Contact details | Alternate contact | Alternate contact details |
|---|---|---|---|---|
| <insert role> | <insert name> | <insert details> | <insert name> | <insert details> |

Fast action summary checklist

The initial response procedures are critical to efficiently managing a disaster scenario and reducing the impact on business operations at <insert site(s)>. The following key tasks are required to be completed and are used as the trigger for the initial response to the relevant disaster scenario. The following table acts as a checklist to ensure all relevant activities have been performed within the required time frames.

| Ref | Example activities | Responsibility | Required timeframe | Sign-off |
|---|---|---|---|---|
| 1 | Notify recovery team leader of the incident, including: time of incident; and manner in which incident was identified. | | Immediate upon identification of incident | |
| 2 | Liaise with Police, Fire Brigade or Ambulance services (where appropriate). | | Every 5-15 minutes | |
| 3 | Conduct initial assessment of incident and determine severity. | | 1-5 minutes of incident | |
| 4 | Notify First Aid/Occupational Health and Safety or Human Resource Officers of incident to ensure adequate attention is provided to employees impacted by the event. | | 2-5 minutes of incident | |
| 5 | Notify security (if loss of facilities is the incident) to distribute additional security to the affected <insert organisation name> area. | | 2-5 minutes of incident | |
| 6 | Notify recovery team members of severity. | | 15 minutes of incident | |
| 7 | Determine availability of: backup data for recovery of IT systems; access to customer data delivered prior to the incident; receiving and processing data by alternate means; and redirecting service to alternate site. | | 15-20 minutes of incident | |
| 8 | Contact back up facilities as necessary. | | 15-20 minutes of incident | |
| 9 | Determine if incident is likely to publicly impact <insert organisation name>. | | 45 minutes of incident | |
| 10 | Assess the need to release a communications briefing and release as determined appropriate. | | 60 minutes of incident | |
| 11 | Monitor and review the detailed recovery procedures relevant to the service and scenario. | | Continuously | |

Business continuity recovery procedures

The following high level recovery procedures are to be completed for each critical business process (as identified during the Business Impact Analysis, see Appendix 1) if <insert organisation name> cannot operate at normal capacity; this may be due to loss of site, loss of key personnel, loss of IT systems, loss of suppliers, etc.

<Insert system/application/infrastructure name>

The <Insert system/application/infrastructure name> recovery tasks are outlined below.

| Period[44] | Task requirement | Responsibility | Sign-off |
|---|---|---|---|
| 0-2 hours | <Insert> | <Insert> | |
| 2-4 hours | <Insert> | <Insert> | |
| etc. | | | |

[44] These represent the time frames after the initial incident was identified. The period indicates that the task requirements are required to be completed during the time frame indicated for the period.

<Insert system/application/infrastructure name>

[Repeat as per 4.1 for each critical system/application/infrastructure to be covered.] The <insert system/application/infrastructure name> recovery tasks are outlined below.

Disaster recovery tasks

<Insert system/application/infrastructure name>

[Repeat for each critical system/application/infrastructure to be covered.] The <insert system/application/infrastructure name> recovery tasks are outlined below.

Objectives
<Insert objectives for the recovery of the system/application/infrastructure, including the required recovery timeframe (i.e. maximum tolerable outage)>

Pre-conditions
<Insert any pre-conditions here. For example, where a system or application recovery depends on the recovery of infrastructure, make reference here>

Supporting documentation
<Insert any supporting documentation here. For example, if detailed policies and procedures have already been documented elsewhere, do not repeat this information; rather, refer to the documentation and ensure it is appropriately accessible>

| Task | Task requirement | Responsibility | Sign-off |
|---|---|---|---|
| 1 | [Document the tasks required to enable the IT department (or other party as required) to recover the critical system/application/infrastructure in the required timeframe. The tasks should include the acquisition of computer hardware and communications equipment, installation of system software and/or application from original CD, retrieval and loading of backup tapes, reference to security standards to be implemented, etc.] | | |
| 2 | | | |

<Insert system/application/infrastructure name>

[Repeat as per 5.1 for each critical system/application/infrastructure to be covered]

Testing and maintenance procedures

Testing and maintenance of the BCP and DRP is critical to ensuring that the planned procedures remain both relevant and reliable for use in the event of a disaster. The document owner is responsible for updating the document to ensure that it accurately reflects the customer services provided, contact listing details and additional references that may change from time to time. The schedule below depicts the anticipated time frames in which testing, and subsequently maintenance, will be performed.
| Section within the BCP/DRP | Testing conducted |
|---|---|
| Recovery procedures | |
| Business continuity recovery procedures | Annually |
| Disaster recovery tasks | Annually |
| Example appendices | |
| Appendix 1 – Business Impact Analysis | Annually |
| Appendix 2 – Software and Application Contacts | Annually |
| Appendix 3 – Required Information/Data Locations | Annually |
| Appendix 4 – Internal Telephone Directory | Semi-annually |
| Appendix 5 – External Suppliers’ Contact List | Semi-annually |

Appendix 1. BIA findings and conclusions

Based on the workshops held as part of this BIA and the questionnaires completed, <insert number> business activities and <insert number> instances where a failure event would have an impact on <insert organisation name> operations were identified. A breakdown by functional area is outlined below.

| Business process | Business activity | Event failure | Dependencies – IT system/software/supplier/3rd party/PPE | MTO (hrs) |
|---|---|---|---|---|
| <Functional area name> | | | | |
| <Functional area name> | | | | |
| <Functional area name> | | | | |

User guide to Standing Direction 3.2.3
Direction requirement 18
Security

Introduction

The Standing Directions of the Minister for Finance require that an agency’s financial management system has an appropriate level of security in place that allows only authorised access to transactions (Direction 3.2.2, Direction Requirement 18). The Direction requires an annual formal assessment of the security and controls surrounding financial management information that is sensitive to the agency and stakeholders. The assessment must consider the adequacy of the following controls:
- security policies;
- password controls, for both applications and operating platforms;
- segregation of duties;
- user access levels in line with roles and responsibilities; and
- restricted physical access to the computer room and other sensitive financial management technology assets.
This material provides guidance in relation to different aspects of information technology (IT) security.

Basic IT security governance and controls

The governance structure for IT security should be outlined in a detailed policy that:
- is approved by management and annually reviewed for currency and validity;
- is based on clearly defined business and regulatory requirements and supports relevant standards and procedures;
- ensures establishment of acceptable information risks, including the agency’s risk appetite;
- ensures impact reduction is implemented through the use of control measures, i.e. the agency’s ability to prevent, detect and recover from an incident;
- requires regular monitoring and reporting of information security issues/events; and
- is regularly communicated across the agency.

The IT security controls to be implemented as a minimum across all agencies are listed below:
- implement mandatory passwords for individuals, with a password composition that resists guessing, e.g. contains numbers and letters;
- maintain a user listing to monitor all login IDs (active and inactive);
- implement procedures to revoke access to the IT network and deactivate login IDs on termination;
- ensure user access rights are restricted to those processing functions and data files required for the users’ normal duties, and enforce an appropriate level of segregation of duties;
- ensure network servers are protected from hazardous operations, and that fire detection and extinguishing equipment is nearby;
- ensure operations personnel restrict and monitor visitor access to terminals;
- ensure IT equipment is physically tagged, inventoried periodically, and reconciled to the general ledger; and
- ensure software licences are current and compliant, and software is updated with relevant security patches.
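As an added example (not part of this guide or the Department’s material), the following Python script audits a constructed finance-system user listing against the minimum controls above, using the thresholds the good-practice checklist gives for logon failures (three) and inactivity (two months); the export layout, field names and the conflicting-role pairs are assumptions.

```python
"""Audit of a finance-system user listing against the minimum IT security controls.

Added example, not part of the guide: it reads a (constructed) export of login IDs
and flags the conditions the listed controls are meant to catch: login IDs left
enabled after termination, IDs inactive beyond the two-month window the
good-practice checklist suggests, IDs that have reached the three-failed-logon
lockout threshold without being disabled, and users holding role combinations
that breach segregation of duties. Export layout, field names and the
conflicting-role pairs are assumptions made for the example.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Thresholds taken from the good-practice checklist in this guide.
INACTIVITY_LIMIT = timedelta(days=61)   # "a set period of inactivity (usually two months)"
MAX_FAILED_LOGONS = 3                   # "a prescribed number of logon failures (usually three)"

# Role pairs one login ID should never hold together. Constructed for the example;
# an agency would derive its own pairs from its segregation-of-duties matrix.
CONFLICTING_ROLES = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
]

# Constructed export: HR status joined to the finance system's user listing.
SAMPLE_LISTING = """login_id,hr_status,enabled,last_logon,failed_logons,roles
jsmith,active,Y,2013-08-12,0,enter_journal
mlee,terminated,Y,2013-06-30,0,create_vendor;approve_payment
rkhan,active,Y,2013-04-02,1,approve_payment
tnguyen,active,Y,2013-08-10,3,enter_journal;post_journal
svcbatch,active,N,,0,post_journal
"""


@dataclass
class Account:
    login_id: str
    hr_status: str                  # "active" or "terminated" per the HR record
    enabled: bool                   # whether the login ID is enabled in the finance system
    last_logon: Optional[date]      # None if the ID has never logged on
    failed_logons: int              # consecutive failed logon attempts recorded
    roles: Set[str] = field(default_factory=set)


def parse_listing(text: str) -> List[Account]:
    """Parse the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            login_id=row["login_id"],
            hr_status=row["hr_status"].strip().lower(),
            enabled=row["enabled"].strip().upper() == "Y",
            last_logon=date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            failed_logons=int(row["failed_logons"] or 0),
            roles={r for r in row["roles"].split(";") if r},
        ))
    return accounts


def audit_account(acct: Account, as_of: date) -> List[str]:
    """Return the control exceptions for one login ID (empty list if clean)."""
    findings = []
    if acct.hr_status == "terminated" and acct.enabled:
        findings.append("terminated-still-enabled")
    if acct.enabled:
        # Disabled IDs are already dealt with; only live IDs are tested for inactivity and lockout.
        if acct.last_logon is None or as_of - acct.last_logon > INACTIVITY_LIMIT:
            findings.append("inactive-not-disabled")
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            findings.append("lockout-threshold-reached")
    for pair in CONFLICTING_ROLES:
        if pair <= acct.roles:
            findings.append("sod-conflict:" + "+".join(sorted(pair)))
    return findings


def audit_listing(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Map each login ID with at least one exception to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[acct.login_id] = findings
    return report


def run_sample_audit(as_of: date = date(2013, 8, 15)) -> Dict[str, List[str]]:
    """Run the audit over the constructed listing as at the given date."""
    return audit_listing(parse_listing(SAMPLE_LISTING), as_of)


if __name__ == "__main__":
    for login_id, findings in run_sample_audit().items():
        print(f"{login_id}: {', '.join(findings)}")
```

The report is the evidence an annual assessment would attach for the password, user listing, termination and segregation-of-duties controls; the disabled service account is deliberately not flagged for inactivity.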
Good practice IT security
There are a number of elements to an IT security framework that take into account physical, logical, environmental and technological issues. The following checklist outlines the elements within an IT security framework that should be considered for good practice.

Examples of potential IT security elements | Considered

Logical security
- automatic disabling of access and logon after:
  – a prescribed number of logon failures (usually three); and
  – a set period of inactivity (usually two months).
- revoke logon access upon employee termination or relocation;
- user access rights are restricted to processing functions and data files required for the users’ normal duties;
- approval required for changes to user access rights, with proof of approval retained for audit trail requirements;
- regular review of user access rights for propriety to ensure they are in line with position requirements, etc. (e.g. biannual review); and
- individual password controls requiring:
  – minimum length (generally between six and eight characters);
  – password composition designed to prevent guessing (for example alpha and numeric characters);
  – maximum three attempts before lockout;
  – minimum 12 previous passwords stored; and
  – intruder lockout set at 120 minutes.

Physical security
- physical security perimeters are clearly defined;
- regular review of access to sensitive areas, ensuring access is revoked when no longer required;
- physical security controls are typically:
  – operations personnel restrict and monitor visitor access to areas containing sensitive information or assets;
  – computer equipment is physically tagged, inventoried periodically, and reconciled to the general ledger;
  – commercial software on computers and PCs is licensed;
  – servers are stored in secure cabinets; and
  – access to the computer room is restricted at all times (e.g. lock and key).
- regular testing of physical security controls (alarms, locks etc.).
Environmental security
Typical environmental controls for IT server rooms include:
- uninterruptible power supply;
- raised floors;
- air-conditioning that is separate to the building and ensures constancy; and
- fire suppression system.

Cryptographic controls
- encryption of sensitive information while it is stored/at rest or being transmitted over open or public networks.

Vulnerability management
- installation of anti-virus programs to protect sensitive information and programs and to prevent, detect and remove malicious programs;
- sensitive information systems are regularly checked for compliance with security implementation standards, e.g. through penetration testing;
- regular review to ensure security patches are installed and up to date; and
- logging and active monitoring of security events.

For further guidance on information security refer to:
- Information Systems Audit and Control Association (www.isaca.org.au);
- Standards Australia – Security Risk Management documentation;
- the Department of Treasury and Finance website (www.dtf.vic.gov.au); and
- Best Management Practice (www.best-management-practice.com).

User guide to Standing Direction 3.2.4
Direction requirement 19
Development

Introduction
The Standing Directions of the Minister for Finance (the Directions) require the CFAO of an agency to regularly review developments in financial management systems to ensure appropriate technological support for financial management practices.
The specific requirements include:
- implementation of a formal methodology for information technology (IT) development in relation to financial management systems and technology;
- developments to IT systems impacting financial management:
  – must have a business case approved by the IT steering committee (or Responsible Body or Executive Team) and end user representatives prior to project commencement; and
  – must follow project management practices.
  Note: see user guide for Direction 3.2.1 IT management for further information about IT steering committees.
- annual review of manual financial processes, including the use of spreadsheets, to assess whether automated systems are available.
  Note: see user guide for Direction 3.2.1 IT management for further information about manual processes and spreadsheets.

This supplementary material outlines guidance in relation to:
- IT development methodology;
- key steps within an IT development methodology; and
- project management:
  – project scope;
  – project governance;
  – project steering committee; and
  – project stages.

IT development methodology
Potential steps for an IT development methodology are outlined in the diagram below, with further detail for each step provided in the form of checklists. This methodology can be used for IT development projects across all functions within an agency. The requirements of the Financial Management Compliance Framework (FMCF), however, solely focus on information technology operations that support financial management.

[Diagram: the three phases of the IT development methodology]
1. Design: a. initiate and plan; b. specify and design
2. Develop: a. build; b. integration testing
3. Deliver: a. implement; b. operate

Packaged/off the shelf products
Where an off the shelf product is being implemented, agencies should follow the three phases of the IT development methodology to ensure the chosen product:
- fits requirements as defined in the design phase;
- is modified and integrated as defined in the develop phase, e.g. developing reports and customising terminology structure, etc.; and
- is implemented and operational as per the delivery phase.
It is recommended that customisations for off the shelf products are kept to a minimum to ensure the integrity of the product is maintained.

Key steps within an IT development methodology
The following table outlines the key steps in an IT development methodology which should be considered.

1. Design

1.a Initiate and plan
- Identify business requirement.
- Define project requirements/scope.
- Develop business case* for IT Steering Committee (or Responsible Body) approval, as per Direction requirements, outlining:
  – cost benefit analysis (see user guide for Direction 3.1.5 Outsourcing for a detailed checklist);
  – approach for the development;
  – defined measures for the development;
  – proposed budget; and
  – key risks and mitigation strategies (for more detail see user guide for Direction 3.1.5 Outsourcing, Step 1.8).
- Establish the project (for more detail see user guide for Direction 3.1.5 Outsourcing, Step 1.9):
  – implement project management practices as per Direction requirement; and
  – establish project steering committee (see ‘Steering Committee’ below for further detail).
- Secure and plan resources for the project.
- Define security requirements, i.e. the impact of the development on the existing security environment.

1.b Specify and design
- Analyse requirements and develop detailed functional specifications that include user needs analysis.
- Develop detailed systems design document outlining how functionality is to be delivered.
- Design testing requirements/cases/procedures based on specifications.
- Finalise and formalise approvals (with IT steering committee, project committee, etc.) for all relevant project documentation, including specifications and contracts.

2. Develop

2.a Build
- Produce hardware and executable software based on specifications, e.g. databases, coding, programs compiled and refined, systems acquired and installed.
- Develop environment for testing.
- Conduct initial testing of software and hardware as it is assembled and integrated.

2.b Integration testing
- Complete testing of requirements using test data in the test environment to ensure conformance with detailed functional specifications.
- Complete User Acceptance Testing (UAT) to ensure the specification, privacy, security and other mandated requirements are met.

3. Deliver

3.a Implement
- Resolve test issues.
- Sign-off of test results and issue resolutions prior to ‘go-live’.
- Install the system for operation in the production environment:
  – sign-off data migration/conversion; and
  – user groups are installed with segregated duties.

3.b Operate
- System is operational.
- Finalise system documentation:
  – procedures to operate and maintain the system; and
  – user guides/manuals.
- Conduct post-implementation review after the production environment has stabilised, using key metrics to measure impact and success.
- Monitor continued system performance in accordance with user requirements.
- Incorporate system modifications as/when required.

Project management processes
Project management is the combination of resources, tools and processes used to manage a project successfully.

Project scope
Projects vary in size and complexity and involve change that affects a combination of areas within an organisation, e.g. people, policies, technology, structure and work practices.
Projects have:
- a finite and defined life span;
- defined and measurable deliverables;
- a corresponding set of activities to achieve the required outcome;
- a defined amount of resources; and
- a governance structure to manage the project, e.g. project manager, working group, project board/steering committee.

Project governance
Well defined and implemented project governance assists a successful outcome for a project. Project governance structures are used to:
- resolve issues that arise;
- consider recommendations on project deliverables;
- agree/approve changes to a project’s scope, timelines or budget; and
- ensure the documentation trail for the project is maintained, e.g. approvals, changes, etc.
Without a rigorous approach to governance, projects can experience scope creep, poorly defined requirements, and timeline and budget overruns.

Project steering committee
When defining the governance structure for a project, an agency may decide to establish a project steering committee for projects of a particular size and/or complexity. The project steering committee would work with the IT steering committee and other parts of the governance structure, such as the executive team and Responsible Body. Substantial consultation with all parts of the governance structure usually occurs at the beginning of a project and then declines once the project is underway; even so, the governance structures remain active throughout the project’s life.

The project steering committee should:
- have a clear and well defined role that is formalised/documented in the form of a charter or terms of reference;
- meet at least every two months;
- approve the business case and the project initiation and project close phases;
  Note: The business case should also be approved by the IT Steering Committee for IT development projects.
- approve the request for tender and tender decision;
  Note: The tender decision should also be approved by the Responsible Body and/or relevant delegate.
- monitor the project’s progression as well as any changes (within approved delegations);
- provide direction and resolution of issues and risks;
- provide advice, updates and referrals (as required) to the Responsible Body or relevant delegate;
- communicate project outcomes, benefits, changes, etc.; and
- facilitate change management programs required as a result of the project.

Project stages
Agencies should have project management methodologies that are specific to their organisation, as required by Direction 3.2.4(d). The checklist below can be used as a high level guide to project management across the four phases of a project.

Potential project management steps to consider during a project | Considered?

Phase A: Initiation
- Is the project scoped and defined?
- Has the business case been developed?
  Note: consider financial implications in relation to the objective and need for the project.
- Is the project in line with the strategic plan?
- Has the project received sign off by sponsor, IT steering committee, Responsible Body or delegate, etc.?

Phase B: Planning
- Are governance structures/levels of authority for the project clear?
- Are roles/resources appropriate, explicit and documented?
- Has the project steering committee been appointed?
- Have risks been assessed with an action to mitigate/monitor them?
- Has an implementation plan with schedules and phases been developed?
- Have the project quality/cost/time drivers been identified?
- Have clear project control/reporting procedures been established?
- Are tools to manage the project being used, e.g. monitoring milestones using Gantt charts?
- Has the critical path for the project been identified?
- Has an overall project budget been set up and approved?
- Have outsourced services been identified/approved/appointed?
- Are financial milestones included in payment terms and conditions?
- Is there a communications plan that is included in the project plan/Gantt charts?
- Is risk analysis conducted and reported throughout the project?

Phase C: Implementation
- Have appropriate controls been identified to monitor project implementation and delivery?
- Are there regular meetings of the project steering committee to monitor progress, discuss risks, changes, etc.?
- Are project reporting requirements being met and managed, e.g. status reporting for contract, timelines, deliverables?
- Project costs are tracked and monitored through detailed cost estimates and expenditure reporting. Deviations are reported and additional expenditure is approved.
- Is there a clear procedure for managing and approving change and/or variations (to scope, timelines, contracts, milestones, etc.)?
- Is the planned versus actual schedule current/reported/monitored?
- Is there agreement on the level of tolerance?
- Is the executive, Responsible Body or delegate periodically updated on progress?

Phase D: Closure and review
- Have all products been completed and delivered?
- Have the communications, change and training programs been implemented?
- Has the project review been completed, including assessment of:
  – overall outcomes vs initial objectives?
  – financial outcomes in relation to the initial/revised budget?
  – intended benefits?
  – the learnings?
- Where relevant, is there a case for abandoning the project, where it is off schedule or has not been fully delivered?
- Has formal approval to close the project been obtained from the project steering committee following tabling of the project review report?
User guide to Standing Direction 3.2.5
Direction requirement 20
Change control

Supplementary material in relation to change control

Introduction
The Standing Directions of the Minister for Finance (the Directions) require authorisation to be obtained for changes made to financial management systems. They also require changes to be implemented in a controlled manner through a change control and management process to ensure the integrity of financial management data is maintained (Direction 3.2.5, Direction requirement 20). A ‘change control’ process is required to ensure the major impacts of a proposed change can be identified and adequately managed while designing and implementing the changes required.

Benefits of change control
The benefits of change control include:
- improved oversight and communication of changes to be implemented;
- increased certainty that only changes that will benefit agency business will be approved and implemented;
- ensuring that the business priority, infrastructure impact and project risk of proposed changes are considered prior to implementation;
- improved ability to move back to the previous environment in case of change failure or unanticipated results; and
- streamlining and efficiency of change implementation, including minimisation of disruptions to ongoing services.

Key aspects of a change control process
All aspects of changes to the IT environment should be controlled, including the initial proposal/submission for the change, analysis, decision making, approval and implementation of any changes, as well as documentation to ensure appropriate recording of the change. The key aspects of a change control process are outlined below:

1. Change requirements and approval
   Change requirements are clearly defined and approved by management.
2. Project management
   Consider project team structure, communication between dependent parties, level of involvement and commitment from senior management, proper reporting and escalation of project issues, and the post implementation support model.
3. Project monitoring
   Consider deadlines, milestones, resources, activities, monitoring costs against budget and monitoring status of progress against milestones.
4. Risk/issue management
   Assessment of the potential impacts, including security impacts, of changes has occurred, and processes exist to capture and escalate project issues, risk mitigation plans, ensuring that people with appropriate authority can resolve issues, and contingency planning.
5. Process requirements
   New processes are defined (system design documentation) and approved by process owners, with sufficient training provided to the majority base of users.
6. Segregation of duties
   Duties are segregated between users who develop changes and users who test and promote changes to the production environment.
7. Testing
   Testing procedures exist around development, regression and user acceptance tests, data conversion activities, etc.
8. Fall back procedures
   Procedures exist, including defined responsibilities, for aborting/recovering from unsuccessful changes.
9. Sign off
   Sign-off for ‘Go Live’ (migration to the production environment) based on agreed acceptance criteria has been provided and is appropriately controlled.

User guide to Standing Direction 3.3
Direction requirement 21
Education and training

Introduction
It is a requirement of the Standing Directions of the Minister for Finance to review, at least annually, the education and training needs for financial management staff within a public sector agency (Direction 3.3).
The Direction also states that a program for the identified needs should be developed. This supplementary material outlines a checklist of areas to consider to fulfil the requirements of this Direction. Specifically, the checklist includes consideration of an agency’s:
- overall approach to education and training;
- organisation of training/education for staff; and
- post training activities.

Education and training checks

Overall approach
- Is there an education and training strategy implemented across the agency that includes all sites and business units?
- Are there policies and procedures in place for the application and approval of education and training for staff?
- Are there links between the identification of training needs and position requirements/competencies?
- Does management discuss training and education opportunities and requirements with each staff member as part of their annual review process?
- Are outcomes of the annual review discussion in relation to training reflected in:
  – individual performance plans?
  – business unit/division plans?
  – agency wide training plans/programs?
- Is there an education and training program for the agency that is aligned to the overall strategy and supports identified training needs of individuals?
- Are specific training requirements considered/reflected in the annual budget process?

Organising training
- Have workloads and skill requirements been considered in the preparation and timing of training courses?
- Does the education/training cover training needs that have been identified?

Post training activities
- Are details of staff education and training documented and recorded centrally/by business unit/on personnel records?
- Are the training strategy and individual programs regularly reviewed (including the assessment of whether training should be delivered in-house or externally)?
User guide to Standing Directions 3.1.3 and 3.4
Direction requirement 12
Policies and procedures

Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to establish and maintain documented policies and procedures in relation to financial administration and management under Direction 3.1.3. The specific policies and procedures required are outlined in Direction 3.4. In addition, the Directions require agencies to:
- communicate policies and procedures to staff; and
- adopt quality assurance mechanisms to monitor, review and assess compliance with policies and procedures.

The table below outlines the required policies and procedures and indicates whether example internal control checklists are included in this material:

Direction | Financial management element requiring policy and procedure | Internal control checklist available
3.4.1 | Revenue | Yes
3.4.2 | Cash handling | Yes
3.4.3 | Bank accounts |
3.4.4 | Cash flow forecasting |
3.4.5 | Procurement |
3.4.6 | Expenditure | Yes
3.4.7 | Employee costs |
3.4.8 | Commission on employee payroll deductions |
3.4.9 | Physical and intangible assets | Yes
3.4.10 | Liabilities |
3.4.11 | Reconciliations |
3.4.12 | Administration of discretionary financial benefits |
3.4.13 | Information collection and management |

This material outlines detail in relation to:
- the definition of policy and procedure;
- authorisations and approvals;
- maintenance, monitoring and access;
- content;
- internal controls; and
- example internal control checklists for:
  – revenue;
  – cash handling;
  – expenditure; and
  – physical and intangible assets.

Definitions

Definition of policy
Policies are principles, rules or guidelines that regulate and direct actions and activities. They are formulated and adopted to ensure good governance, compliance and fulfilment of organisational goals.
Definition of procedure
Procedures outline the specifics of the day-to-day operations of the organisation, explaining how, and by whom, policies will be implemented. They are specific, factual, succinct and to the point. Well-developed procedures identify and define controls within a process, e.g. authorisation requirements for payments. Procedures generally refer to the process rather than the result. Together, policies and procedures contribute to good governance and fulfilment of the Responsible Body’s directions/instructions.

Authorisations and approvals
Policies are approved at an executive level and should be ratified by the Board/Responsible Body or relevant delegate, e.g. audit committee. Procedures should be ratified by the CFAO.

Content
The guideline to Direction 3.1.3 suggests that policies and procedures for financial administration and management should incorporate:
- the legislation under which the agency operates;
- the financial management structure of the agency;
- the agency’s chart of accounts;
- policy and procedure details for the areas of financial management covered in Direction 3.4, including use of information technology related to financial matters, where appropriate;
- standard forms to be used in financial management;
- a list of exemptions obtained from the Minister for Finance and all relevant supporting documentation;
- Accounting Standard Pronouncements of the Australian Accounting Standards Board; and
- conflict of interest details.

Maintenance, monitoring and access
Systems for the maintenance and monitoring of policies and procedures should be implemented to ensure they are regularly reviewed and updated to reflect requirements. Monitoring activities could be conducted by agency staff as well as internal audit. Policies and procedures should be reviewed at least every two years.
Reviews should be designed to continuously improve the policies and procedures and reflect changes in the business/operations, technologies and best practice trends in financial management.

Review triggers
The following is a list of circumstances that could trigger a review (outside of the two year process) of policies and procedures to ensure they are in line with requirements and agency direction:
- significant change in the underlying business of the agency, e.g. organisational restructure, merging or alteration of finance structure, changes to staff numbers or the finance team;
- legislation or regulation introduction/amendment with financial impact (these changes often impact procedures rather than policies);
- new accounting standards or policies;
- whole of government or departmental change to financial management, e.g. implementation of shared services; and
- machinery of government change.

Version control
In addition, policies and procedures should clearly outline version control details as well as role and responsibility information (i.e. who is responsible for the maintenance, review and implementation of the policy/procedure). Agencies should ensure that only authorised versions are in use at any point in time.

Access
Policies and procedures should be accessible to staff at all times. Details of how and where to access the documents should be circulated to staff regularly. Staff should also be aware of any changes and updates made to policies and procedures.

Internal controls
Internal controls prevent or detect irregularities in financial management processes. Internal controls can be used to assist with:
- ensuring compliance;
- monitoring activities;
- communication to staff regarding the relevance and significance of the policy and procedures; and
- the assessment of risks associated with that procedure.
Example checklists for internal controls are outlined below.
These controls can be incorporated into financial management procedures.

Example checklists for internal control activities
The following checklists provide example control objectives and examples of potential control activities. The material should be used as a guide to assist the agency with internal control activities.

Revenue (Direction 3.4.1)
Public sector agencies must implement and maintain an effective internal control framework over revenue transaction processing and management to ensure that revenue is completely and accurately identified, recorded and collected.

Accounts receivable – invoicing

Example control objective: A sales invoice is generated for every approved provision of services.
- Invoices are sequentially pre-numbered and accounted for. A manual or system check is performed to ensure documents are not missing or duplicated and do not fall outside a specified range of numbers.
- All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.

Example control objective: Invoices generated represent actual provision of services.
- Sales personnel reconcile control totals of the daily invoices generated with the total shipments per the shipping system (if applicable).
- A manual or system check is performed to ensure data is not duplicated and does not fall outside a specified range of numbers (the check can be preventive or detective).
- All rejected, suspense or missing items are investigated, corrected and re-entered on a timely basis.

Example control objective: Price, amount and other information on the invoice are correct.
- Management approval is required for discounts and allowances in excess of predefined limits.
- Invoicing personnel examine the sales order for evidence of appropriate approval before input. Invoices that are not approved are placed in a suspense file that is reviewed by management for clearance on a regular basis.
- Potential system control: System edits exist to validate invoice data input (e.g. customer name and number, pricing, amounts, other information) against approved standing data in the sales order system. Invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered for completeness.

Example control objective: Duplicate recording of invoices is prevented.
- A manual or system check is performed to ensure invoice numbers are not duplicated and do not fall outside a specified range of numbers (the check can be preventive or detective).
- All rejected, suspense or missing items are investigated, corrected and re-entered on a timely basis.

Example control objective: Periodic updates for batch processing are complete and accurate.
- For invoices that are input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete. Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports.
- All out of balance conditions are researched and re-entered on a timely basis.

Example control objective: Duties are adequately segregated.
- Appropriate segregation of duties should be maintained over, for example: order entry, determining credit limits, inventory custody, shipping, invoicing, returns acceptance, returns approval, credit note approval, cash receipts, cash disbursements, bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance, and G/L maintenance functions.
- Exceptions noted are investigated and resolved.
- If management accepts incompatible duties, appropriate mitigating controls exist.

Example control objective: Ability to post to the accounting records is restricted to authorised users.
- Formal approval by the application owner is required for access to specific accounting records.
- Management reviews access rights periodically to ensure only authorised individuals have access and for segregation of duties.
- Exceptions noted are investigated and resolved.

Example control objective: Unauthorised access to the accounting records is prevented and detected.
- Management investigates and resolves all instances where unauthorised access has been obtained.
- Potential system control: Access controls such as user IDs and passwords are utilised and specific to each application.
- Potential system control: Multiple failures to log on invalidate the user ID and are reported via an exception report. The exception report is reviewed by management on a regular basis.

Credit notes

Example control objective: Ability to raise credit notes is restricted and subject to review.
- Credit notes are sequentially numbered and access to physical credit notes is restricted. Any gap in credit note sequential numbering is investigated.
- Credit notes are raised and approved by a separate authority within delegation.
- All applications for credit notes are supported by the original invoice and other relevant information regarding the credit note.
- Credit notes are only raised to correct transactions relating to an incorrect accounts receivable balance and/or charge.
- Finance personnel regularly review outstanding credit notes. Any credit notes linked to a customer’s account will be utilised before cash payment is accepted for the customer.

Bad debts

Example control objective: Doubtful debts are accounted for correctly.
- Senior finance management regularly review outstanding payments to ensure all debts are recoverable.
- Management ensure that all outstanding debts over XX days are included in the provision for doubtful debts.

Example control objective: Ability to write off bad debts is subject to approval.
- All write-offs are subject to review and approval within delegated authority limits.
- All submissions for write-off have supporting documentation.

Cash handling (Direction 3.4.2)
Public sector agencies must implement and maintain an effective internal control framework over cash handling and banking so that cash from all sources is completely and accurately identified, banked and recorded in the financial records.

Cash receipting

Example control objective: Cash receipts are accurately recorded and in the proper period.
- The organisation/department directs all cash receipts to its lockbox(es). A summary report and electronic file of receipts is provided by the bank to the agency on a daily basis.
- The total amount of cash receipts from the bank summary report is recorded as cash and unapplied accounts receivable. The electronic files are provided to the accounts receivable clerk for application to customer accounts.
- Bank statements are reconciled to cash accounts:
  – discrepancies are researched, corrected and adjusted as necessary on a timely basis; and
  – the reconciliations are reviewed and approved by appropriate management.

Example control objective: Cash receipts relate to sales and are recorded against the correct customer account.
- Detailed accounts receivable aging is reviewed monthly and any long outstanding balances or other unusual balances (i.e. credit balances) are investigated.
- Potential system control: The electronic file of receipts into the lockbox interfaces with the accounts receivable sub-ledger and applies cash receipts to the debtor accounts based on a matching of debtor name, number, invoice number, etc.:
  – unmatched cash receipts are investigated and manually applied.

Example control objective: All cash receipts are input for processing.
Cash posting personnel reconcile control totals of the cash receipts received for the day (from lockbox files/reports) with the total of cash receipts applied to customer accounts. All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.

Example control objective: Periodic updates for batch processing are complete and accurate.
For systems where the application of cash is input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete:
– input documents are grouped and a numerical total is calculated (e.g. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports; and
– all out of balance conditions are researched and re-entered on a timely basis.

Example control objective: Duties are adequately segregated.
Appropriate segregation of duties is maintained between the following functions: order entry, determining credit limits, inventory custody, shipping, invoicing, returns acceptance, returns approval, credit note approval, cash receipts, cash disbursements, bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance, and G/L maintenance:
– exceptions noted are investigated and resolved; and
– if management accepts incompatible duties, appropriate mitigating controls exist.

Example control objective: Ability to post to the accounting records is restricted to authorised users.
Formal authorisation by the application owner is required for access to specific accounting records:
– management reviews access rights periodically to ensure only authorised individuals have access and to maintain segregation of duties; and
– exceptions noted are investigated and resolved.

Example control objective: Unauthorised access to the accounting records is prevented and detected.
Potential system control: Access controls such as user IDs and passwords are utilised and specific to each application:
– multiple failures to log on invalidate the user ID and are reported via an exception report; and
– management investigates and resolves all items.

Example control objective: Cash receipts are protected before they are deposited.
Physical access to cash receipts is limited to the cash receipts personnel prior to posting to the system:
– incompatible functions and related duties are subject to a regular review by management; and
– discrepancies and exceptions noted are investigated and resolved.

Petty cash

Example control objective: There is restricted access over petty cash.
The petty cash box is locked and kept in a secure location. No more than two staff members have access to the petty cash fund.

Example control objective: All requests for petty cash are valid and accounted for.
A set limit for petty cash requests should be in place, and requests should not exceed this level.
All petty cash requests should be documented on a standard form/petty cash book detailing the date, amount required, reason, and signature of the employee requesting petty cash.
The finance personnel with access to petty cash review each request for petty cash and determine whether it is appropriate.
Petty cash payments should not exceed $X and should not be used for payments that should be made with a purchase order or can be paid via an expense reimbursement process.

Example control objective: Unauthorised expenditure of petty cash is prevented and detected.
Petty cash should be reconciled on a regular basis (e.g. fortnightly). Appropriate segregation of duties should be in place so that the reconciliation is performed by finance personnel who do not have access to the petty cash fund.
Spot checks are performed on petty cash floats on a regular basis.

Example control objective: Replenishment of the petty cash fund should be appropriately approved.
Replenishment of the petty cash fund should be done on a regular basis, either when reconciled or when funds have diminished to below a particular threshold (e.g. x%). The replenishment amount should be reviewed and approved by an appropriate member of finance personnel.

Expenditure (Direction 3.4.6)

Public sector agencies must implement and maintain an effective internal control framework over expenditure transaction processing and management to ensure that disbursements (including but not limited to grants, capital expenditure, salaries and wages, and other recurrent expenditure) are appropriately authorised and incurred in accordance with business needs, and captured in the financial records.

Invoice processing

Example control objective: Invoices are processed for payment after goods are received.
When goods/services are received, the finance system is updated to reflect the receipt.
All invoices are date stamped and signed by appropriate personnel and forwarded to the finance department for payment.
Invoices received by the finance department are reconciled to the accounting system to ensure the good/service has been received:
– if the invoice is not found in the finance system, it is passed to the receipting department for authorisation that the good/service has been received prior to returning the invoice to the finance department for payment.
Potential system control: Appropriate financial limits are established within the payables function of the finance system.
Potential system control: An exception report is reviewed to identify instances where the established financial limits have been overridden when raising a purchase requisition or purchase order. Discrepancies are followed up on a timely basis by management.

Example control objective: Ability to enter goods receipts is restricted to authorised users.
Formal authorisation is required for access to the purchasing module of the system and key purchasing transactions. Management reviews access rights periodically to ensure only authorised individuals have access and that duties are appropriately segregated.
Potential system control: Attempts to access the system are prevented if access is not authorised.

Example control objective: Duties are adequately segregated.
Purchasing and accounts payable duties are segregated. Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated.
Raising and editing of purchase requisitions or purchase orders is restricted to authorised users.
Potential system control: Users with access to the purchasing module do not have access to the vendor maintenance, goods receipts, accounts payable and processing disbursements functions within the system.

Example control objective: All invoices received are input for processing.
Accounts payable personnel reconcile daily batch totals of the invoices entered with a post input report of invoices entered into the accounts payable system. All non-reconciling items are investigated, corrected and re-entered on a timely basis. Batch totalling is completed for the re-entered data.
Long-standing purchase orders are reviewed and purged from the system if no longer current.

Example control objective: Invoices are input for processing correctly.
Potential system controls: System edits ensure that vendors, quantities, price, extensions, payment terms (including available discounts), supplier name and code, GST classification, purchase order reference and accuracy of the account distribution are agreed between the invoice, receiving report and purchase order:
– items that do not match are researched, corrected and re-entered prior to approving the invoice for payment;
– duplicate invoice numbers are not permitted;
– incorrect entry of price, quantity, amounts, vendor or general account numbers is prevented or detected; and
– mismatched purchase orders or receiving reports are investigated and resolved.

Example control objective: Expenditure is allocated to the correct cost centre.
Accounts payable officers check the cost centre coding per the accounting system (or stamped on the invoice if applicable) against the nature of the good/service per the invoice and the delivery details:
– any overrides to cost centre coding are checked on a regular basis by the accounts payable supervisor.

Example control objective: Periodic updates for batch processing are complete and accurate.
For systems where invoices are input into a temporary file, batch totals are utilised before processing of invoices is complete. Input documents are grouped and a numerical total is calculated (e.g. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports:
– all non-reconciling items are researched and re-entered on a timely basis.

Example control objective: Duplicate recording of invoices is prevented.
Invoices and supporting documents are stamped as ‘entered’ to prevent re-submission for payment.
Potential system control: Once a purchase order is matched to an invoice, the system identifies the purchase order as ‘closed’. Closed purchase orders cannot be selected again for matching.

Example control objective: Routine services (e.g. rent, utilities) are recorded.
A process exists to capture recurring costs on a monthly basis. For example, the accounts payable group maintains an Excel spreadsheet. When an invoice is received for a recurring bill or open purchase order, accounts payable checks the bill/purchase order against the spreadsheet to ensure the amount has not already been processed, the invoice amount matches the list of normal recurring bills, and the amount is not outside the expected dollar range.
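The batch-total control described above (and repeated for cash receipts, payments, standing data and asset disposals elsewhere in this checklist) compares three totals of the source batch with the same totals from the post input/update report: the document count, the dollar amount and a hash total. The following is an added illustration written for this guide, not code from the Department or any finance package; the batch layout, field names and the two sample batches are constructed. It shows why a count alone is not sufficient: the posted batch below has the right number of documents but has dropped one, duplicated another and mis-keyed a third, and only the amount and hash totals expose that.

```python
"""Batch control-total check for a temporary input file before sub-ledger update.

Added illustration: the batch, the post-input report and the field names are
constructed for this example and are not taken from any agency system.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class InputDoc:
    doc_number: int       # invoice or receipt number
    vendor_code: str
    amount: Decimal       # dollar amount kept as Decimal to avoid float drift


def control_totals(docs):
    """Return the three totals the checklist names: document count, dollar
    amount, and a hash total (the sum of the document numbers, which has no
    business meaning but changes if a document is dropped, duplicated or mis-keyed)."""
    return {
        "count": len(docs),
        "amount": sum((d.amount for d in docs), Decimal("0")),
        "hash": sum(d.doc_number for d in docs),
    }


def batch_is_in_balance(input_docs, post_update_docs):
    """Compare the totals of the source batch with the totals of what the
    system reports as posted. Returns (in_balance, differing_totals)."""
    expected = control_totals(input_docs)
    actual = control_totals(post_update_docs)
    diffs = {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}
    return (not diffs), diffs


def explain_out_of_balance(input_docs, post_update_docs):
    """Narrow an out-of-balance condition to document level so the item can be
    researched and re-entered: documents missing from the posted report,
    posted twice, or posted with a different amount."""
    posted, duplicates = {}, []
    for d in post_update_docs:
        if d.doc_number in posted:
            duplicates.append(d.doc_number)
        posted[d.doc_number] = d
    source = {d.doc_number: d for d in input_docs}
    missing = sorted(n for n in source if n not in posted)
    changed = sorted(n for n in source if n in posted and posted[n].amount != source[n].amount)
    return {"missing": missing, "duplicated": sorted(set(duplicates)), "amount_changed": changed}


# Constructed sample batch: five invoices keyed for today's run.
SOURCE_BATCH = [
    InputDoc(1001, "V-17", Decimal("250.00")),
    InputDoc(1002, "V-03", Decimal("1200.50")),
    InputDoc(1003, "V-17", Decimal("75.25")),
    InputDoc(1004, "V-42", Decimal("990.00")),
    InputDoc(1005, "V-03", Decimal("310.00")),
]

# Constructed post-input report: 1003 was dropped, 1004 was keyed twice and
# 1005 was entered as 301.00 (transposed digits). The count still matches.
POSTED_REPORT = [
    InputDoc(1001, "V-17", Decimal("250.00")),
    InputDoc(1002, "V-03", Decimal("1200.50")),
    InputDoc(1004, "V-42", Decimal("990.00")),
    InputDoc(1004, "V-42", Decimal("990.00")),
    InputDoc(1005, "V-03", Decimal("301.00")),
]

if __name__ == "__main__":
    ok, diffs = batch_is_in_balance(SOURCE_BATCH, POSTED_REPORT)
    print("in balance" if ok else f"OUT OF BALANCE: {diffs}")
    if not ok:
        print(explain_out_of_balance(SOURCE_BATCH, POSTED_REPORT))
```

The same check is re-run on the re-entered data, as the checklist requires, by calling batch_is_in_balance again with the corrected post-input report.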
Example control objective: Payments against capital expenditure are recorded.
When invoices are received in relation to capital expenditure projects (which may not have a corresponding purchase order), a designated project accountant/manager is responsible for monitoring these costs and signing invoices to approve payment:
– frequent monitoring of expenditure against the budget/approved capital expenditure plan should be performed by an independent person (e.g. the fixed assets manager).

Example control objective: Postings to expense and/or inventory in the general ledger are complete, accurate and valid.
A monthly report is generated that lists receipts for which a supplier invoice has not been received. This report is utilised by accounts payable to accrue for these materials/services in the month of their receipt.
Procedures exist to ensure that the period end reconciliation of the accounts payable ledger to the general ledger is performed and that cut-off errors are corrected on a timely basis:
– accounts payable suspense accounts are included in the period end reconciliation process.

Example control objective: Duties and taxes on purchases are accounted for correctly.
Tax components in an invoice are compared with the tax estimate in the purchase order. Significant variances are reviewed.

Example control objective: Data input for invoicing is restricted to authorised users.
Accounts payable personnel who are responsible for updating invoice information should be different from those who sign cheques.
Potential system control: Attempts to access the finance system are prevented if access is not authorised.

Example control objective: Duties over invoice processing are adequately segregated and fraudulent invoices cannot be created.
Invoice processing is restricted to authorised users independent from vendor maintenance, goods receipts and processing disbursements.
Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated.

Payments

Example control objective: Disbursements are input for processing in a complete manner.
An accounts payable ageing report is reviewed periodically to ensure payments have been recorded.

Example control objective: Disbursement is for the correct invoice.
Payments are not made on invoices that have not been matched to a receiving report and purchase order. This may be a manual or a system control.
Potential system control: The system may be configured to allow payments that have not been matched. Appropriate segregation of duties must be in place over who can alter and override those configurations.

Example control objective: Disbursement is to the correct payee and vendor.
Statements received from suppliers are reconciled to the suppliers’ accounts in the accounts payable sub-ledger regularly and differences are investigated.
Potential system control: Payee name and address are automatically extracted from the vendor master file.

Example control objective: Disbursement input is for the correct amount.
Any differences between the payment amount and the invoice amount are automatically put into a suspense file. Management must clear items in the suspense file on a timely basis.
Payment amount information is automatically input from the invoice matching process.

Example control objective: Payments in foreign currency are accurately calculated.
Potential system control: All payments in foreign currencies are flagged by the system and the foreign currency translation is calculated offline by an accounts payable clerk and reviewed by the accounts payable manager.

Example control objective: Disbursement input is in the proper period.
Potential system control: The system does not allow for differences between the payment date and the date of the cheque. Management approval is required for any override of this control.
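The "Disbursement is for the correct invoice" objective above, together with the closed-purchase-order and duplicate-invoice-number controls in the Invoice processing checklist, amounts to a three-way match gate in front of payment. The code below is an added example written for this guide (not the Department's or any vendor's code) of what that gate checks: the invoice is compared against the purchase order and the receiving report already in the system, the purchase order is closed once matched so it cannot be matched again, and the same vendor invoice number cannot be approved twice. The purchase orders, receipts, invoices and field names are constructed.

```python
"""Three-way match gate for disbursements: an invoice is payable only when it
agrees with its purchase order and receiving report; the purchase order is
then closed, and the same vendor invoice number cannot be paid twice.

Added example; purchase orders, receipts, invoices and field names are
constructed and are not a particular finance system's schema.
"""
from decimal import Decimal


class PayablesMatcher:
    def __init__(self, purchase_orders, receipts, tolerance=Decimal("0.00")):
        self.pos = dict(purchase_orders)   # po_number -> {"vendor", "qty", "unit_price"}
        self.received = dict(receipts)     # po_number -> quantity on the receiving report
        self.closed_pos = set()            # closed once matched; cannot be matched again
        self.matched_invoices = set()      # (vendor, invoice_number) already approved
        self.tolerance = tolerance         # permitted price variance, zero by default

    def match(self, inv):
        """Return ('approved', amount) or ('rejected', reason) for one invoice.
        Every check runs against data already in the system rather than the
        invoice's own claims, so a mis-keyed or fabricated invoice cannot pass
        by asserting its own purchase order details."""
        key = (inv["vendor"], inv["invoice_number"])
        if key in self.matched_invoices:
            return "rejected", "duplicate invoice number for this vendor"
        po = self.pos.get(inv["po_number"])
        if po is None:
            return "rejected", "no purchase order"
        if inv["po_number"] in self.closed_pos:
            return "rejected", "purchase order already closed"
        if po["vendor"] != inv["vendor"]:
            return "rejected", "vendor differs from purchase order"
        if inv["qty"] > po["qty"]:
            return "rejected", "quantity exceeds purchase order"
        if inv["qty"] > self.received.get(inv["po_number"], 0):
            return "rejected", "quantity exceeds receiving report"
        expected = po["unit_price"] * inv["qty"]
        if abs(inv["amount"] - expected) > self.tolerance:
            return "rejected", f"amount {inv['amount']} differs from PO value {expected}"
        # All three documents agree: approve, close the PO, remember the invoice.
        self.closed_pos.add(inv["po_number"])
        self.matched_invoices.add(key)
        return "approved", expected


# Constructed sample data.
PURCHASE_ORDERS = {
    "PO-7001": {"vendor": "V-17", "qty": 10, "unit_price": Decimal("25.00")},
    "PO-7002": {"vendor": "V-03", "qty": 4, "unit_price": Decimal("300.00")},
}
RECEIPTS = {"PO-7001": 10, "PO-7002": 2}   # PO-7002 only partly delivered

INVOICES = [
    {"vendor": "V-17", "invoice_number": "INV-1", "po_number": "PO-7001", "qty": 10, "amount": Decimal("250.00")},
    {"vendor": "V-17", "invoice_number": "INV-1", "po_number": "PO-7001", "qty": 10, "amount": Decimal("250.00")},
    {"vendor": "V-17", "invoice_number": "INV-2", "po_number": "PO-7001", "qty": 10, "amount": Decimal("250.00")},
    {"vendor": "V-03", "invoice_number": "INV-9", "po_number": "PO-7002", "qty": 4, "amount": Decimal("1200.00")},
    {"vendor": "V-99", "invoice_number": "INV-5", "po_number": "PO-7002", "qty": 2, "amount": Decimal("600.00")},
    {"vendor": "V-03", "invoice_number": "INV-9", "po_number": "PO-7002", "qty": 2, "amount": Decimal("650.00")},
]


def run_matching(invoices=INVOICES):
    """Process the sample invoices in order and return the decision for each."""
    matcher = PayablesMatcher(PURCHASE_ORDERS, RECEIPTS)
    return [matcher.match(inv) for inv in invoices]


if __name__ == "__main__":
    for inv, (decision, detail) in zip(INVOICES, run_matching()):
        print(f"{inv['vendor']} {inv['invoice_number']}: {decision} ({detail})")
```

The checklist also notes that a system may be configured to allow unmatched payments; in this model that would be a second code path behind its own authorisation, and the segregation-of-duties review would need to cover whoever can change that configuration.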
Example control objective: Correct postings are made to the purchase ledger control account and cash in the general ledger.
The total of cheques issued is reconciled with the updates to the accounts payable sub-ledger and cash account. Reconciling items are researched and corrected as necessary.
A list of outstanding purchase orders for which ownership of goods is transferred prior to delivery is prepared for accrual purposes. Management reviews and approves the listing.
Potential system control: The system updates the corresponding cash and accounts payable accounts as of the cheque run date. Reconciliations are performed to ensure transactions are posted correctly.

Example control objective: Purchase discounts are accurately calculated and recorded.
Potential system control: The system is configured to calculate applicable discounts per management policy. If the discount policy can be overridden, monitoring procedures exist for detection and resolution of any system overrides.

Example control objective: Signed cheques are mailed out promptly to the correct payee.
Bank reconciliations are performed to check for old reconciling items. Exceptions are investigated and corrected as necessary.
An accounts payable ageing report is reviewed periodically to ensure payments have been recorded.

Example control objective: Missing, duplicate or long outstanding cheques are investigated.
When a payment is made in the system, a reference is made to a specific invoice and the system does not allow the payment to be made again:
– accounts payable staff adopt a consistent approach to entering invoice/supplier details to ensure no invoices are duplicated for payment; and
– only original invoices are accepted for processing payments in the accounting system.
Cheques outstanding for more than 30 days are reviewed and resolved on a monthly basis. All cheques must be paid in sequential order.
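The cheque review just described (missing, duplicate or long outstanding cheques; sequential order; the 30-day review) can be expressed as one pass over the cheque register against the bank statement. The block below is an added example for this guide, not the Department's own tooling; the register, the cleared list and the review date are constructed. The gap and duplicate logic is the same check the checklist asks for on other pre-numbered documents (credit notes, capital expenditure forms, disposal forms).

```python
"""Cheque run review: gaps in the pre-numbered sequence, numbers used twice,
cheques recorded out of order, and cheques outstanding beyond the review age.

Added example; the cheque register and bank-cleared list are constructed.
"""
from datetime import date
from decimal import Decimal


def review_cheque_run(register, cleared, as_of, stale_after_days=30):
    """register: list of (cheque_no, issue_date, payee, amount) in the order
    the cheques were recorded. cleared: set of cheque numbers present on the
    bank statement. Returns findings for the monthly exception report."""
    numbers = [c[0] for c in register]
    low, high = min(numbers), max(numbers)
    seen, duplicates, out_of_sequence = set(), [], []
    highest_so_far = None
    for n in numbers:
        if n in seen:
            duplicates.append(n)           # same number issued twice
        seen.add(n)
        if highest_so_far is not None and n < highest_so_far:
            out_of_sequence.append(n)      # a lower number recorded after a higher one
        highest_so_far = n if highest_so_far is None else max(highest_so_far, n)
    missing = [n for n in range(low, high + 1) if n not in seen]   # gaps in the sequence
    stale = [
        c[0] for c in register
        if c[0] not in cleared and (as_of - c[1]).days > stale_after_days
    ]
    return {
        "missing": missing,
        "duplicates": sorted(set(duplicates)),
        "out_of_sequence": out_of_sequence,
        "stale_outstanding": sorted(set(stale)),
    }


# Constructed sample register: 5003 never recorded, 5005 used twice,
# 5006 recorded after 5007, and 5002 still uncleared after 52 days.
CHEQUE_REGISTER = [
    (5001, date(2013, 7, 1), "Supplier A", Decimal("250.00")),
    (5002, date(2013, 7, 10), "Supplier B", Decimal("1200.50")),
    (5004, date(2013, 8, 20), "Supplier C", Decimal("75.25")),
    (5005, date(2013, 8, 20), "Supplier D", Decimal("990.00")),
    (5005, date(2013, 8, 21), "Supplier D", Decimal("990.00")),
    (5007, date(2013, 8, 22), "Supplier E", Decimal("310.00")),
    (5006, date(2013, 8, 22), "Supplier F", Decimal("45.00")),
]
CLEARED = {5001, 5004, 5005, 5006, 5007}   # numbers on the constructed bank statement
REVIEW_DATE = date(2013, 8, 31)

if __name__ == "__main__":
    for finding, items in review_cheque_run(CHEQUE_REGISTER, CLEARED, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```

Each finding maps to a follow-up the checklist already names: missing numbers are researched immediately, duplicates and out-of-sequence items go back to the cheque run review, and stale outstanding cheques are resolved in the monthly review.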
Bank reconciliations are performed on a regular basis to determine outstanding cheques and reconciling items. Exceptions are investigated and corrected as necessary.

Example control objective: Periodic updates for batch processing are complete and accurate.
Input documents are grouped and a numerical total is calculated (e.g. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports. All out of balance conditions are researched and re-entered on a timely basis.
Potential system control: For systems where disbursements are input into a temporary file, batch totals are utilised before processing of payments is complete.

Example control objective: Cash and electronic funds payments are approved.
The release of cheques for printing and signing, or the release of electronic funds, is approved by personnel separate from those who enter and match invoices. Appropriate authority limits are established for approvals.

Example control objective: Electronic funds transfers are controlled.
One-off and initial standing wire transfer requests are accompanied by appropriate supporting documentation.
Only authorised treasury personnel can initiate wire transfers. Bank call-back verification procedures are in place:
– potential system control: electronic funds transfers require dual authorisation.
All bank accounts are reconciled on a timely basis and all wire transfer activity is accounted for.

Example control objective: Duplicate payments are prevented.
Potential system control: The system does not allow an invoice to be paid twice.

Example control objective: Payments made are for goods or services actually ordered or rendered and received.
Payments can only be made from ‘closed’ invoices. Invoices are closed after matching to a receiving report and purchase order.

Example control objective: Urgent payment requests are approved.
Requests for manual cheques are supported by purchase agreements, receiving reports, original invoices, or other documentation that indicates the purpose of the expenditure:
– the cheque request amount is compared to the initiator’s or approver’s maximum delegation amount to determine if a second signature is required; and
– cheques in excess of established dollar amounts (or equivalent) are forwarded to a second designated cheque signatory for approval with supporting documentation.

Example control objective: Access to unissued cheques and cheque signing machines is restricted.
Duties over the release of cheques for printing and signing are segregated from those of entering and matching invoices for approval.
Unused cheques are kept in a locked location. Mechanical cheque signers and signature plates are safeguarded.
Access to cheque signing privileges is limited to a minimum number of people:
– multiple signatures are required for cheques over a certain amount.
Cheque stock is sequentially pre-numbered:
– sequential cheque numbers are reviewed and reconciled on a regular basis. Any missing cheque numbers are researched immediately; and
– cheque runs are reviewed for any inaccurate, spoiled or illegible cheques.

Example control objective: Input and generation of payments is restricted to authorised users.
Attempts to access the system are prevented if access is not authorised.

Example control objective: Duties are adequately segregated.
Access to process disbursements is segregated from vendor maintenance, purchasing, goods receipts and accounts payable. Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated.

Masterfile changes to accounts payable

Example control objective: Approved changes are input for processing completely and accurately.
An appropriate officer approves changes to standing data prior to input. Each change must be supported by sufficient documentation.
A one-to-one check of changes input into the system is completed by comparing post input/update reports to the change source documents for completeness and accuracy. Discrepancies are resolved and the re-entered data is subject to the same control.
To ensure that data remains accurate, the standing data owners complete a regular review. Any changes noted by the owners are entered via the standard standing data change process.
Potential system control: For changes to certain types of standing data and/or changes outside certain parameters, the system produces a report of these changes which is forwarded to management for review. Acceptance of these changes by the system is dependent upon management review of supporting documentation and approval.

Example control objective: Periodic updates to standing data via batch processing are complete and accurate.
Where batch totals are utilised, input documents are grouped and a numerical total is calculated (e.g. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports. All out of balance conditions are investigated and re-entered on a timely basis.

Example control objective: Duties are adequately segregated.
Segregation of duties is maintained between the update of standing data and the maintenance of financial records (e.g. posting or approval of adjustments, reconciliations, etc.). Exceptions noted are investigated and resolved. If management accepts incompatible duties, appropriate mitigating controls exist, such as regular review of system access.

Example control objective: Ability to post to the accounting records is restricted to authorised users.
Formal authorisation by the application owner is required for access to specific accounting records:
– management reviews access rights periodically to ensure only authorised individuals have access to the accounting system and that there is adequate segregation of duties. Exceptions noted are investigated and resolved.

Example control objective: Unauthorised access to accounting records is prevented and detected.
Access controls such as user IDs and passwords are utilised and specific to each application and user:
– multiple failures to log on invalidate the user ID and are reported via an exception report. Management investigates and resolves all items on the exception report.

Example control objective: Vendors in the masterfile are current.
Potential system control: A report of vendors with no purchasing activity for 12 months or more is generated periodically (e.g. quarterly) to ensure that all vendors in the masterfile are current.

Physical and intangible assets (Direction 3.4.9)

Public sector agencies must implement and maintain an effective internal control framework for asset management to ensure that assets are identified, recorded accurately and accounted for in accordance with Australian Accounting Standards.

Asset additions

Example control objective: Capital expenditure requests are recorded completely.
Capital expenditure forms are sequentially pre-numbered and accounted for. Alternatively, every capital expenditure request is assigned a unique number to eliminate the risk of duplication:
– a manual or system check is performed to ensure documents are not missing or duplicated and do not fall outside a specified range of numbers.
All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.
Potential system control: If an automated purchasing system is used, specific application controls may be embedded in the system.
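The periodic access-rights review described under "Ability to post to the accounting records is restricted to authorised users" above has two parts: every access grant must trace to a formal authorisation by the application owner, and no user may hold functions the checklist treats as incompatible unless management has accepted the conflict with a documented mitigating control. The block below is an added example for this guide, not code from the Department or any finance package. The incompatible pairs are taken from the segregation statements in the Invoice processing, Payments and Masterfile changes checklists above; the function names, users, grants and mitigation register are constructed.

```python
"""Periodic access-rights review: unauthorised grants and segregation-of-duties
conflicts across the functions this checklist requires to be separated.

Added example; function names, users, grants, authorisations and the
mitigation register are constructed.
"""
from itertools import combinations

# Pairs the checklist states must not be held by one user (function names assumed).
INCOMPATIBLE = {
    # purchasing module users may not hold these (Invoice processing checklist)
    frozenset({"purchasing", "vendor_maintenance"}),
    frozenset({"purchasing", "goods_receipt"}),
    frozenset({"purchasing", "ap_invoicing"}),
    frozenset({"purchasing", "disbursements"}),
    # invoice processing is independent of vendor maintenance, goods receipts, disbursements
    frozenset({"ap_invoicing", "vendor_maintenance"}),
    frozenset({"ap_invoicing", "goods_receipt"}),
    frozenset({"ap_invoicing", "disbursements"}),
    # disbursements are segregated from vendor maintenance and goods receipts (Payments checklist)
    frozenset({"disbursements", "vendor_maintenance"}),
    frozenset({"disbursements", "goods_receipt"}),
    # standing data update vs maintenance of financial records (Masterfile changes checklist)
    frozenset({"standing_data_update", "financial_records_maintenance"}),
    # preparing vs approving bank reconciliations (Cash receipting checklist)
    frozenset({"bank_reconciliation", "approve_bank_reconciliation"}),
}


def review_access(grants, authorisations, accepted_conflicts):
    """grants: {user: set(functions)} as extracted from the application.
    authorisations: set of (user, function) approved by the application owner.
    accepted_conflicts: {(user, frozenset(pair)): mitigating control text}.
    Returns the findings for the exception report."""
    unauthorised = sorted(
        (user, fn) for user, fns in grants.items() for fn in fns
        if (user, fn) not in authorisations
    )
    conflicts, mitigated = [], []
    for user, fns in grants.items():
        for a, b in combinations(sorted(fns), 2):
            pair = frozenset({a, b})
            if pair not in INCOMPATIBLE:
                continue
            if (user, pair) in accepted_conflicts:
                mitigated.append((user, a, b, accepted_conflicts[(user, pair)]))
            else:
                conflicts.append((user, a, b))
    return {
        "unauthorised_grants": unauthorised,       # grant with no owner authorisation
        "sod_conflicts": sorted(conflicts),        # incompatible pair, not accepted
        "accepted_with_mitigation": sorted(mitigated),  # accepted; confirm the mitigation still runs
    }


# Constructed sample extract.
GRANTS = {
    "jdoe": {"purchasing", "goods_receipt"},            # conflict, no accepted mitigation
    "asmith": {"ap_invoicing"},
    "bwong": {"vendor_maintenance", "disbursements"},   # conflict accepted by management
    "cpatel": {"bank_reconciliation"},                  # no authorisation on file
    "dlee": {"purchasing"},
}
AUTHORISATIONS = {
    ("jdoe", "purchasing"), ("jdoe", "goods_receipt"), ("asmith", "ap_invoicing"),
    ("bwong", "vendor_maintenance"), ("bwong", "disbursements"), ("dlee", "purchasing"),
}
ACCEPTED = {
    ("bwong", frozenset({"vendor_maintenance", "disbursements"})):
        "monthly vendor master change report reviewed by the finance manager",
}

if __name__ == "__main__":
    for finding, items in review_access(GRANTS, AUTHORISATIONS, ACCEPTED).items():
        print(f"{finding}: {items}")
```

Items in "accepted_with_mitigation" are not exceptions, but the reviewer should confirm the named mitigating control is still being performed, since the checklist makes acceptance of incompatible duties conditional on it.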
Example control objective: Capital expenditure requests are approved.
The pre-numbered capital expenditure forms (for both internally constructed assets and external purchases)/capital expenditure requests are approved by an appropriate level of management and forwarded to either the internal engineering group or the purchasing department, respectively:
– all changes to capital expenditure forms require formal approval from management in accordance with appropriate delegations of authority (see below).
Established policies and procedures define spending limits and approval procedures for capital expenditure.
Potential system control: Approval limits are configured in the system, which allow authorised users to enter and approve acquisitions within approved limits. These are systematically applied and attempts to override them are prevented.

Example control objective: Approved capital expenditure requests are recorded accurately.
Approved capital expenditure forms are input into a capital expenditure request tracking system or fixed asset/projects sub-ledger:
– a one-to-one check between the entered information and source documentation occurs for accuracy of key data fields. Any discrepancies are re-entered and subject to the same control.
Note that ordering, receipt, invoice processing and payments related to capital expenditure are covered in the internal control checklists for Expenditure.

Example control objective: Capital expenditure requests are appropriately updated upon receipt of the asset.
The finance department performs a monthly review of the open capital expenditure forms per the capital expenditure request tracking system/fixed assets/project sub-ledger. Items are researched and resolved as necessary.
Potential system control: When capital items are received and matched to the purchase order, the system automatically notifies the appropriate personnel so that the capital expenditure request tracking system or fixed assets/projects sub-ledger can be updated.
Example control objective: Fixed asset acquisitions are input accurately and in the correct period.
Subsequent to receipt, fixed asset records are updated. A one-for-one check between the internal and external supporting documents (e.g. invoice) and the fixed asset sub-ledger/fixed asset register occurs. Any discrepancies are identified and re-entered. The check occurs again for re-entered data.
The fixed asset manager/appropriate personnel reviews all fixed asset additions and approves the classification, useful lives, depreciation method, etc.
Periodically, management reviews acquisition reports and compares them to budgets or other data for reasonableness of acquisitions by category of asset, location or division. Discrepancies are followed up and corrected as necessary.

Example control objective: Where applicable, the organisation/department holds a valid title.
Where applicable, internal legal counsel ensures that the organisation/department holds legal title to recorded fixed assets. Where a physical title is received, it is maintained in a secure location.

Example control objective: Duties and taxes on fixed asset transactions are recorded in accordance with applicable laws and regulations.
Periodically, the tax department reviews the tax consequences of fixed asset additions to determine the appropriate treatment. Due to their complexity, all foreign taxes are reviewed by the tax department.

Example control objective: Interest that can be capitalised on financed capital projects is recorded completely and accurately.
All debt and interest expense information is stored in a central repository, including the purpose of the debt:
– the information used to calculate the capitalisation of interest is reviewed by management and matched against the repository; and
– discrepancies are identified, investigated and re-entered.
Example control objective: Capitalised interest is recorded in the proper period.
The finance department generates a report on debt used to finance acquisitions. This report is reconciled by management to the interest capitalised:
– any discrepancies are identified and re-entered.
The interest capitalised is compared against a separate approved budget file. Items that do not match are investigated, corrected and re-entered as necessary on a timely basis.

Example control objective: Capitalised interest is approved.
Significant differences between actual and budgeted capitalised interest are approved.

Example control objective: Capitalisation of payroll costs for services rendered for construction purposes is recorded completely and accurately.
Employees charge hours worked on capital projects to specific time codes. Edit checks lead to the rejection of invalid codes or their storage in a suspense file where they are investigated, corrected and re-entered.
If applicable, the engineering department provides a report on the involvement of employees in capital projects. This report is reconciled by management to the personnel costs capitalised. Any discrepancies are identified and re-entered.
The payroll costs capitalised are matched against a separate approved budget file. Items that are not matched are investigated, corrected and re-entered on a timely basis.

Example control objective: Capitalised payroll is approved.
Significant differences between actual and budgeted capitalised payroll are approved.

Example control objective: Construction-in-progress is input accurately and in the correct period.
There is a one-for-one check between the project status report and the construction-in-progress sub-ledger. Any discrepancies are identified and re-entered. The check occurs again for re-entered data.
Periodically, management reviews the construction-in-progress sub-ledger against the project status reports and budgets to assess the status of projects. Final costs for completed projects are provided for posting to the fixed asset sub-ledger.

Example control objective: Duties are adequately segregated.
Adequate segregation of duties exists between the physical custody of assets, acquisition/disposal approval and finance duties.

Example control objective: Unauthorised input to fixed asset sub-ledgers is prevented and detected.
Potential system control: Access controls such as user IDs and passwords are utilised and specific to each application. Multiple failures to log on invalidate the user ID and are reported via an exception report for investigation by management.
Formal authorisation by the application owner is required for access to the fixed asset sub-ledgers of the system:
– management reviews access rights periodically to ensure only authorised individuals have access and to maintain segregation of duties; and
– discrepancies and exceptions are promptly investigated.

Example control objective: Ability to post to the fixed asset sub-ledger is restricted to authorised users.
Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated.
Potential system control: Attempts to access the system are prevented if access is not authorised.

Depreciation

Example control objective: Information necessary to calculate depreciation (e.g. depreciation rates, estimated useful lives) is recorded in the system completely and accurately.
The fixed asset sub-ledger utilises a standard form to record all relevant information for fixed asset additions. Additions are not accepted without the information necessary to compute depreciation.
Edit checks ensure that the information input to calculate depreciation is reasonable.
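The failed-logon control under "Unauthorised input to fixed asset sub-ledgers is prevented and detected" above (the same control appears in the Accounts receivable, Cash receipting and Masterfile checklists) has two testable parts: the user ID is invalidated after repeated failures, and the event reaches management on an exception report. The block below is an added example for this guide, not the output of any finance package, of building that report from an application's logon log. The log format and the sample lines are constructed. It keys on (application, user ID) because the checklist requires IDs to be specific to each application, and it treats a successful logon after the lock point as its own exception, since that indicates the lockout was not actually enforced.

```python
"""Failed-logon exception report: after max_failures failed logons within the
window the user ID is treated as invalidated, and any successful logon on that
ID afterwards is itself reported (the lockout was not enforced).

Added example; the log format and sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) app=(?P<app>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample log: jdoe trips the threshold and then logs on anyway;
# asmith's failures are either reset by a success or spread outside the window.
SAMPLE_LOG = """\
2013-08-05 09:00:01 app=AR user=jdoe event=LOGIN_FAIL
2013-08-05 09:00:20 app=AR user=jdoe event=LOGIN_FAIL
2013-08-05 09:00:45 app=AR user=jdoe event=LOGIN_FAIL
2013-08-05 09:01:10 app=AR user=jdoe event=LOGIN_OK
2013-08-05 09:05:00 app=AP user=asmith event=LOGIN_FAIL
2013-08-05 09:05:30 app=AP user=asmith event=LOGIN_OK
2013-08-05 10:00:00 app=AP user=asmith event=LOGIN_FAIL
2013-08-05 10:30:00 app=AP user=asmith event=LOGIN_FAIL
2013-08-05 10:31:00 app=AP user=asmith event=LOGIN_FAIL
this line is not in the expected format
"""


def build_exception_report(log_text, max_failures=3, window=timedelta(minutes=15)):
    """Return (report, unparsed_count). report maps (app, user) to the lock
    time, the failure count at that point, and any logons after the lock."""
    failures = {}     # (app, user) -> timestamps of recent failures within the window
    report = {}
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1     # unreadable lines are counted, never silently dropped
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["app"], m["user"])
        if m["event"] == "LOGIN_FAIL":
            recent = [t for t in failures.get(key, []) if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= max_failures and key not in report:
                report[key] = {"locked_at": m["ts"], "failures": len(recent), "logon_after_lock": []}
        else:
            if key in report:
                report[key]["logon_after_lock"].append(m["ts"])   # lockout not enforced
            failures[key] = []      # a successful logon resets the counter
    return report, unparsed


if __name__ == "__main__":
    report, unparsed = build_exception_report(SAMPLE_LOG)
    for (app, user), detail in report.items():
        print(f"{app}/{user}: locked at {detail['locked_at']} after {detail['failures']} failures;"
              f" logons after lock: {detail['logon_after_lock']}")
    print(f"unparsed lines: {unparsed}")
```

The unparsed-line count belongs on the report as well: a logging change that breaks the parser would otherwise produce an empty report that looks like a clean period.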
Potential system control: Invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered on a timely basis.

Example control objective: Property, plant and equipment accounts have an assigned depreciation rate.
Useful lives and other information are standardised:
– management reviews system reports on changes to depreciation rates and methods. Changes not in compliance with policies are identified and corrected.
Potential system control: Program limits and reasonableness checks identify deviations from these standards, which are investigated and re-entered if appropriate.

Example control objective: Fixed assets are depreciated appropriately.
Management performs reasonableness tests of depreciation expenses. Results that are outside an expected range are investigated and corrected as necessary.

Example control objective: Fixed assets are depreciated appropriately and correct postings are made to accumulated depreciation, depreciation expense and the general ledger.
Management reviews periodic reports and compares them to budgets or other data for reasonableness of depreciation charges by category of asset, location or division. Discrepancies are followed up and corrected as necessary.

Example control objective: Information necessary to calculate the depreciation expense (e.g. depreciation rates, estimated useful lives) is approved.
The methods of fixed asset depreciation are formally documented, approved and consistently applied through manual or system processes.

Asset valuation and stocktakes

Example control objective: All fixed asset accounts are tested for valuation issues on a timely basis.
Significant fixed asset accounts are reviewed quarterly by management for impairment, including an assessment of current and future utilisation.

Example control objective: All damaged or idle fixed assets are assessed for impairment.
Periodic physical inspections of fixed assets and construction-in-progress are compared to manually or system recorded data:
– discrepancies are investigated, corrected and reprocessed as necessary on a timely basis.

Example control objective: All construction-in-progress projects are assessed for impairment.
Appropriate reports are prepared for all construction-in-progress projects. Regular on-site meetings are held by management to identify and assess valuation issues.

Example control objective: Appropriate information is used to calculate the impairment.
The information needed for fixed asset valuation is formally documented in accordance with policies. A one-for-one check between all source documents and information recorded in the fixed asset sub-ledger occurs:
– any discrepancies are identified and re-entered. The check occurs again for re-entered data.

Example control objective: Valuation calculations/recordings are approved.
Significant impairments require management approval to be processed:
– on a quarterly basis, management reviews all impairments.

Example control objective: Ability to post to the fixed asset sub-ledger is restricted to authorised users.
Incompatible functions and related duties are subject to regular review by management. Discrepancies and exceptions noted are promptly investigated.
Potential system control: Attempts to access the system are prevented if access is not authorised.

Asset disposals

Example control objective: All disposals are completely and accurately input for processing.
Fixed asset disposal documents are sequentially pre-numbered and accounted for:
– those with custody over fixed assets regularly report the disposals/retirements of fixed assets under their custody to the finance department using these pre-numbered forms.
Periodic physical counts of fixed assets are compared to the fixed asset register.
Differences to the information in the sub-ledger/fixed asset ledgers are identified and investigated and, when applicable, the ledger is corrected. Refer to the stocktake procedures above.

Example control objective: Periodic updates for batch processing are appropriately executed.
For systems where disposals are input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete. Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post-input/update reports. All out-of-balance conditions are investigated and re-entered on a timely basis.

Example control objective: Information that is used to calculate asset disposals/retirements is complete and accurate.
The fixed asset sub-ledger utilises a standard form to record all relevant information for fixed asset disposals:
– disposals are not accepted without the information necessary to process the impact of the disposal.
Potential system control: Edit checks ensure that the information input to calculate the disposal is complete:
– invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered on a timely basis.

Example control objective: Net proceeds/costs associated with asset retirement are recorded accurately.
A one-for-one check between disposal source documents (i.e. cash proceeds, removal costs, etc.) and the disposal form in the fixed asset system occurs:
– any discrepancies are identified and re-entered. The check occurs again for re-entered data.

Example control objective: Correct postings are made to fixed assets, accumulated depreciation and the general ledger.
A one-for-one check occurs to ensure that the fixed asset to be disposed of per the approved disposal request matches the fixed asset removed from the fixed asset ledger, that the correct related accumulated depreciation is removed and that the net amount is booked to gain or loss on disposal, including a check of the date removed from service.

Example control objective: Disposals/retirements of fixed assets are approved.
Those with custody over fixed assets have to obtain approval from management before they process a fixed asset for disposal/retirement.

Example control objective: Recordings of disposals/retirements of fixed assets are approved.
Management reviews and approves monthly reports on disposals/retirements generated by the finance department.

Example control objective: Duties are adequately segregated.
Adequate segregation of duties exists between the physical custody of assets, acquisition/disposal approval and finance duties.

User guide to Standing Direction 4.1
Direction requirement 22
Internal financial management reporting

Introduction

The Standing Directions of the Minister for Finance (the Directions) require that agencies implement and maintain internal financial reporting that is timely, accurate, appropriate and effective. The reports should provide strong financial analysis and are to be used to support management decision making and broader operations.

A number of specific requirements are outlined under Direction 4.1, including that:
– an agency must identify its financial management information requirements;
– financial management reports must be presented to the Responsible Body;
– the CFAO must sign off on financial management reports; and
– financial systems must support internal financial management reporting.

This supplementary material provides guidance in relation to each of the specific requirements for internal financial reporting as outlined in Direction 4.1.
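The batch control totals described under asset disposals above (document count, dollar amount and hash totals compared against the post-input/update report, with every out-of-balance condition flagged for investigation), worked through as an added example that is not code from the user guide. The disposal forms, asset IDs and amounts are constructed sample data, and the hash total is taken over the pre-numbered form numbers, which is an assumption about which field the guide's hash totals cover.

```python
"""Batch control totals for a fixed-asset disposal input batch.

Added illustration, not text or code from the user guide. Input documents are
grouped and numerical totals calculated (number of documents, dollar amount,
hash total), then compared with the totals of the post-update report; each
control total that disagrees is reported for investigation. The disposal forms,
asset IDs and amounts are constructed sample data, and the hash total is taken
over the pre-numbered form numbers (an assumption about which field it covers).
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class DisposalDoc:
    form_no: int        # sequentially pre-numbered disposal form
    asset_id: str       # asset being removed from the fixed asset register
    proceeds: Decimal   # net proceeds (negative where removal costs exceed proceeds)


@dataclass(frozen=True)
class BatchTotals:
    count: int          # number of documents in the batch
    amount: Decimal     # dollar total of the batch
    hash_total: int     # sum of form numbers: meaningless as a figure, useful as a check


def batch_totals(docs):
    """Compute the three control totals for a batch of disposal documents."""
    return BatchTotals(
        count=len(docs),
        amount=sum((d.proceeds for d in docs), Decimal("0.00")),
        hash_total=sum(d.form_no for d in docs),
    )


def out_of_balance(input_docs, posted_docs):
    """Compare input-batch totals with post-update totals.

    Returns a description of each control total that does not agree; an empty
    list means the batch is in balance. A hash-total mismatch on its own shows
    that a wrong document was processed (e.g. a mis-keyed form number) even
    though the document count and dollar amount still agree.
    """
    before, after = batch_totals(input_docs), batch_totals(posted_docs)
    failures = []
    if before.count != after.count:
        failures.append(f"document count {before.count} != {after.count}")
    if before.amount != after.amount:
        failures.append(f"dollar amount {before.amount} != {after.amount}")
    if before.hash_total != after.hash_total:
        failures.append(f"hash total {before.hash_total} != {after.hash_total}")
    return failures


def sequence_gaps(docs, first_form_no, last_form_no):
    """Pre-numbered forms must be accounted for: list form numbers missing from the range."""
    present = {d.form_no for d in docs}
    return [n for n in range(first_form_no, last_form_no + 1) if n not in present]


# Constructed input batch of four disposal forms (not real data).
INPUT_BATCH = (
    DisposalDoc(501, "FA-1001", Decimal("1200.00")),
    DisposalDoc(502, "FA-1002", Decimal("0.00")),     # scrapped, no proceeds
    DisposalDoc(503, "FA-1003", Decimal("350.50")),
    DisposalDoc(504, "FA-1004", Decimal("-75.00")),   # removal costs exceeded proceeds
)

# Post-update report with form 503 dropped: count, amount and hash total all disagree.
POSTED_MISSING_DOC = tuple(d for d in INPUT_BATCH if d.form_no != 503)

# Post-update report where form 504 was keyed as 540: only the hash total disagrees.
POSTED_MISKEYED = INPUT_BATCH[:3] + (DisposalDoc(540, "FA-1004", Decimal("-75.00")),)


if __name__ == "__main__":
    print("input totals:", batch_totals(INPUT_BATCH))
    for label, posted in (("identical", INPUT_BATCH),
                          ("missing document", POSTED_MISSING_DOC),
                          ("mis-keyed form number", POSTED_MISKEYED)):
        print(f"{label}: {out_of_balance(INPUT_BATCH, posted) or 'in balance'}")
    print("forms not accounted for:", sequence_gaps(POSTED_MISSING_DOC, 501, 504))
```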
The purpose of internal financial management reporting

Internal financial management reporting should take the ‘pulse’ of an agency and provide management with the information required to support effective, timely decision making. Internal financial management reporting should assist with:
– early identification of potential problems through the use of performance measures, trend analysis, forecasting, benchmarks, etc.;
– data-driven decision making, i.e. information and measures to assist management in decision making processes;
– quality improvement programs, based on clear identification of areas for improvement that align with business plans across the agency; and
– allocation of responsibilities/accountabilities.

In substance, the fundamental objective is to provide a clear and common understanding of ‘What has happened?’ so that management can focus their efforts on ‘What does this mean?’ and ‘What do we need to do?’

While the focus of this guidance material is on internal financial management reporting, an effective suite of management reports requires a balance of financial, operating, and risk and control indicators, as these are essential to the holistic monitoring of agency performance.

Note: for further detail please refer to the material for Direction 4.4 Financial performance management and evaluation (KPIs).

Good practice reporting

Internal reporting requirements depend on the nature of the agency’s business, the operational and strategic drivers, and the expectations of management and the Responsible Body. Internal management reporting should consistently reflect and align with strategic objectives and only provide key information that drives an agency’s performance in achieving business objectives. The table below provides some good practice principles for internal reporting.

1. Reports fulfil business needs
Internal financial management reports should be developed to meet an agency’s financial management reporting requirements, to:
– understand agency strategy (e.g. improve resource utilisation);
– identify which factors are critical to the achievement of the strategy (e.g. manage resource expenditure);
– identify impacts on these factors (e.g. overtime);
– identify which of these factors can be controlled by the agency; and
– assess which factors to report (based on significance, degree of control, etc.).
Consider:
– whether the benefit derived from reports exceeds the cost of producing the report;
– using existing measurement/reporting frameworks to streamline the process; and
– the example pulse questions below to check whether reports will meet requirements.
Pulse questions:
– Are we on track? To manage the day-to-day operations as appropriate.
– Will we deliver the strategy? To monitor and track progress against organisational priorities and the strategic plan.
– Is the performance optimal? To manage the internal control environment, and the efficiency and effectiveness of operations.
– What do we need to change to make it right? To implement corrective actions, e.g. resource re-allocation.

2. Reports are clear and relevant
Ensure reports:
– contain clear and concise information that is usable, digestible and has widely accepted definitions;
– include useful information that is relevant to the users and represents the reality of the business; and
– have appropriate measures that are presented clearly through tables, graphics, text, numbers, etc.

3. Reports are accurate, reliable and timely
Reports should:
– be valid, reliable, dependable and free from error and bias, by using data sources that are reliable and accurate;
– use information that is current to ensure timely reporting; and
– enable informed and effective decision making in a timely manner.
Processes should be developed to ensure sufficient time for the preparation, review and distribution of reports, e.g. develop an annual reporting timetable with timelines and responsibilities.

4. Reports are complete and consistent
Financial information must be consistent and complete to ensure reliability and allow for comparability over time and across financial periods. Measurement processes should be applied to enable consistency over time for quality analysis and assurance purposes. An adequate audit trail for the production of reports should be kept to detail changes made and comparisons to the underlying financial systems.

5. Reports comment, evaluate and compare
Financial reports must include commentary to evaluate and compare results. Results can be compared across time periods, across different agencies and/or portfolios; comparisons should be appropriate to ensure relevancy. Evaluations can take into account variations that are seasonal or cyclical. Comments can be structured using Cause, Impact and Action, for example:
Cause: What happened and how did it happen?
– The result.
– The financial/non-financial outcome affecting the result.
– The main driver causing the outcome.
Impact: What is the result to our expected/planned benefit?
– The impact on the financial/non-financial benefit?
– The impact of the benefit into the future?
– The impact on our expectations of the benefit?
Action: What are we doing as a result and who is charged with it?
– The decision required to take action?
– The action taken to mitigate the risk or maximise the opportunity.

Representing financial information graphically can assist report users in ‘digesting’ the information presented. Where it is inappropriate to present large volumes of financial information in a graph, the application of a few simple principles can help to draw attention to the key areas of interest. The example below demonstrates that rounding to $’000s helps users to digest numbers more easily, and that attention is drawn to variance analysis through the use of a traffic light system, i.e. the use of colours and arrows to indicate financial movements.

Statement of financial position ($’000)

                              |            Month                |           Full year
Income                        | Actual | Budget | Variance      | LY variance | Budget | Forecast
Grant income                  |  1 233 |  1 800 |   (567) ▼     |     333 ▲   | 21 600 |  14 796
Onshore student income        |    303 |    300 |      3 ▲      | (1 000) ▼   |  3 600 |   3 636
Offshore student income       |    700 |    100 |    600 ▲      |     150     |  1 200 |   8 400
Other fees and charges        |    466 |    577 |   (111) ▼     |     100     |  6 924 |   5 592
Total student related income  |  2 702 |  2 777 |    (75) ▼     |   (417) ▼   | 33 324 |  32 424

Meeting good practice

The checklist below can be used to assist in assessing whether an agency’s internal financial management reports are meeting requirements and good practice.

Question in consideration of good practice                                                   | Considered?
What information is being reported? e.g. income, expenditure, safety indicators, enrolment information, etc. |
How is it being reported? e.g. tabular, graphical, textual, numerical, etc.                  |
When is it being reported? e.g. daily, weekly, monthly, annually; is there a report timetable in place? |
To whom is it being reported? e.g. manager, senior managers, portfolio heads, etc.          |
What decision making does it support? e.g. daily operational decision making, strategic planning, etc. |
Who is involved in the production of the report? e.g. finance                                |
What resources are required? Is there reliable data available? e.g. time taken to produce reports/how complex is it/is the time and effort worth it? |
Who owns the report? e.g. finance                                                            |
User guide to Standing Direction 4.2
Direction requirement 23
Reporting in terms of Part 7 of the FMA

Introduction

The Standing Directions of the Minister for Finance (the Directions) require agencies to develop procedures for the timely and accurate preparation of reports to ensure compliance with Part 7 of the Financial Management Act 1994 (FMA). The FMA requires agencies to submit:
– an annual report with a number of specific requirements; and
– financial information for the purposes of meeting the State’s Consolidated Financial Reporting requirements.

Procedures for FMA reporting

To comply with the Directions, agencies must ensure there are procedures in place to support the implementation of Part 7 of the FMA. Procedures should consider:
– tasks to be completed to meet the requirements;
– identification of appropriate resources;
– responsibilities for tasks (at a role level);
– approval processes across the agency; and
– timelines that ensure requirements are met and appropriate approvals have been obtained.

Annual report

The annual report is the medium through which agencies discharge their accountability to Parliament, government and the Victorian public. The FMA requires an annual report to consist of:
– a Report of Operations; and
– Financial Statements.

The information provided in relation to an agency’s finances, performance, operations and other general details is valuable information that is used for planning and resource utilisation decisions.

Report of Operations

The Report of Operations provides users of financial statements with general information about the entity and its current and future activities (by providing qualitative and quantitative information) and other relevant information that is not included in the financial statements. This report is to be prepared in accordance with the requirements of the Financial Reporting Directions, and presented in accordance with the guidelines contained in the Model Report for Victorian Government Departments, as issued annually by the Department of Treasury and Finance.

Government departments are also required to include in the unaudited section of the annual report a comparison between their portfolio financial statements published in Budget Paper No. 4 and actual results for the portfolio for the corresponding financial year. This is known as ‘Budget Portfolio Outcomes’ and must be presented as a set of financial statements in the same format and on the same consolidation basis as those prepared for the agency.

The Report of Operations must be signed and dated by the Accountable Officer in the case of a government department or, in the case of any other agency, by a member of the Responsible Body.

Financial statements

The financial statements must be prepared in accordance with:
– Australian accounting standards and interpretations (AASs), which include Australian equivalents to International Financial Reporting Standards;
– Financial Reporting Directions; and
– business rules.

Consistent with professional accounting requirements, the financial statements are to comprise the following:
– comprehensive operating statement;
– balance sheet;
– statement of changes in equity;
– cash flow statement; and
– notes to the financial statements.

The financial statements are to be signed and dated by the Accountable Officer, the CFAO and a member of the Responsible Body, stating that the financial statements have been presented fairly, in accordance with applicable Financial Reporting Directions and applicable accounting standards.

Model Report

Each year the Department of Treasury and Finance issues a Model Report to assist agencies with the planning and preparation of their FMA reporting requirements. The Model Report is available on the Department of Treasury and Finance website (www.dtf.vic.gov.au).

Consolidated financial reports for the State

Financial Reports for the State of Victoria are key elements of the government’s financial reporting framework. The FMA requires agencies to submit financial information for the preparation of quarterly, mid-year and annual Consolidated Financial Reports for the State. The information is submitted to the Department of Treasury and Finance through the State Resource and Information Management System.

Quarterly financial reporting and mid-year financial reporting were introduced in the 2000-01 financial year, following the introduction of amendments to the Financial Management Act 1994. The reporting framework is a key component of the government's commitment to openness and accountability in financial management.

User guide to Standing Direction 4.3
Direction requirement 24
Other external reporting

Introduction

The Standing Directions of the Minister for Finance (the Directions) require agencies to ensure all other external reporting requirements are met through the development of procedures. The procedures should also ensure other external reports are completed in a timely and accurate manner. External reports must:
– be identified by the agency to ensure all external reporting requirements are met;
– be delivered completely, accurately and in a timely manner; and
– be reviewed by the CFAO or delegate prior to release.

Procedures for other external reporting

To comply with the Directions, agencies must ensure there are procedures in place to support the implementation of other external reporting requirements. Procedures should consider:
– tasks to be completed to meet the requirements;
– identification of appropriate resources;
– responsibilities for tasks (at a role level);
– approval processes across the agency; and
– timelines that ensure requirements are met and appropriate approvals have been obtained.

The strategic management framework

The strategic management framework (SMF)[45] provides a guide for departments and agencies on best practice approaches to core management processes. The framework is structured around six core elements: analyse, plan, allocate resources, implement and monitor, evaluate, and report. It describes key activities to integrate and align strategic priority setting and planning with resource allocation, service and asset delivery implementation and monitoring, and evaluation and reporting.

The key objectives of the SMF are to ensure that:
– key activities and processes are stable and certain;
– management activities are not focused on seeking new resources to the detriment of focusing on the efficient and effective use of existing resources; and
– quality financial and non-financial performance information from departments and agencies informs government decision making and policy approaches.

[Diagram: the SMF cycle, made up of the elements Analyse, Plan, Allocate resources, Implement and monitor, Evaluate, and Report.]

Please refer to the DTF website for further information (www.dtf.vic.gov.au).

[45] Internal financial management reporting is a critical process for the efficient and effective management of departments and agencies and a key component of the SMF.
User guide to Standing Direction 4.4
Direction requirement 25
Financial performance management and evaluation

Introduction

The Standing Directions of the Minister for Finance (the Directions) require that agencies develop appropriate financial management performance indicators and monitor performance against these to identify key statistics and trends for use in management decision making.

The Directions outline a number of specific requirements, under Direction 4.4, for financial key performance indicators (KPIs), including that KPIs:
– must be developed by the Responsible Body working with management, including the Chief Financial Accounting Officer (CFAO) and the Accountable Officer;
– must be designed to measure and monitor the financial management performance of the public sector agency;
– must be measured, monitored and reported against on a regular basis (at least quarterly, unless the financial KPI is an annual measure) to the Responsible Body; and
– are implemented by the Responsible Body with procedures to ensure they are monitored.

This material provides guidance in relation to developing an agency’s internal KPIs to assist in monitoring financial performance. It is designed to assist agencies in considering, designing and developing the types of KPIs that may be appropriate for their agency activities. This material relates specifically to financial KPIs only and does not include the overall KPIs required for annual performance reporting.

This material includes the following information:
– performance management and KPIs;
– purpose of KPIs;
– types of KPIs;
– KPI development and design;
– KPI characteristics;
– implementation of KPIs; and
– examples of KPIs relating to:
  – revenue;
  – expenditure;
  – cash handling;
  – investments; and
  – liabilities.

Performance management and KPIs

Performance management is a combination of approaches, measures, processes and systems that organisations use to monitor and manage their performance. KPIs are a fundamental component of performance management that communicate strategic goals across the agency. KPIs can be used across all levels of an organisation, from business plans at divisional/department levels to individual employee work programs and activities. An organisation can use KPIs from across the different areas and levels to align and feed into overall strategic organisational measures.

Well defined KPIs can be monitored to measure how effectively the overall organisation strategy is being implemented (‘strategy to execution’) and will also provide a mechanism that allows early action to be taken if issues arise (‘opportunity for action’).

Performance management cycle

A typical performance management cycle is depicted in the diagram below. The initial step is to define the key business drivers for the agency. Steps 2 and 3 consider the design and development of KPIs. The collation and recording of data (as per Step 4) for KPI monitoring typically provides a challenge for agencies, though this is less of an issue for financial KPIs, which are usually sourced from the core financial systems. The performance management cycle uses the reporting results (from KPI monitoring and reporting) as a basis to assess the need for change and implement it as required. It also analyses the results (Steps 6 and 7) to consider the reward for successful achievement of goals.

Diagram of a performance management cycle (the diagram labels its segments Planning, Business analytics and Reporting):
1. What are the key business drivers in the agency strategy?
2. How is the strategy translated into KPIs?
3. How is KPI progress measured?
4. What data and systems are available to collate information for management?
5. How can the data be used to implement sustainable change?
6. How are individuals and agencies rewarded for achieving their KPIs?
7. How are set budgets compared with actual results?

Purpose of KPIs

KPIs provide a means for monitoring agency performance, and for understanding how effective and efficient the agency is in achieving its objectives and desired outcomes. KPIs are a way for an agency to effectively establish measures and monitor progress for the following overall organisational questions:
– Where do we want to be?
– How will we know when we get there?
– What are we doing to get there?

KPIs that are designed to support the overall strategic objectives of an organisation represent its ‘vital signs’. When part of a comprehensive system of measures implemented across an organisation, KPIs inform the CFAO, management, the governing body and employees of what and how they are progressing towards achieving overall agency objectives.

Types of KPI

There are a number of different categories into which KPIs can be grouped. These include:
– Financial: focus on financially driven measures. It is this category of KPI that is the focus of Direction 4.4 and for which illustrative examples of potential indicators are included in this supplementary material (for revenue/receivables, expenditure/accounts payable and cash receipting).
– Stakeholder: focus on service to, and satisfaction of, the various stakeholders who are impacted by the agency’s activities. This could include response times or service satisfaction levels.
– Process: target the key processes or activities that allow an agency to meet its strategic objectives and are operational in nature.
– People: focus on the recruitment, development, appraisal and retention of staff within the agency.

KPIs developed and implemented across all agency activity areas using these different categories provide a balanced and comprehensive view of expectations, outcomes and activities that can be monitored and reported against.

KPI development and design

The process for designing and implementing effective KPIs commences with consideration of an agency’s strategy, vision and goals, as well as the drivers that support those goals. The link to strategy is achieved most effectively by starting at the strategy level and moving to the task and activity level (rather than the other way). Using the agency’s strategy, vision and goals, KPIs are identified with defined metrics. The annual budget process provides a good opportunity to identify KPIs and targets each year.

Once KPIs are defined it is important to ensure processes are in place to collect data for the monitoring of the KPI. Indicators and metrics can be incorporated into a single source, e.g. a scorecard, to input and collate data for tracking KPIs. A scorecard of indicators provides an effective tracking device for:
– financial and non-financial performance;
– short-term and long-term performance; and
– lag measures (which represent past performance) and lead measures (which indicate future performance).

Once initial KPIs are established, agencies should consider the process for reviewing and revising KPIs. The process should be efficient and well controlled and may take into account the use of appropriate technology and software for performance management to help achieve this.

Process for developing KPIs

The diagram below illustrates the process for developing KPIs, monitoring and reporting activities.

[Diagram: Define strategy → Identify KPIs → Define metrics/scorecards → Develop data collection processes → Report metrics. The budgeting process should incorporate targets for KPIs.]

KPI characteristics

To be meaningful and effective, performance indicators should be ‘SMART’. The table below outlines the characteristics of ‘SMART’ KPIs:
– Specific: linked to a specific desired outcome or goal that is clearly defined and understood, e.g. accelerate the cash collections cycle.
– Measurable: capable of being measured in a timely and efficient manner.
– Action oriented: linked to the desired actions that are expected of the people being measured.
– Realistic: based on facts and agreed targets; should be achievable.
– Time-bound: refers to how frequently the KPI should be measured and reported, e.g. will the KPI be reported weekly, monthly, quarterly or yearly?

Implementation of KPIs

Public sector agencies must develop, measure, monitor, evaluate and report against financial KPIs. Ultimately, financial KPIs are tailored to an agency’s business and assist management in strategic planning and resource allocation. KPIs can also provide information from ongoing activities to assist in highlighting instances where corrective action is required on a timely basis. CFAOs should not take KPI results as just a static ‘point in time’ measure. The results should be analysed in the context of their overall trend, generally across three to five periods.

The checklist below provides an overall guide in relation to developing KPIs.

KPI checks | Included
– Is there a clear link between portfolio level goals and/or government level goals/aspirations and agency level desired outcomes and services?
– Does the KPI enable assessment of service delivery by key stakeholders, including portfolio departments?
- Does the KPI assist CFAOs in strategic planning and resource allocation, and highlight instances where corrective action is required on a timely basis?
- Is the KPI comparable with similar agencies?
- Can data be readily collected and reported against the indicator when required?
- Have the KPIs been endorsed by the CFAO?

This supplementary material sets out a number of illustrative KPIs across the following financial processes: revenue; expenditure; cash receipting; investments; and liabilities. The KPIs provided are examples only and are not a complete list of all possible KPIs. Other suitable financial KPIs may also exist. The material should be used as a guide to assist the agency to select KPIs which are specific to its business, in order to provide meaningful information to management.

Example KPIs relating to revenue/receivables

Revenue

KPI: Revenue growth
Description: This KPI measures the percentage growth in revenue for the current period.
Objective: To ensure that revenue growth is in line with the target set by the agency.
KPI calculation: (Current period revenue – prior period revenue)/prior period revenue.
Example target: Revenue growth to be greater than or equal to xx per cent.

KPI: Actual revenue vs budgeted revenue
Description: This KPI measures the variance between actual and budgeted revenue.
Objective: To ensure that actual vs budget meets the internal targets set by the agency, and to improve forecasting.
KPI calculation: (Actual revenue – budgeted revenue)/budgeted revenue.
Example target: Actual revenue to deviate from forecast revenue by xx per cent.

KPI: Operating margin
Description: This KPI measures the percentage of revenue which converts into operating income.
Objective: To ensure that the share of each dollar of revenue that translates into operating income (a profitability measure) is in line with the targets set by the agency.
KPI calculation: (Total operating revenue – total operating expenditure)/revenue.
Example target: Operating margin to be greater than or equal to xx per cent.

KPI: Significant revenue items as a percentage of total revenue
Description: This KPI measures significant revenue items as a percentage of total revenue (e.g. premiums).
Objective: To ensure that significant revenue items as a percentage of total revenue are in line with the target set by the agency.
KPI calculation: Revenue for the specific revenue item/total revenue.
Example target: The total significant revenue items as xx per cent of total revenue or lower (direction).

KPI: Grant monies as a per cent of total revenue
Description: This KPI measures the percentage contribution that grant monies make to overall revenue.
Objective: To ensure that grant monies as a percentage of revenue are in line with the target set by the agency.
KPI calculation: Total grant monies/total revenue.
Example target: Total grant monies as a percentage of revenue is in line with the target set by the agency by xx per cent.

Revenue – accounts receivable

KPI: Accounts receivable (AR) cost as a percentage of total revenue
Description: This KPI measures the AR processing cost as a percentage of total revenue.
Objective: To ensure that the cost of AR processing as a percentage of total revenue is in line with the target set by the agency.
KPI calculation: Total AR processing cost/total revenue.
Example target: The total cost of AR processing as xx per cent of total revenue or lower/higher (direction).

KPI: Ageing of receivables
Description: This KPI measures the spread of receivables across each ‘days outstanding’ tranche, e.g. 30 days, 60 days or 90 days. Lead indicator for bad debts.
Objective: To monitor the ageing of receivables on a regular basis.
KPI calculation: n/a
Example target:
Tranche 1 (xx days): xx per cent
Tranche 2 (xx days): xx per cent
Tranche 3 (xx days): xx per cent

KPI: Total cost of the AR function as a percentage of sales
Description: This KPI measures the cost of an agency’s accounts receivable function as a percentage of total sales.
Objective: To ensure that the cost of the AR function as a percentage of total sales is in line with the target set by the agency.
KPI calculation: Total AR cost/total sales.
Example target: The total cost of the AR function as xx per cent of total sales or lower/higher (direction).

Revenue – bad debts

KPI: Creditworthiness of customers
Description: This KPI measures the creditworthiness of customers. Lead indicator for bad debts.
Objective: To ensure that the provision for bad debts is appropriate and to manage the number of receivables that ‘go bad’.
KPI calculation: Total number of customers with a credit rating of > xx/total number of customers.
Example target: The per cent of customers with a credit rating of xx or higher is xx per cent.

KPI: Bad debts as a per cent of accounts receivable
Description: This KPI measures the percentage of receivables not recovered by the entity, i.e. receivables that have ‘gone bad’.
Objective: To minimise bad debts as a per cent of receivables.
KPI calculation: Total bad debts/total receivables.
Example target: Bad debts as a per cent of total receivables is less than or equal to xx per cent.

KPI: Bad debts as a per cent of sales
Description: This KPI measures the receivables not recovered by the entity, as a percentage of sales.
Objective: To minimise bad debts as a per cent of sales.
KPI calculation: Total bad debts/total sales.
Example target: Bad debts as a percentage of total sales is less than or equal to xx per cent.
KPI: The provision for bad debts greater than xx days outstanding
Description: This KPI measures the receivables which may not be recovered by the entity as a percentage of receivables which are greater than xx days outstanding. This may indicate when the provision for bad debts is understated.
Objective: To minimise bad debts as a percentage of receivables. Lead indicator for bad debts.
KPI calculation: Total provision for bad debts/total average receivables > xx days outstanding.
Example target: The provision for bad debts as a per cent of total receivables > xx days is consistently xx per cent.

Example KPIs relating to expenditure/payables

Expenditure

KPI: On-time payment percentage
Description: This KPI measures the percentage of invoices paid on time (within invoice terms).
Objective: To maximise the frequency of on-time payment.
KPI calculation: Total invoices paid on time/total invoice payments.
Example target: The on-time payment percentage is xx per cent or higher.

KPI: AP turnover days
Description: This KPI measures how long it takes to pay the vendor once the liability is established.
Objective: To ensure that AP turnover days are in line with the targets set by the agency.
KPI calculation: Average AP balance/total purchase costs x 360 days.
Example target: The AP turnover days is in line with the target set by the agency by xx per cent.

KPI: Ageing of payables
Description: This KPI measures the spread of payables across each ‘days outstanding’ tranche, e.g. 30 days, 60 days or 90 days. This allows improved visibility over cash flow.
Objective: To monitor the ageing of payables on a regular basis. Lead indicator for on-time payments.
KPI calculation: n/a
Example target:
Tranche 1 (xx days): xx per cent
Tranche 2 (xx days): xx per cent
Tranche 3 (xx days): xx per cent

KPI: YTD expenditure to budgeted expenditure
Description: This KPI measures the deviation of year-to-date (YTD) expenditure from budgeted expenditure.
Objective: To ensure that YTD expenditure does not deviate significantly from budgeted expenditure, and to improve forecasting.
KPI calculation: (YTD expenditure – budgeted expenditure)/budgeted expenditure.
Example target: Variance between actual and budgeted expenditure is xx per cent or lower.

KPI: Total wages expense to budgeted wages expense
Description: This KPI measures the deviation of actual wages expenditure from budgeted wages expenditure.
Objective: To ensure that total actual wages expense does not deviate significantly from budgeted wages expense, and to improve forecasting.
KPI calculation: (Total wages expenditure – budgeted wages expenditure)/budgeted wages expenditure.
Example target: Variance between actual and budgeted wages expenditure is xx per cent or lower.

KPI: Total project expense to total budgeted/approved expense
Description: This KPI measures the deviation of total project expenditure from budgeted/approved project expenditure.
Objective: To ensure that total project expense does not deviate significantly from budgeted (approved) project expense, and to improve forecasting.
KPI calculation: (Total project cost – total budgeted/approved project cost)/total budgeted/approved project cost.
Example target: Variance between actual and budgeted/approved project expenditure is xx per cent or lower.

KPI: Overtime as a percentage of wages
Description: This KPI measures overtime expense as a percentage of total wages expense.
Objective: To ensure that the per cent of overtime in total wages is in line with the target set by the agency.
KPI calculation: Total overtime expense/total wages expense.
Example target: The overtime expense as xx per cent of wages or lower.

KPI: Total wages expense to total expenditure
Description: This KPI measures total wages expense as a percentage of total expenditure.
Objective: To ensure that total wages expenditure as a per cent of total expenditure is in line with the target set by the agency.
KPI calculation: Total wages expenditure/total expenditure.
Example target: The total wages expense as xx per cent of total expenditure or lower.

KPI: Total contractors expense to total expenditure
Description: This KPI measures total contractors expense as a percentage of total expenditure.
Objective: To ensure that total contractors expenditure as a percentage of total expenditure is in line with the target set by the agency.
KPI calculation: Total contractors expenditure/total expenditure.
Example target: The total contractors expense as xx per cent of total expenditure or lower.

KPI: Foreign exchange gains or losses
Description: This KPI measures foreign exchange gains or losses as a percentage of total expenditure.
Objective: To ensure that gains or losses resulting from exposure to changes in foreign exchange rates are within the tolerance thresholds set by the agency. Also measures the effectiveness of the management of FX risk (realised and unrealised).
KPI calculation: Total gains or losses related to expenditure/total expenditure.
Example target: The total gains or losses are within xx per cent to xx per cent of total expenditure.

KPI: Significant expense items as a percentage of total expenditure
Description: This KPI measures significant expense items as a percentage of total expenditure (e.g. claims).
Objective: To ensure that significant expense items as a percentage of total expenditure are in line with the target set by the agency.
KPI calculation: Total expense (for the specific expense item)/total expenditure.
Example target: The total significant expense items as xx per cent of total expenditure or lower (direction).
Example KPIs relating to cash receipting

Cash

KPI: Proportion of cash payments made via electronic means
Description: This KPI measures cash receipts processed electronically as a proportion of total cash receipts.
Objective: To maximise the efficiency of cash receipt processing through the use of technology, for example internet banking.
KPI calculation: Number of cash receipts paid electronically/total number of cash receipts.
Example target: The number of cash receipts processed electronically is xx per cent of total cash receipts or higher.

Cash – petty cash

KPI: Petty cash disbursements
Description: This KPI measures petty cash disbursements as a percentage of total cash disbursements.
Objective: To ensure that petty cash disbursements are in line with internal requirements (policies and procedures) as set by the agency.
KPI calculation: Total petty cash disbursements/total cash disbursements.
Example target: Petty cash requests should be less than or equal to xx per cent.

Cash – liquidity

KPI: Current ratio (working capital ratio)
Description: This KPI measures an agency’s ability to cover its short-term liabilities with its current assets.
Objective: To ensure that the current ratio complies with the target set by the agency.
KPI calculation: Current assets/current liabilities.
Example target: The current ratio is xx or higher.

KPI: Quick (acid test) ratio
Description: This KPI measures an agency’s ability to cover its short-term liabilities with its most liquid assets.
Objective: To ensure that the quick ratio complies with the target set by the agency.
KPI calculation: (Current assets – inventory)/current liabilities.
Example target: The quick ratio is xx or higher.

KPI: Debt as a percentage of net working capital
Description: This KPI measures the liquidity of an agency.
Objective: To ensure that the working capital ratio complies with the target set by the agency.
KPI calculation: Long term debt (excluding current portion)/net working capital.
Example target: Ratio is xx or lower.

KPI: Debt/capital ratio
Description: This KPI measures the leverage of an agency.
Objective: To ensure that the debt to capital ratio complies with the target set by the agency.
KPI calculation: Long term debt (excluding current portion)/total invested capital.
Example target: Ratio is xx or lower.

KPI: Debt refinancing for the upcoming quarter
Description: This KPI measures the amount of debt which requires refinancing within the next quarter, which will impact on an agency’s cash flow.
Objective: To ensure that debt obligations are monitored and managed, given their direct impact on the availability of cash.
KPI calculation: Total dollar value of debt expiring within the upcoming quarter.
Example target: Total value of debt is xx or lower.

Cash – cash flow

KPI: Total cash flow to budget
Description: This KPI measures cash flow. Lead indicator of solvency.
Objective: To ensure that total cash flow is in line with the budgeted operating cash flow requirements as set by the agency.
KPI calculation: Total cash flow actuals/total cash flow budget.
Example target: Total cash flow actuals to budget is within xx per cent to xx per cent.

KPI: Operating cash flow (OCF) growth
Description: This KPI measures the OCF growth over a given period. Lead indicator of solvency.
Objective: To ensure operating cash flow growth meets the internal target set by the agency.
KPI calculation: (OCF current period – OCF prior period)/OCF prior period.
Example target: OCF growth to be equal to or greater than xx per cent.

KPI: Net change in cash
Description: This KPI measures the change in cash and cash equivalents within a period.
Objective: To ensure that significant changes in cash and cash equivalents are monitored.
KPI calculation: Cash and cash equivalents at period end – cash and cash equivalents at the beginning of the period.
Example target: Movement in cash and cash equivalents is within +/-$xx or +/-xx per cent.

Cash – invoice processing

KPI: Cash collections cycle
Description: This KPI measures the average number of days required to collect cash from sales.
Objective: To ensure the cash collections cycle is in line with the targets (terms) set by the agency.
KPI calculation: Days taken from date of sale to date of collection of cash.
Example target: The days taken from date of sale to collection of cash does not exceed xx days.

KPI: Average processing time
Description: This KPI measures the average time taken to process cash receipts.
Objective: To minimise the processing time of cash receipts in accordance with targets set by the agency (where appropriate).
KPI calculation: (Total time spent on cash receipts processing)/number of receipts processed.
Example target: Average processing time of cash receipts does not exceed xx hours.

Example KPIs relating to liabilities (also see examples in cash receipting – liquidity)

Liabilities

KPI: Current liabilities as a percentage of total liabilities
Description: This KPI measures current liabilities as a percentage of total liabilities.
Objective: To ensure that the ratio of short-term liabilities complies with the target set by the agency.
KPI calculation: Current liabilities/total liabilities.
Example target: The ratio of current liabilities is within xx per cent to xx per cent.

KPI: Non-current liabilities as a percentage of total liabilities
Description: This KPI measures non-current liabilities as a percentage of total liabilities.
Objective: To ensure that the ratio of liabilities not due in the current year complies with the target set by the agency. This ratio can be calculated at an aggregate level or by liability type.
KPI calculation: Non-current liabilities/total liabilities.
Example target: The ratio of non-current liabilities is within xx per cent to xx per cent.

Example KPIs relating to investments

Investments – capital

KPI: The average Net Present Value (NPV) of investments
Description: This KPI measures the average NPV of investments (i.e. the current value of the expected future cash inflows/outflows associated with the investment).
Objective: To ensure that the average NPV of investments is in line with targets set by the agency.
KPI calculation: Sum of total investment NPVs/total number of investments.
Example target: The average investment NPV is greater than $xx.

KPI: The average payback period for investments
Description: This KPI measures the average payback period for investments (i.e. the time taken for the expenditure relating to the investment to be recouped).
Objective: To ensure that the average payback period for investments is in line with targets set by the agency.
KPI calculation: Sum of total investment payback periods/total number of investments.
Example target: The average investment payback period is less than xx weeks/months/years.

KPI: The average Return on Investment (RoI) of investments
Description: This KPI measures the average RoI (i.e. the earnings generated by an investment expressed as a percentage of the investment).
Objective: To ensure that the average RoI of investments is in line with targets set by the agency.
KPI calculation: Sum of total investment RoIs/total number of investments.
Example target: The average investment RoI is within xx per cent to xx per cent.

KPI: The average Internal Rate of Return (IRR) of investments
Description: This KPI measures the average IRR of investments (i.e. the return required for the NPV to equal zero).
Objective: To ensure that the average IRR of investments is in line with targets set by the agency.
KPI calculation: Sum of total investment IRRs/total number of investments.
Example target: The average investment IRR is less than xx per cent.

Investment – non-capital

KPI: Short/medium/long term investments as a percentage of total investments (deposits)
Description: This KPI measures short/medium/long term investments as a percentage of total investments (deposits).
Objective: To ensure that the percentage of short/medium/long term investments (deposits) is in line with targets set by the agency.
KPI calculation: (Sum of short/medium/long term investments)/total number of investments.
Example target: The percentage of short/medium/long term investments is within xx per cent and xx per cent.

KPI: The average rate of return for investments (deposits)
Description: This KPI measures the average rate of return for investments (deposits).
Objective: To ensure that the rate of return for investments (deposits) is in line with targets set by the agency.
KPI calculation: Sum of total investment returns/total number of investments.
Example target: The average rate of return for investments (deposits) is greater than xx per cent.
User guide to Standing Direction 4.5
Financial management compliance obligations

Including:
4.5.1 Direction requirement 26 Compliance with directions
4.5.2 Direction requirement 27 Taxation
4.5.3 Direction requirement 28 Purchasing card
4.5.4 Direction requirement 29 Thefts and losses
4.5.5 Direction requirement 30 Risk management compliance
4.5.6 Direction requirement 32 Treasury risk management
4.5.7 Direction requirement 33 Foreign exchange risk management
4.5.8 Direction requirement 34 Commodity risk management

User guide to Standing Direction 4.5.1
Direction requirement 26
Compliance with directions

Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.1, require agencies to certify that they have complied with all applicable Directions. The Direction specifically requires agencies to:
- certify annually, using the form provided by DTF for the purpose, that they have complied with all applicable Directions;
- conduct an annual review of their obligations under these Directions; and
- identify and rectify any failure or deficiency in complying with these Directions.

Certification of compliance should be made annually to the Responsible Body or relevant delegate, e.g. audit committee. Agencies subject to the Financial Management Compliance Framework (FMCF) are also required to annually certify compliance with these Directions to their Minister.

This material provides guidance in relation to:
- compliance with Directions:
  – Direction Requirements.
- compliance levels:
  – definitions;
  – determining compliance level;
  – documentation; and
  – partially or not compliant certification responses.
- certification:
  – overview;
  – annual FMCF certification process; and
  – certification requirements for newly created or structurally changed agencies.
Compliance with directions
Entities are required to comply with each of the mandatory components of the Directions.

Direction requirements
Direction Requirements have been developed to assist and simplify annual certification against the Directions. The Direction Requirements incorporate the key themes and principles from the Directions. The Direction Requirements included in the annual certification process are outlined in the certification checklist.

Each Direction Requirement has:
- a high level requirement that is used for certification purposes, i.e. agencies submit their level of compliance against each high level requirement; and
- a number of elements (mandatory requirements) that must be considered when certifying the level of compliance. These elements are taken from the detail within the Directions.

Compliance levels

Compliance level definitions
Agencies are required to certify their level of compliance against each of the Direction Requirements in the annual certification process. The compliance level definitions are as follows:

Compliant: The agency is fully compliant with all elements within the Direction and Direction Requirement.
Partially compliant: The agency is partially compliant with any element within the Direction and Direction Requirement as at 30 June.
Not compliant: The agency is not compliant with any element within the Direction and Direction Requirement as at 30 June.
Not applicable: The Direction is not applicable to the agency. This response is only appropriate for a limited number of Directions and Direction Requirements.

Additional information
Direction Requirements that are certified (in the annual certification process) as not compliant or partially compliant must contain information that outlines:
- reasons for the partial compliance or non-compliance; and
- rectification plans to achieve full compliance.
Note: These responses should be added in the comments field in the compliance monitoring system and/or certification checklist.

Direction Requirements that are certified (in the annual certification process) as not applicable must detail reasons for the response.
Note: If the response is not applicable due to an exemption, please provide details regarding the exemption, e.g. date, period of exemption, etc.

Determining compliance levels
To determine the compliance level for each Direction Requirement, agencies need to:
- use the certification checklist to review compliance against each element within a Direction Requirement;
- assess the overall compliance of the Direction Requirement based on the compliance levels of the elements, i.e. are all, a majority, or less than a majority of the elements within the Requirement compliant?; and
- select a compliance level based on the definitions.
Note: Any queries relating to compliance responses should be directed to portfolio coordinators.

Documentation of compliance levels certified
Agencies should maintain a documentation trail to support the level of compliance certified each year. Documentation could be in the form of references to relevant policies, meeting minutes, files, etc. This could be recorded in the comments section of the certification checklist.

Partially compliant and not compliant certifications
The focus for agencies with areas of partial or non-compliance is to address the issues through the development and implementation of action plans that will effectively achieve compliance with the Directions.
Agencies are expected to actively work towards, and be able to demonstrate progress in, becoming fully compliant with the Directions over time. Where an agency is partially or not compliant with the Directions, consideration should be given to disclosing the compliance level to the Auditor-General prior to an audit. This would assist:
- in maintaining an open and constructive relationship with the Auditor-General (as per Direction 2.6 – external audit); and
- in ensuring that the Auditor-General is provided with all relevant information that could potentially influence a positive outcome for the entity.

Certification

Overview
Agencies are required to certify their compliance against the Directions, through the Direction Requirements, on an annual basis to their portfolio Minister. Portfolios each report their FMCF status to the Minister for Finance via the Department of Treasury and Finance (DTF). The process is as follows:

1. Department/agency: the certification process is completed with a letter prepared by the department/agency and signed off by the Accountable Officer (Secretary/CEO), and provided to the Portfolio Minister. Timing: between 1 July and 30 September each year.
2. Portfolio: a portfolio summary report is prepared by the portfolio and signed off by the Departmental Secretary on behalf of the Portfolio Minister. Timing: by 31 October each year.
3. Whole of government: a whole of government report is prepared by DTF and approved by DTF’s Secretary for the Minister for Finance.

Certification period and financial year end
The FMCF compliance year is from 1 July to 30 June, i.e. agencies must certify their compliance with the Directions (through the Direction Requirements) as at 30 June. For certification purposes, the last set of annual financial accounts/statements must be used to certify against the relevant Direction Requirements in Sections 2 and 4.
Certification approval and sign-off
The Chief Executive Officer of each entity is required to approve and sign the FMCF certification letter and the exceptions compliance summary attachment. The Responsible Body or delegate, e.g. audit committee, must also review and approve the certification.

Annual certification process – compliance monitoring system
The annual certification process contains a number of parts, including:
- complete review requirements;
- assess compliance;
- obtain sign-off; and
- complete and submit certification.
A detailed outline of each part of the process is given below.

Agencies use the compliance monitoring system (CMS) to complete their certification. The CMS is an online tool that is accessed through a website. It is suggested that agencies obtain approval for the certification from the CEO and Audit Committee once they have assessed their compliance, prior to entering the detail into the CMS (as per the process below). The CMS generates a certification letter and an exceptions compliance summary attachment. The certification letter is a standard template that is populated with an agency’s compliance details. The compliance summary attachment is an exceptions report that details rectification plans and reasons for partially or not compliant responses. Agencies are able to add additional comments to the certification letter and exceptions report.
Note: The CMS is open to agencies from 1 July to 30 September annually. Please refer to the Department of Treasury and Finance website (www.dtf.vic.gov.au) for further information.

Annual FMCF certification process
The following outline sets out the steps within the annual FMCF certification process at the agency and portfolio level. The timing of tasks is provided as a guide. Please refer to the guidance material in the FMCF toolbox for further information.

Data integrity framework – Process overview

Agency process

When: Throughout the year
What: Complete review requirements
How: There are requirements within the FMCF to complete reviews over a number of areas throughout the year, e.g. policy documents and the financial risk profile (see the Supplementary Material flyer for Direction review requirements).
1. Complete relevant reviews.
2. Where required, obtain endorsement by the CEO/CFO (or delegate) or the Board/Audit Committee.
3. Keep documentation supporting evidence of these reviews.

When: June – July
What: Assess compliance
How: The FMCF compliance certification checklist provides detailed guidance on the compliance requirements for each Direction.
4. Use the compliance certification checklist to review the compliance status against each of the mandatory elements within the 29 Direction Requirements.
5. Determine the compliance level (compliant, partially compliant, not compliant) using the results from step 4 and complete the ‘certification checklist’ as at 30 June.
6. Ensure there is evidence to support the compliance levels certified (where relevant).

When: July – August
What: Obtain sign-off
How:
7. Obtain the required approval, e.g. Board/Audit Committee, upon completion of the ‘compliance certification checklist’.
8. Finalise detailed sign-off over Direction 2.2(d) and (w), including:
  – internal controls;
  – risk management; and
  – financial statements.

When: August – September
What: Complete and submit certification
How:
9. Complete online certification via the compliance monitoring system (CMS) website: www.cms.dtf.vic.gov.au
10. Provide the signed certification letter and exception compliance summary attachment (where applicable) to the relevant Portfolio Minister, copied to the portfolio coordinator.
Note: the compliance summary attachment is an exceptions report that details rectification plans and reasons for partially or not compliant responses. Agencies can also add further comments in this attachment.

Department/portfolio process

When: September
11. Agency compliance certification received by the Portfolio Minister via the portfolio department.

When: October
12. Portfolio summary report prepared by the Portfolio Coordinator and signed off by the Department Secretary.
13. Portfolio summary report presented to the Minister for Finance and copied to DTF.

Certification requirements for newly created or structurally changed agencies

Agencies created during the compliance year
Agencies created during a compliance year that are required to comply with the FMCF must apply the FMCF from the date of establishment. The FMCF is mandatory for agencies:
- that are a government department or are defined as a public body in Section 3 of the Financial Management Act 1994; and
- that feed into Victoria’s Whole of Government Consolidated Annual Financial Report.

Merger of agencies during the compliance year
In cases where two or more agencies are merged during a compliance year, i.e. between 1 July and 30 June, a single FMCF certification is required for the merged agency. The certification must reflect the compliance environment of the newly merged agency. The certification should detail the reasons for the compliance level and state the details of the merger. Any relevant instances of non-compliance identified by the agencies prior to the merger should be documented in the certification.

Partially merged agencies
Where agencies partially merge, a certification for each agency is required. Certification should reflect the compliance status of the agencies as at 30 June and detail any areas that are partially or not compliant. The certification should detail the reasons for the compliance level and state the details of the merger.

Departmental division moves to a different department
Departments should detail in the certification the level of financial management compliance achieved by all of their divisions as at 30 June.
The certification should include divisions that have moved from one department to another during the compliance year.

Agency moves portfolios
Agencies that move to a different portfolio during a compliance year should certify to the portfolio to which the agency belongs as at 30 June. The certification should incorporate the compliance status of the entity for the entire compliance year.

Closing of an agency
Agencies that close during a compliance year should contact DTF for advice to determine whether certification is required for that financial year, and to arrange access to the compliance monitoring system if necessary.
Note: the compliance monitoring system (CMS) will be updated to reflect any changes to agencies and portfolios prior to the 30 June certification.

User guide to Standing Direction 4.5.2
Direction requirement 27
Taxation

Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to demonstrate compliance with Commonwealth Government taxation obligations and concessions (Direction 4.5.2, Direction requirement 27). The Direction stipulates that agencies must:
- annually review compliance with taxation and concession requirements;
- annually certify that taxation compliance and concession requirements have been met;
- develop and maintain taxation policies and procedures;
- develop and implement a taxation education program; and
- identify and rectify any taxation compliance issues.

Taxation compliance rules
A set of taxation compliance rules (the rules) supplement Direction 4.5.2 to assist agencies in meeting the requirements. The rules set out principles and specific procedures to follow so that compliance with the Direction is achieved. Specifically, the rules assist VPS agencies to meet their compliance obligations in relation to:
- Australian Business Number (ABN);
- Goods and Services Tax (GST);
- Pay As You Go (PAYG);
- Fringe Benefits Tax (FBT);
- Deductible Gift Recipient (DGR);
- Income Tax Exempt Charity (ITEC); and
- Fuel Tax Credits Scheme (FTCS).

Application of taxation compliance rules
The rules apply to agencies that must comply with the FMCF, that is, agencies that:
- meet the ‘public body’ definition contained within section 3 of the Financial Management Act 1994;
- have an Australian Business Number (ABN); and
- have Commonwealth taxation obligations (including GST, FBT and PAYG).

Compliance requirements
Compliance with the taxation direction and procedure is monitored through the taxation compliance rules and associated guidance. The Tax Compliance Review Questionnaire is used to assess compliance with the rules. This should be the starting point of the annual taxation compliance assessment process.

Certification of compliance should be made annually to the Responsible Body and/or audit committee (or equivalent). Ultimate responsibility for taxation compliance rests with the agency. Accordingly, it is anticipated that the Chief Finance and Accounting Officer, the Accountable Officer and the Audit Committee are actively involved in taxation compliance matters.

More information
The taxation compliance rules are available in the ‘Standing Directions associated rules’ section of the DTF website.
User guide to Standing Direction 4.5.3
Direction requirement 28: Purchasing card

Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.3, require agencies that operate purchasing cards to:
- establish a facility account, with a maximum monthly account limit, with the card provider;
- ensure only one card is issued to each employee cardholder, and that cardholders:
  – are approved;
  – have a maximum limit of $25 000 per card, unless otherwise approved by the Minister for Finance;
  – have a financial delegation, and that individual transaction limits do not exceed this delegation;
  – provide supporting documentation for all transactions, and that expenditure is approved by delegates prior to settling the monthly account with the card provider; and
- ensure cardholders use the card for official business only and that purchases of goods and services are for government purposes.

Monitoring and certification
Agencies must:
- ensure adequate monitoring and security procedures are in place;
- include a review of the card scheme and the use of cards issued in the internal audit program; and
- certify annually that they have followed the purchasing card procedure.

Unauthorised use
The Direction also requires that:
- any instance of unauthorised use [46] of a purchasing card must be reported to the Minister for Finance and the audit committee following an inquiry by the Accountable Officer; and
- all instances of unauthorised use of purchasing cards for the period ending 30 June are to be reported annually to the Minister for Finance.

Note: all reports of unauthorised use of purchasing cards should also be provided to the Audit Committee.
Internal controls for purchasing cards
When implementing the necessary internal controls for the card, public sector agencies and cardholders are to apply the principles set out in the Purchasing Card Rules for Use and Administration (the rules), issued by the Department of Treasury and Finance. The rules outline guiding principles and procedures that should be followed in relation to the use and administration of the card.

[46] An instance of unauthorised use is defined in Section 7 ‘Unauthorised Use’ of the Purchasing Card Rules for Use and Administration.

Purchasing card rules for use and administration
The Purchasing Card Rules for Use and Administration (the rules) supplement Direction 4.5.3 and have been developed to assist cardholders and agencies in the interpretation and application of the legislative requirements. The rules aim to ensure agencies administer procurement using purchasing cards within a controlled environment of strict procedures and guidelines, with clear consequences for public servants or statutory officers who misuse cards.

Key principles for conduct
The rules set out the following key principles for the conduct of cardholders:
- cardholders must always act in the interests of the State, as opposed to their own personal interests or convenience; and
- cardholders must perform their duties honestly, with skill and care.

Liability for charges
Liability for any charges on purchasing cards rests with the State and not the individual cardholder. For this reason, the rules must be strictly adhered to as a means of limiting the financial exposure of the State.

More information
The Purchasing Card Rules for Use and Administration are available in the ‘Standing Directions associated rules’ section of the DTF website. Please contact your portfolio coordinator directly if you have problems with access.
User guide to Standing Direction 4.5.4
Direction requirement 29: Thefts and losses

Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.4, require the Responsible Body to ensure ‘all cases of suspected or actual theft, arson, irregularity or fraud in connection with the receipt or disposal of money, stores or other property of any kind whatsoever under the control of the agency are notified to the Minister for Finance and the Auditor-General.’

Notification requirements
Where the receipt or disposal of money is:
- equal to or exceeds $1 000, the incident must be reported at the time of the occurrence and an incident report must be submitted within two months; or
- less than $1 000, the incident must be reported annually for the period ending 30 June, together with an incident report.

For stores and property of any kind with a value:
- equal to or exceeding $20 000, the incident must be reported at the time of occurrence and an incident report must be submitted within two months; or
- less than $20 000, the incident must be reported annually for the period ending 30 June, together with an incident report.

Incident report
The incident report must outline:
- whether internal controls and systems:
  – have been reviewed; and
  – have identified weaknesses that have been or will be rectified;
- the status of any proceedings, investigations or disciplinary actions;
- what has been recovered, whether by way of money, stores, other property or insurance; and
- any other information that it appears appropriate to include.

Notification reports and incident reports provided to the Minister for Finance and the Auditor-General should also be provided to the relevant Minister.

Thefts and losses rules
Direction 4.5.4 is supplemented by a set of Thefts and Losses Rules (the rules) which have been developed to assist agencies.
The rules set out the principles and procedures to be followed in relation to the thefts and losses monitoring and reporting requirements.

More information
The Thefts and Losses Rules are available in the ‘Standing Directions associated rules’ section of the DTF website.

This supplementary material contains the following:
- Attitudes to fraud.
- Definition of fraud.
- Fraud control framework:
  a. Fraud control policy.
  b. Responsibility structures.
  c. Fraud monitoring.
  d. Fraud risk profile.
  e. Employee awareness.
  f. Fraud reporting systems.
  g. External requirements.
  h. Investigation procedures.
  i. Code of conduct and discipline procedures.

This outline of a fraud control framework serves to raise awareness of, and therefore minimise, the consequences of fraudulent or corrupt behaviour in relation to the conduct of public sector agencies’ business or activities.

Attitudes to fraud

State Government
The Victorian State Government is committed to the aims and objectives of good corporate governance. It does not tolerate improper conduct by its employees and recognises the value of transparency and accountability in its administrative and management practices.

This supplementary material has been developed:
- to assist agencies in developing a fraud control framework to suit the particular operational requirements and circumstances of their business; and
- to assist agencies in reviewing, revising and implementing their own fraud control framework.

Agencies
Effective fraud control requires the commitment and involvement of all public sector agencies, employees and external service providers. All agencies are potentially exposed to losses as a result of fraud and corruption, which may damage reputation and lead to inappropriate or inefficient use of financial or physical resources.
Agencies should be committed to minimising the risk of fraud, not tolerating any act of internal fraud or corrupt conduct, and taking steps to manage the risks of external fraud. The guidelines for unacceptable behaviour are outlined in the Victorian Public Service Code of Conduct, which is the standard by which public sector behaviour is measured.

Definition of fraud
For the purpose of this supplementary material, fraud against the State of Victoria is defined as ‘dishonestly obtaining a benefit by deception or other means’.

This definition includes, but is not limited to, the following types of fraud:
- theft;
- obtaining property, a financial advantage or any other benefit by deception;
- providing false or misleading information to the State Government, or failing to provide information where there is an obligation to do so;
- causing a loss, or avoiding or creating a liability, by deception;
- creating, using or possessing forged or falsified documents;
- bribery, corruption or abuse of office;
- unlawful use of public sector equipment, including interfering with or hacking into computers, and misuse of vehicles, telephones and other property or services;
- relevant bankruptcy offences; and
- any offences of a like nature to those listed above.

Fraud can be perpetrated by:
- a public sector employee against a public sector agency or its programs;
- an agency or external individual against such an agency or its programs;
- a contractor or service provider against an agency or its programs; and
- any combination of the above, acting in collusion or otherwise.

Fraud control framework
It is vital that public sector agencies establish a fraud control framework to protect themselves against loss or reputational damage. The framework should include a range of proactive and reactive strategies designed to mitigate fraud. The following table outlines the components of a fraud control framework.
Each component is discussed in detail in sections (a) to (i) of this supplementary material. Note that this list is a guide only; there are many other steps an agency can incorporate into its own framework to minimise fraud and tailor it to its individual requirements, such as the introduction of a conflicts of interest policy.

a. Fraud control policy: As part of the fraud control framework, an agency should adopt a fraud control policy that integrates the components of the framework and is designed to meet the specific needs of the organisation.
b. Responsibility structures: An agency should define the organisational responsibility for fraud control needed to implement and give effect to a fraud control framework.
c. Fraud monitoring: Ongoing fraud monitoring activities can be incorporated into existing assurance programs.
d. Fraud risk profile: Developing a fraud risk profile includes undertaking a fraud risk assessment across areas of the organisation on a periodic basis, e.g. every two years. The assessments examine internal and external fraud risks (employee and contractor/customer fraud) and also the potential for collusion.
e. Employee awareness: Fraud awareness training for all employees is essential to provide an understanding of what constitutes fraud and to assist in recognising fraudulent behaviour.
f. Fraud reporting systems: A fraud control framework should have internal and external reporting arrangements which include formal and informal mechanisms for reporting fraud.
g. External requirements: Policies and procedures should include consideration of the requirement to report incidents of fraud or corruption to external authorities.
h. Investigation procedures: Formalised, documented procedures for internal investigations, including reporting matters to the police and other external parties, should be implemented as part of the framework.
i. Code of conduct and discipline procedures: An agency’s Code of Conduct should support a culture of honesty and integrity where fraud, corruption and dishonest acts will be detected, investigated and, if required, disciplined.

a. Fraud control policy
A fraud control policy designed to meet the specific needs of an agency should be developed and implemented. The table below provides an example of a structure for fraud control policy and procedures.

Example of potential structure for fraud control policy and procedures

Executive summary
- Introduction to policy;
- Objectives of the policy, e.g. management’s commitment to its responsibility for identifying fraudulent activity and establishing procedures for prevention and detection;
- Definition of fraud;
- Agency’s statement of attitude towards fraud, which may incorporate and/or refer to the code of conduct;
- Responsibility structures, including:
  – appointment of a Fraud Control Officer and/or external support role; and
  – fraud control responsibilities.

Fraud control strategies
- Fraud monitoring activities, including:
  – internal audit reviews;
  – internal compliance reporting; and
  – external obligation requirements.
- Fraud risk profiling and assessment;
- Implementation of proposed actions; and
- Employee awareness and conduct.

Fraud reporting
- Procedures for internal reporting of fraud;
- Procedures for external anonymous reporting;
- Protection for a discloser reporting suspected fraud (see whistle-blowers);
- Procedures for reporting to police and external parties; and
- Reporting requirements.

Fraud investigation
- Procedures for internal investigations and reporting to external parties; and
- Documentation of the results of investigations.

Disciplinary matters

b. Responsibility structures
The Accountable Officer and the Responsible Body are responsible for the system of internal control, which includes the prevention and detection of fraud.
The audit committee also plays a role in overseeing the operation and implementation of the risk management framework.

Agencies should ensure that appropriate resources are allocated to fraud monitoring and control. Each agency should allocate appropriate personnel to:
- implement its fraud and corruption control initiatives;
- coordinate the fraud risk assessment procedures;
- record fraud incident reports; and
- conduct investigations of allegations of fraud.

Allocating these resources may also require the assistance of specialist skilled resources internal or external to the agency. Alternatively, existing staff may need to be trained to perform these roles. Larger agencies should consider appointing a Fraud and Corruption Control Officer who can implement practical fraud control procedures, as well as train all staff in the identification of risks.

When defining the responsibility structure, an agency may wish to bear in mind that while management is responsible for the prevention of fraud, operational line management is often in a better position to prevent and detect fraud by monitoring the continued operation of controls. The Audit Committee is also responsible for overseeing an agency’s operation and implementation of its risk management framework.

c. Fraud monitoring
Reviews for the monitoring and prevention of fraud can be incorporated into an agency’s assurance programs and should also be reflected in the responsibility structure. Agencies can ensure fraud is monitored through existing assurance programs such as internal audit, internal review and other review mechanisms. Ideas for the scope of these reviews include:
- proactive fraud detection can be achieved by performing regular data mining reviews using an automated detection program.
  This program assists an agency to identify anomalous transactions and other data records that appear suspicious and therefore might warrant further investigation;
- fraud risk reviews should be undertaken on a recurring basis to regularly monitor all agency processes;
- monitoring of calls to the whistle-blower hotline; and
- regular screening of new and/or promoted employees.

d. Fraud risk profile
A fraud risk profile includes the completion of a fraud risk assessment which identifies weaknesses in procedures and controls and links them to risks across functions within an organisation. When preparing a fraud risk profile, high risk functions should be considered to determine what controls are in place to prevent, detect or deter fraudulent activity. An assessment of whether the controls in place are sufficient can then be made, and an agency can determine whether its fraud control obligations can be met and whether external support is required to determine the fraud risk profile.

Each agency’s requirements will vary when developing a fraud risk profile. The table below outlines potential steps to consider when developing a fraud risk profile.

Example of potential steps to consider when developing a fraud risk profile

1. Consideration of the size of the agency:
- are the internal controls robust in a large agency?
- are there any set guidelines to follow in a small agency?

2. Determine the number of staff working for the agency and identify associated risks:
- does the agency enforce segregation of duties?
- in a small agency, are only a few staff responsible for accounting procedures?
- in a large agency, are staff rotated on a regular basis to reduce the chance of supplier familiarity, which can lead to improper relationships?

3. Management accountability:
- has management effectively implemented the agency’s anti-fraud controls?
- is the code of conduct adhered to?
- has it been demonstrated that internal controls are important?

4. Undertake a fraud risk assessment – identify the risks:
A fraud risk assessment considers fraud schemes and the circumvention of existing controls. The fraud risk assessment should be conducted on a systematic basis and could include:
- interviews with agency employees at different levels to identify risks relevant to their role and area;
- the identification and risk assessment of the reliance on processes in each area within the agency;
- identification of possible fraud risks that might occur in a typical administrative situation; and
- review of the outcomes of previous risk treatment activities.

5. Undertake a fraud risk assessment – rate the risks:
The probability and impact of the fraud need to be considered. Risk weightings can be assigned to each fraud risk, such as:
- probable (rating 1);
- reasonably possible (rating 2); and
- remote (rating 3).
The impact and significance of fraud should also be identified. This could be completed by:
- focusing on one area within a fraud risk profile at a time (e.g. HR);
- considering all the fraud risks associated with that area;
- considering existing control measures to mitigate the risks;
- assessing whether the control measures are actively in place; and
- assessing the rating of the control measure using the rating weightings.

6. Consideration of circumvention and overriding of controls by management:
Effectively designed internal controls should be in place to respond to the assessed risk of management override.

7. Fraud control plan:
Following the risk assessment and evaluation of potential fraud risks, a fraud control plan should be implemented. These control activities should be designed and implemented to mitigate identified fraud risks. The risks acknowledged in the fraud control plan should be monitored on a regular basis to ensure new risks are identified.
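The data mining reviews described under (c) Fraud monitoring above can be implemented as a set of automated tests run over extracts from the payroll, vendor master and accounts payable systems. The script below is an added example written for this guide; it is not part of the original user guide or of any DTF tool. Its record layouts, field names and sample records are constructed assumptions, and the tests it runs correspond to indicators listed among the example fraud elements later in this material: duplicate invoice numbers and payments, a vendor bank account matching an employee's account under a different name, continued payments to terminated employees, invoices paid within five days, and duplicate payroll payments.

```python
"""Automated data-mining review for common fraud indicators (added example).

The constructed records below stand in for extracts from an agency's payroll,
vendor master and accounts payable systems; all field names are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real agency records).
EMPLOYEES = [
    {"emp_id": "E100", "name": "A. Lee",    "bank_acct": "063-000 11112222", "terminated": None},
    {"emp_id": "E101", "name": "B. Singh",  "bank_acct": "063-000 33334444", "terminated": date(2013, 3, 31)},
    {"emp_id": "E102", "name": "C. Romano", "bank_acct": "063-000 55556666", "terminated": None},
]
VENDORS = [
    {"vendor_id": "V1", "name": "Acme Stationery",   "bank_acct": "083-001 77778888"},
    {"vendor_id": "V2", "name": "Bright Consulting", "bank_acct": "063-000 11112222"},  # same account as E100
]
INVOICES = [
    {"vendor_id": "V1", "invoice_no": "INV-501", "amount": 1200.00, "invoiced": date(2013, 4, 1), "paid": date(2013, 4, 30)},
    {"vendor_id": "V1", "invoice_no": "INV-501", "amount": 1200.00, "invoiced": date(2013, 4, 1), "paid": date(2013, 5, 14)},  # paid twice
    {"vendor_id": "V2", "invoice_no": "BC-9",    "amount": 9800.00, "invoiced": date(2013, 5, 6), "paid": date(2013, 5, 8)},   # settled in 2 days
]
PAYROLL = [
    {"emp_id": "E100", "pay_date": date(2013, 4, 11), "amount": 3000.00},
    {"emp_id": "E101", "pay_date": date(2013, 4, 11), "amount": 2900.00},  # after termination
    {"emp_id": "E102", "pay_date": date(2013, 4, 11), "amount": 3100.00},
    {"emp_id": "E102", "pay_date": date(2013, 4, 11), "amount": 3100.00},  # duplicate pay run
]


def normalise_acct(acct):
    """Keep only the digits so BSB/account formatting differences cannot hide a match."""
    return "".join(ch for ch in acct if ch.isdigit())


def duplicate_invoices(invoices):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["vendor_id"], inv["invoice_no"])].append(inv)
    return [key for key, rows in seen.items() if len(rows) > 1]


def vendor_accounts_matching_employees(vendors, employees):
    """Vendor bank account equals an employee's account while the names differ."""
    by_acct = {normalise_acct(e["bank_acct"]): e for e in employees}
    hits = []
    for v in vendors:
        e = by_acct.get(normalise_acct(v["bank_acct"]))
        if e is not None and e["name"] != v["name"]:
            hits.append((v["vendor_id"], e["emp_id"]))
    return hits


def payments_to_terminated(payroll, employees):
    """Payroll payments dated after the employee's termination date."""
    term = {e["emp_id"]: e["terminated"] for e in employees}
    return [p["emp_id"] for p in payroll
            if term.get(p["emp_id"]) is not None and p["pay_date"] > term[p["emp_id"]]]


def fast_payments(invoices, days=5):
    """Invoices settled within `days` of the invoice date (possible favourable treatment)."""
    return [inv["invoice_no"] for inv in invoices
            if inv["paid"] - inv["invoiced"] <= timedelta(days=days)]


def duplicate_payroll(payroll):
    """Same employee paid the same amount on the same pay date more than once."""
    counts = defaultdict(int)
    for p in payroll:
        counts[(p["emp_id"], p["pay_date"], p["amount"])] += 1
    return [key[0] for key, n in counts.items() if n > 1]


def run_review():
    """Run every test over the extracts and return findings keyed by indicator."""
    return {
        "duplicate_invoices": duplicate_invoices(INVOICES),
        "vendor_matches_employee": vendor_accounts_matching_employees(VENDORS, EMPLOYEES),
        "paid_after_termination": payments_to_terminated(PAYROLL, EMPLOYEES),
        "paid_within_5_days": fast_payments(INVOICES),
        "duplicate_payroll": duplicate_payroll(PAYROLL),
    }


if __name__ == "__main__":
    for indicator, hits in run_review().items():
        print(f"{indicator}: {hits or 'none'}")
```

Each test returns the matching records rather than a verdict, so the findings can be logged and handed to the investigator for the follow-up the framework requires; a run that reports no hits is still worth recording as evidence that the review took place. In a real review the extracts would come from the agency's own systems and thresholds such as the five-day window would be set from the fraud risk profile.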
Areas and elements within a fraud risk profile
A fraud risk profile considers the potential for fraud across areas within an organisation. A potential fraud exposure can be described as an element. The table below outlines examples of areas and potential fraud elements within an area, and can be used to assist in the development of a fraud risk profile.

Area: Payroll
Examples of elements of potential fraud within the area:
- Duplicate payroll payments for personal gain.
- Continued payments to employees who have been terminated.
- Fraudulent payments in excess of authorised salary.
- Excessive payments of overtime as a proportion of gross salary.
- Fictitious employees on payroll.
- Lack of segregation of duties between accounting processes.

Area: Accounts payable
- Creation of fictitious invoices or bogus vendors.
- Duplicate invoice numbers and payments.
- Payments to vendors where the bank account matches the account number of an employee and the vendor name is different from the employee name.
- Favourable payment of invoices (within five days).
- Misuse of purchasing card/cab charges/travel and expense claims.
- EFT fraud.
- Misappropriation of funds.

Area: Petty cash
- Poor controls over cash under lock and key.
- Lack of segregation of duties between receiving cash, issuing receipts and making bank deposits.
- Regular reconciliations not performed.
- Infrequent cash deposits, allowing cash to accumulate.

Area: Accounts receivable
- Lack of control or system processes over generation of invoice numbers.
- Lack of segregation of duties between processing of accounts receivable, posting to ledger and issuing of receipts.
- Frequent credit notes and write-offs.
- No reconciliation of accounts receivable sub-ledger to general ledger control account.

Area: Physical assets
- Poor controls over asset records.
- Personal use of assets.
- Theft of assets.
- Unlawful disposal of assets.
- Falsification of asset statements.
Area: Tendering and contracting
- Selection of a preferred supplier for personal gain, e.g. kickbacks.
- Paying the contractor more than they are entitled to.
- Payment to a supplier for services not performed.
- Conflicts of interest.
- Misuse of sensitive information in contracting.
- Fraudulent dealing in relation to capital projects.
- Collusion between employees and contractors.

Area: Communications
- Unauthorised acquisition of information.
- Fraudulent release of information.
- Fraudulent application of sponsorships/donations.

Area: HR
- Pre-employment screening.
- Fraudulent recording of attendance and/or changes to leave entitlements.
- Fraudulent workers’ compensation claims.
- Unauthorised disclosure of confidential employee information for profit.

Area: Information technology
- Unauthorised release of login and password details.
- Inadequate controls over software resulting in unauthorised staff accessing systems.
- Downloading of inappropriate material from the internet.
- Installation of pirated software on the organisation’s computers.
- Theft of data, hardware or software.
- Manipulation of output from IT processes for fraud.

Area: Motor vehicles
- Unauthorised private use of vehicles.
- Theft or substitution of accessories or tools.
- Use of petrol card for private vehicles.
- Falsification of vehicle logs.

Detailed elements within an area
To explain how an element within an area can be included in a fraud risk profile, an example on pre-employment screening is provided below.

Area: HR
Element: Pre-employment screening
Explanation: Pre-employment screening is the verification of a candidate’s background for employment purposes. The screening of potential employees has proven to be a valuable risk management tool and is considered by experts to be the most effective way of minimising and guarding against potential security risks by identifying undesirable employees before they join the organisation.
Potential steps for a pre-employment screening process
1. Development of an effective pre-employment screening process for employees before the commencement of employment, on promotion and prior to the completion of the probationary period, paying particular attention to those positions with higher risk exposures.
2. Enquiries should be undertaken as part of the employment process to verify identity and credentials and to validate employment history. These checks could include:
- verification of two forms of identification, such as a driver’s licence or a passport;
- a Victoria Police criminal history search;
- verbal reference checks with the candidate’s last two employers;
- consideration of, and the reasons for, any discrepancies or gaps in the employment history provided on the candidate’s curriculum vitae; or
- confirmation of any formal qualifications obtained.

A review of a fraud risk profile for the element in this area would include examination of documented procedures and testing of controls.

e. Employee awareness
Employee awareness about fraud is important for the prevention and control of both internal and external fraud. For a fraud awareness program to be effective, training should initially be delivered to all staff. It is important to update and present the program on a regular basis so that the continuing identification of fraud weaknesses and development of controls (from regular fraud risk assessments) is communicated. The agency should determine its own frequency for fraud awareness training. Induction programs for new staff could include information and training about fraud prevention, detection and reporting of fraud or corruption, as well as employee malpractice.

A fraud awareness program for employees could include information about the following:

Considerations for developing a fraud awareness program for employees
- Fraud awareness training should be provided to all staff.
- Development of a training program to raise the level of awareness of fraud issues to assist employees to identify, prevent and control fraud.
- Fraud awareness training should cover:
  – culture and ethics;
  – code of conduct;
  – identification of fraud;
  – prevention;
  – detection;
  – fraud profiles, e.g. behavioural characteristics;
  – responsibility structure;
  – reporting and obligations; and
  – consequences.
- Short training sessions (one to two hours) should be scheduled on a periodic basis.
- Supporting documentation should be available in hard copy and on the intranet.
- A record of the training sessions, including dates and attendees, should be kept.

f. Fraud reporting systems
A fraud control framework should have internal and external reporting arrangements which include formal and informal mechanisms for reporting fraud. It should also include documented procedures for the receipt, retention and treatment of complaints and of confidential, anonymous disclosures of concern by employees or external third parties. Best practice is the establishment of an independent ethics/whistle-blower hotline to allow employees to make protected disclosures in relation to unethical behaviour.

Agencies need to ensure that all employees are able to report suspicious behaviour or unethical conduct. This could include reporting through the agency’s usual organisational structure or through internal/external anonymous reporting channels, for example the whistle-blower hotline discussed above.

Whistle-blower
Agencies should encourage employees to report suspicions of fraud. The Whistleblowers Protection Act 2001 (the Act) provides protection to employees making disclosures of improper conduct by public bodies or public sector employees. (That Act has since been replaced by the Protected Disclosure Act 2012; agencies should check the legislation currently in force.)

The three key areas of inappropriate conduct falling within the realm of whistle-blower reporting are:
1. ‘Improper conduct by a public body or public official’.
This incorporates conduct that is corrupt, a substantial mismanagement of public resources, or conduct involving substantial risk to public health or safety or to the environment.
2. ‘Corrupt conduct’. This includes conduct that adversely affects the honest performance of a public officer’s or public body’s functions; conduct that amounts to a breach of public trust or misuse of information or material acquired in the course of official functions; the performance of an employee’s functions dishonestly or with inappropriate partiality; and a conspiracy or attempt to engage in any of the aforementioned conduct.
3. ‘Detrimental action’. The Act makes it an offence for a person to take action against a person in reprisal for a protected disclosure, including action causing injury, loss or damage; intimidation or harassment; and discrimination or disadvantage in relation to a person’s employment, including taking disciplinary action.

The following table outlines steps to consider when developing a policy and procedures for whistle-blower reporting.

Steps to potentially consider when developing whistle-blower policy and procedures
1. Establishment of a policy which outlines the agency’s commitment to a culture of corporate compliance and ethical behaviour.
2. A statement in the policy which defines unethical behaviour and encourages reporting to approved personnel.
3. A statement emphasising the benefits and significance of a whistle-blower system. The policy should also encourage immunity for whistle-blowers.
4. The objectives of a whistle-blower system are to:
- encourage reports of corruption and illegal practices that can cause loss to an agency or reputational damage;
- enable an agency to protect the identity of the whistle-blower;
- enable an agency to protect the whistle-blower from reprisal; and
- provide the framework, including the nomination of a Coordinator, Welfare Officer and Investigator, as well as alternative means of reporting.
5. Provision of resources to support a whistle-blower procedure, including the appointment of a whistle-blower protection officer and a whistle-blower investigations officer, an internal reporting line, regular training for all relevant employees and a mechanism for appeals.
6. Establishment of reporting mechanisms which detail how and where to report suspicions of fraud. Details of these mechanisms should be communicated to all employees and be easily accessible, e.g. on an intranet site.
7. A policy statement guaranteeing that the reporting of reportable conduct will be held in the strictest confidence.
8. Communication by the agency that the whistle-blower will be kept informed of the outcomes of the investigation.
9. Reported conduct should be investigated by the Whistle-blower Investigations Officer. All reportable conduct investigated by the Whistle-blower Investigations Officer should be reported to the CEO or other senior executive.

In addition to the Whistle-blower Investigations Officer within a public sector agency, reports of improper or corrupt conduct may be made in writing or by telephone to your agency’s nominated Protected Disclosure Officer. Alternatively, disclosures may be made directly to the Ombudsman for Victoria.

g. External requirements
An agency should have formal procedures outlining external notification obligations, and mechanisms to record outcomes and reporting requirements. External notification and reporting obligations are set out in the Financial Management Act 1994 (the ‘FMA’). All incidents of theft or loss must be reported to the Minister for Finance and the Auditor-General. The reporting timeframe will depend on the value of the theft or loss. Agencies should refer to the Thefts and Losses Rules pursuant to the Financial Management Act 1994 for further details on reporting thresholds and timeframes.
In addition, the agency is to provide an incident report to the Minister for Finance and the Auditor-General. The incident report must outline:
- whether internal controls and systems have been reviewed;
- whether the weaknesses identified have been rectified;
- the status of any proceedings, investigations or disciplinary actions; and
- what has been recovered.

h. Investigation procedures
Best practice suggests that agencies should establish standardised procedures for tracking, responding to, investigating and assessing allegations of fraud. Procedures could include a written plan for tracking and responding to allegations of misconduct. Where appropriate, the investigative process should allow for an investigation independent of management. Consideration should also be given to ensuring that any initial action or full investigation preserves evidence and follows other legal rules and principles, so that it does not complicate any formal investigation.

i. Code of conduct and discipline procedures
It is important that an agency’s code of conduct supports a culture of honesty and integrity where fraud, corruption and dishonest acts will be detected, investigated and, if required, disciplined. The Victorian public sector Code of Conduct is a public statement of how agencies should conduct their business and how they should treat their clients and colleagues. It supports the legislation in relation to public administration in Victoria. Agencies should be committed to effectively managing discipline and misconduct to ensure that their standards of work performance and conduct are maintained.
Other references

There are a number of other references that should be considered when developing a fraud control framework, for example:
• legislation and regulations in relation to:
  – financial management;
  – public sector administration;
  – whistle-blowers protection; and
  – information privacy.
• codes of practice and/or good practice guides such as:
  – code of conduct (Victorian public sector);
  – financial code of practice; and
  – whistle-blower guidelines (Ombudsman's Office).
• Australian Standards in relation to:
  – fraud and corruption control;
  – organisational codes of conduct; and
  – whistle-blower protection.

User guide to Standing Direction 4.5.5

Direction requirement 30
Risk management compliance

Introduction

The Standing Directions of the Minister for Finance (the Directions) require agencies to implement and maintain risk management governance, systems and reporting requirements as outlined in the Victorian Risk Management Framework.

Direction 4.5.5 requires agencies to:
• conduct an annual review of their obligations under this Direction;
• identify and rectify any failure or deficiency in complying with this Direction; and
• provide an attestation that their risk identification and management plan is consistent with AS/NZS ISO 31000:2009 or equivalent.

Compliance requirements

For details regarding compliance requirements for this Direction, agencies must refer to the Victorian Risk Management Framework issued by the Minister for Finance in July 2007. The framework document outlines the requirements and also contains an example attestation.

More information

The Victorian Risk Management Framework can be obtained from the Department of Treasury and Finance or found at www.dtf.vic.gov.au.
User guide to Standing Direction 4.5.6

Direction requirement 32
Treasury risk management

Introduction

The Standing Directions of the Minister for Finance require agencies to undertake all borrowings, investments and financial arrangements with a financial institution that is either a State owned entity or has a credit rating, assigned by a reputable rating agency, that is the same as or better than the State of Victoria.

Note that there are a number of exceptions to this Direction:
• Where a public sector agency has been granted specific borrowing or investment powers under its constituting legislation, this Direction will not apply (see explanatory note);
• Where the investment is cash on hand in a transactional bank account with an authorised deposit-taking institution (ADI);
• Where the financial arrangement is a foreign currency hedging transaction of less than $1 000 000 undertaken with an ADI;
• Where a public sector agency is operating a bank overdraft as part of its normal transactional banking operations;
• Where amounts invested by the public sector agency with an ADI, excluding cash on hand in a transactional bank account, do not in aggregate exceed $2 000 000;
• Where the public sector agency holds money, other than money held on trust for the State or a public body, invested pursuant to a statutory function to hold it on trust for a known beneficiary; or
• Where, following consultation with the public sector agency’s portfolio Minister, the Treasurer has in writing approved otherwise.

Explanatory note: Where a public sector agency merely has general powers to do things necessary or convenient to perform its functions or achieve its objects, this Direction will apply to that agency’s borrowings or investments. Where specific borrowing and/or investing powers are provided, e.g. investment powers for registered funded agencies under the Health Services Act 1988, this Direction will not apply to those investments.

Agencies must:
• conduct an annual review of their obligations under this Direction; and
• identify and rectify any failure or deficiency in complying with this Direction.

Application for other exceptions

Any investments held by government agencies outside the centralised framework, apart from the above exceptions, must be approved by the Treasurer and reported to the Department of Treasury and Finance semi-annually. Applications for approval and reporting of such investments should be forwarded to:

The Director
Financial Assets and Liabilities Group
Department of Treasury and Finance
Level 5, 1 Treasury Place
Melbourne VIC 3002

Centralised treasury and investment policy

A centralised treasury and investment policy has been issued by the Treasurer. High level details of the policy are included below.

Background

The objectives of the policy are to ensure that treasury risks are effectively identified, assessed, monitored and managed by public sector agencies, and that the strategies adopted by public sector agencies are consistent with the overall objectives of the government.

The State has a conservative philosophy for the management of treasury risks and accordingly, public sector agencies are encouraged to develop specific measures that best address the borrowing and investment risks of their business.

As part of the State’s prudent approach to financial risk management, the government has established the Treasury Corporation of Victoria (TCV) and Victorian Funds Management Corporation (VFMC) as centralised agencies to manage the borrowing, investing and financial market activities of public sector entities.
A key reason for taking this action is so that the government has assurance that government agencies are dealing with bodies that are owned by the State and therefore have a credit rating equal to that of the State. In order to minimise the State’s overall financial risk it is important that the State’s borrowing and investment activities be undertaken through these agencies.

Operating guidance

TCV manages borrowings and short-term deposits, facilitates financial arrangements to hedge, protect or manage the value of assets and liabilities, and executes the associated transactions. VFMC manages long-term investments, advises on and/or implements diversified investment strategies, and executes the associated transactions.

These centralised arrangements create significant benefits as they:
• provide the capacity to net the State’s borrowings and investments prior to approaching financial markets, thus reducing its overall borrowing program;
• create economies of scale which reduce execution and administration costs;
• enable the State’s overall counterparty risk to be monitored and managed;
• improve prudential oversight of the State’s overall borrowings and investments; and
• allow the concentration of appropriate financing and investment expertise, rather than it being spread thinly across a range of public sector agencies.

Under the centralised framework all borrowings, short term investments and financial arrangements should be dealt through TCV, which can advise on appropriate funding, hedging and investing structures taking into account the financial requirements and risk appetite of the public sector agency. Where it is clear that an entity has a long term investment need, the entity should approach VFMC directly (where appropriate, TCV will refer the entity to VFMC). Relevant approval processes are to be followed before the transactions can be undertaken.
Transition arrangements

In terms of transition arrangements, there may be a number of public sector agencies that, prior to the issuance of this policy, have entered into short term investments, such as term deposits with commercial banks, that may incur break costs if they are withdrawn prior to maturity. Where substantial break costs for early withdrawal exist, these short term investments are permitted to continue to maturity, after which the proceeds must be invested with the centralised agencies.

User guide to Standing Direction 4.5.7

Direction requirement 33
Foreign exchange risk management

Introduction

This Standing Direction requires a public sector agency that:
• has a foreign currency exposure that is in aggregate AUD $1 million or more and is known with certainty (with respect to the timing and a minimum quantity), to fully hedge the exposure with Treasury Corporation of Victoria (TCV); and
• has a foreign currency exposure that is in aggregate less than AUD $1 million and is known with certainty, to hedge the exposure with TCV or an authorised deposit-taking institution (ADI) where it is considered material.

Hedging transactions greater than AUD $1 million outside of TCV will require the written approval of the Treasurer.

Definition and example of foreign currency exposure

Foreign exchange risk is a risk to operating result or capital due to a change in foreign exchange rates. Foreign exchange risk arises:
• when a cash payment or receipt is denominated in a foreign currency; or
• when an Australian dollar cash payment or receipt is determined by a foreign currency amount converted to Australian dollars at an exchange rate prevailing at some future date.

Exposure to changing foreign exchange rates often arises indirectly in the normal course of business.
It may occur when purchasing products from a foreign supplier, where a fall in the value of the Australian dollar may reduce the operating margin. In some instances the foreign currency exposure may be embedded in the terms of a contract, such as an agreement to purchase goods from an offshore supplier. To assist public sector agencies to determine exposures, it is important to consider the likely amount and timing and the degree of certainty attached to both.

The Direction is not intended to cover investments such as foreign equities that form part of a diversified portfolio.

Foreign exchange hedging

Hedging is the process of ‘locking in today’ the exchange rate for a transaction that will take place at some future date. Hedging is a means of protecting against exchange rate uncertainty. A public sector agency will be able to buy or sell at an agreed price, regardless of how the actual exchange rate changes. Hedging protects against adverse exchange rate changes but also excludes any benefit arising from favourable movements.

The most common instrument used to hedge foreign exchange currency exposures is a forward foreign exchange contract (see example below). With a forward foreign exchange contract a foreign exchange rate for any future date can be set today. When the future date arrives, the foreign exchange transaction is settled based on the agreed exchange rate regardless of where the actual exchange rate is on settlement day. These contracts and other foreign exchange instruments can be provided by TCV; see contact details below.

Example: On 30 August, a public sector agency signs a contract to buy some medical equipment from a supplier in Germany for EUR €1 million, with an agreed payment date of September 30. If the current one month forward exchange rate is .75, the cost of the equipment in Australian dollars is $1.3 million.
In this example the exposure is in excess of AUD $1 million and the amount and timing are certain, so the public sector agency is required to hedge with TCV. If the public sector agency does not hedge and the exchange rate on September 30 is .71, it will cost the public sector agency AUD $1.4 million to purchase the equipment.

State purchase contracts

When a public sector agency purchases goods and services using fixed price state purchase contracts it is reducing its foreign currency and commodity price exposure. This is because the prices are fixed for a period of time, sometimes three or more years, and generally should not fluctuate. This includes items purchased under Health Purchasing Victoria contracts and whole of Victorian Government contracts.

There could be a higher exposure to foreign exchange or commodity price risk when a public sector agency negotiates pricing directly for goods and services with the supplier, for example when a public sector agency purchases directly from an overseas supplier in an overseas currency. Public sector agencies purchasing goods and services directly from a supplier and negotiating individual pricing need to be aware of the requirements of Standing Directions 4.5.7 and 4.5.8.

Materiality

A public sector agency that has a foreign currency exposure that is in aggregate less than AUD $1 million and is known with certainty must hedge the exposure where it is considered material. Determining what is a material risk is the responsibility of the public sector agency. Below is some high level guidance:

Materiality is the concept of establishing the importance of information in accordance with Australian Accounting Standard AAS 5. In general an item of information is material if its omission, non-disclosure or mis-statement in the financial statements would adversely affect a user’s decisions about the allocation of scarce resources.
It is expected that public sector agencies will include within the policy a definition for materiality based on their knowledge of the agency’s circumstances.

Authorised deposit-taking institution (ADI)

For a complete list of ADIs please visit the Australian Prudential Regulation Authority’s website: http://www.apra.gov.au/adi/Pages/adilist.aspx

Accounting implications

Public sector agencies are required to comply with relevant Australian accounting standards and Financial Reporting Directions (FRDs). For guidance regarding accounting for financial instruments and hedge transactions, please refer to FRDs 114A and 116.

Exemptions

Agencies with a legitimate business reason not to comply with this Direction must seek the written approval of the Treasurer. An example of where an exemption might be considered is where TCV could not provide a suitable hedging product. Agencies seeking an exemption should first contact DTF using the contact details below.

The Director, Financial Assets and Liabilities Group
Department of Treasury and Finance
Level 5, 1 Treasury Place
Melbourne VIC 3002
Telephone: 9651 0922

TCV contact

For further information regarding hedging instruments and process, please consult TCV.

Treasury Client Services
Treasury Corporation of Victoria
Level 12, 1 Collins Street
Melbourne VIC 3000
Tel: 9650 7577
Fax: 9650 7557

Foreign exchange risk policy content

It is expected that public sector agencies will have a policy in place to address foreign exchange risk, which may be incorporated in an overall treasury management policy. The policy should include the following:

Objective of policy

Definition of foreign exchange risk

Definition of materiality

Level of exposure to foreign exchange risk
Each public sector agency is expected to determine its level of exposure to foreign exchange risk for inclusion within the policy.
Risk owner
Each public sector agency is expected to assign a person within the organisation to be the risk owner, who is responsible for the management of foreign exchange risk, and include his/her details within the policy.

Responsibilities
List of board, committee/s and/or person/s responsible for foreign exchange risk, including details of the responsibilities of each in relation to foreign exchange risk.

Foreign exchange risk management
Details on how the foreign exchange risk will be managed. This is expected to include what products would be used to hedge the agency’s foreign exchange risk, and any applicable restrictions (e.g. no historical rate rolls, no sold positions on options, no trading, no leveraging).

Monitoring
Details of how foreign exchange risk is to be monitored by the public sector agency. This should include details on periodic monitoring or reporting, and procedures in place to monitor any policy breaches.

Delegation of authority
Details of any delegated authorities and any limitations on the authority.

Frequency of review
Details on how often the policy is to be reviewed.

Sample foreign exchange policy

Foreign exchange risk

Definition
Foreign exchange risk is the risk of financial loss due to adverse movements in exchange rates. A foreign exchange exposure is considered material if the value of the exposure is in excess of AUD$250 000. The current operation of agency ABC does not create exposure to foreign exchange risk. If foreign exchange risks are identified, the matter will be referred to the audit and risk committee and Board.

Objective
The objective is to ensure that when such risks are identified, the audit and risk committee and Board are notified promptly. Then the objective will be to identify all foreign exchange exposures and ensure that material exposures which are known with certainty in respect of both timing and amount are fully hedged.
Responsibilities

Executive Manager Finance and Customer Services to:
(a) ensure that all borrowings are through TCV and hence there should be no foreign exchange exposures from borrowings;
(b) inform the audit and risk committee and Board of any foreign exchange risks identified and the appropriate actions taken or to be taken in managing the risk; and
(c) raise any other matters that may need to be considered by the audit and risk committee and Board in relation to the management of foreign exchange risk.

Audit and risk committee
To recommend to the Board:
(a) to consider any matters in relation to the management of foreign exchange risk.

Board
(a) to note the hedging of any foreign exchange exposures which are known with certainty in respect of both timing and amount; and
(b) to consider any other matters in relation to the management of foreign exchange risk.

Foreign exchange risk management

The financial arrangements to hedge, protect or manage foreign exchange exposures as authorised by DTF are:
(a) forward foreign exchange contract;
(b) option on foreign exchange; and
(c) any combination of the above.

Historic rate rolls are not permitted in terms of this policy. In relation to options on foreign exchange, sold positions are specifically not permitted.

Usage of risk management products to manage financial risk is restricted to bona fide hedging purposes only. For the purpose of this policy document, the following criteria must be met to constitute a hedge:
(a) the item to be hedged must expose agency ABC to financial risk from exchange rate movements. In particular, the item must not already be effectively hedged by an offsetting risk;
(b) the instrument must be designated as a hedge at the time of taking out the hedge;
(c) no trading is permitted. All hedges must match an underlying exposure; and
(d) the underlying exposure shall not be levered through the use of derivatives or any other instruments that have a leveraging effect.

Material foreign currency positions must be marked-to-market on a regular basis, at least monthly. The methodology used to value the foreign currency positions must conform to generally accepted commercial practice.

User guide to Standing Direction 4.5.8

Direction requirement 34
Commodity risk management

Introduction

This Standing Direction requires that:
• a public sector agency develop appropriate policies and procedures for managing exposure to specific commodity risk where it is considered these risks could have a material impact on the business; and
• a public sector agency must consider whether fully hedging the exposure is appropriate.

It is important to note that full or partial hedging of the exposure is not a requirement but should be considered by the public sector agency where the exposure is material to the business.

Definition and example of commodity risk

Commodity risk is a risk to operating result or capital due to a change in the price of a commodity that is a key input or output of a business.47 For example, a transport organisation will be required to purchase fuel to operate its fleet. A commodity price risk arises because the future price of fuel is uncertain. If fuel prices are rising the organisation will have to pay more for fuel and this might reduce the organisation’s operating margins if the increased prices cannot be passed on to the customers.48

Commodity is defined as: A tradable item that can generally be further processed and sold; includes industrial (metals such as aluminium), agricultural (wool, wheat, sugar, etc.), and bulk (coal, iron ore) goods. Commodities are important to the Australian economy as they account for the majority of our exports.
From Australian dictionary of investment terms.

47 Whole of State Risk Map.
48 http://www.invesco.com.au/web/webdict.nsf/lookuptermsmall/commodity?opendocument

Examples of a definition of commodity price risk that could be included in a policy are below:
• Commodity price risk is the risk that a change in the price of a commodity that is a key input or output of a business will adversely affect its financial performance; and
• Commodity price risk is defined as the risk that changes in commodity prices will have an impact on the cost of purchased raw materials and the proceeds received for commodities sold.

Commodity hedging

Hedging is the process of reducing or removing the price risk associated with a particular exposure. Hedging is a means of protecting against price uncertainty. The most common hedging strategy is to set a future price of a commodity today by using a forward rate contract. These contracts can be provided by the Treasury Corporation of Victoria (TCV); see contact details below. By using this type of contract a public sector agency can have certainty today about what price it will pay in the future for a commodity. Regardless of how the actual commodity price changes, a public sector agency will be able to buy at an agreed price. The forward contract protects against price rises but also excludes any benefit arising from falling prices.

If the regular course of business does not involve speculating on future commodity prices and commodity exposure is seen as material, consideration should be given to hedging.

State purchase contracts

When a public sector agency purchases goods and services using fixed price state purchase contracts it is reducing its foreign currency and commodity price exposure. This is because the prices are fixed for a period of time, sometimes for three years or more, and generally should not fluctuate. This includes items purchased under Health Purchasing Victoria contracts and whole of Victorian Government contracts.

There could be a higher exposure to foreign exchange or commodity price risk when a public sector agency negotiates pricing directly for goods and services with the supplier, for example when a public sector agency purchases directly from an overseas supplier in an overseas currency. Public sector agencies purchasing goods and services directly from a supplier and negotiating individual pricing need to be aware of the requirements of Standing Directions 4.5.7 and 4.5.8.

Materiality

It is the responsibility of the public sector agency to develop policies and procedures for managing exposure to specific commodity risk where it is considered these risks could have a material impact on the business. Determining what is a material risk is the responsibility of the public sector agency. Below is some high level guidance:

Materiality is the concept of establishing the importance of information in accordance with Australian Accounting Standard AAS 5. In general an item of information is material if its omission, non-disclosure or mis-statement in the financial statements would adversely affect a user’s decisions about the allocation of scarce resources.

Accounting implications

Public sector agencies are required to comply with relevant Australian accounting standards and Financial Reporting Directions (FRDs). For guidance regarding accounting for financial instruments and hedge transactions, please refer to FRDs 114A and 116 published on the DTF website.

Treasury Corporation of Victoria contact details

For further information regarding hedging instruments, please contact TCV.
Treasury Client Services
Treasury Corporation of Victoria
Level 12, 1 Collins Street
Melbourne VIC 3000
Tel: 9650 7577
Fax: 9650 7557

Commodity risk policy content

The commodity risk policy may be incorporated in an overall treasury management policy. The policy should include the following:

Objective of policy

Definition of commodity risk

Definition of materiality

Level of exposure to commodity risk
Each public sector agency is expected to determine its level of exposure to commodity risk for inclusion within the policy.

Risk owner
Each public sector agency is expected to assign a person within the organisation to be the risk owner, who is responsible for the management of commodity risk, and include his/her details within the policy.

Responsibilities
List of Board, committee/s and/or person/s responsible for commodity risk, including details of the responsibilities of each in relation to commodity risk.

Commodity risk management
Details on how the commodity risk will be managed. This is expected to include what products would be used to hedge the agency’s commodity risk, and any applicable restrictions (e.g. no sold positions on options, no trading, no leveraging).

Monitoring
Details of how commodity risk is to be monitored by the public sector agency. This should include details on periodic monitoring or reporting, and procedures in place to monitor any policy breaches.

Delegation of authority
Details of any delegated authorities and any limitations on the authority.

Frequency of review
Details on how often the policy is to be reviewed.

Sample commodity risk policy

Definition
Commodity risk is the risk of financial loss resulting from movements in the price of commodity inputs and/or outputs. The current operation of ABC does not create exposure to commodity risk. If commodity risks are identified, the matter will be referred to the audit and risk committee and the Board.
Objective
The objective is to ensure that when such risks are identified, the audit and risk committee and Board are notified promptly.

Responsibilities

Executive Manager Finance and Customer Services
(a) To inform the audit and risk committee and Board of any commodity risks identified and the appropriate actions taken or to be taken in managing the risk; and
(b) To raise any other matters that may need to be considered by the audit and risk committee and Board in relation to the management of commodity risk.

Audit and risk committee
To recommend to the Board:
(a) To note any commodity risk and the actions to be taken to manage the risk; and
(b) To consider any other matters in relation to the management of commodity risk.

Board
(a) To note any commodity risk and the actions taken to manage the risk; and
(b) To consider any other matters in relation to the management of commodity risk.

Delegation of authority

This section outlines the schedule of delegated authorities in executing treasury transactions. Transactions required to hedge underlying commodity exposures must be undertaken through TCV.

Responsibilities                  Number of authorisations required   Authorising officers                               Transaction limit
(1) Approve hedging transaction.  TCV = 2; Other = 2                  Managing Director                                  Unlimited
                                                                      Executive Manager Finance and Customer Services    Unlimited
                                                                      Manager Financial Services                         $2 million