3. Knowing your entity’s business

Better-practice entities appreciate that a greater understanding of their business allows them to make better-informed decisions, relating to planning for and adopting particular approaches to financial statements.

The finance team’s ability to prepare high-quality financial statements, on time, is enhanced if they possess both financial acumen and a sound knowledge of the entity, its operations and business environment.

As the environment within which an entity operates is continually changing, it is critical to monitor changes on an ongoing basis in areas such as legislation, government policy and accounting requirements.

3.1 Knowing the applicable legislation and requirements

Each entity needs to be familiar with relevant requirements of the applicable financial reporting framework. This includes legislation, policy requirements and related guidance that may affect its financial management and reporting responsibilities.

Non-compliance with legislative requirements could result in the under-collection of revenue, overpayment of entitlements and over-delivery or non-delivery of Government services. Incorrect interpretations of complex legislation may also result in the inappropriate recognition of transactions or incomplete transactions.

3.1.1 Legislation and governance requirements

Australian Government entities are diverse, which means classification is not always straightforward. There are three high-level groupings of entities:

  • Non-corporate Commonwealth entities

  • Corporate Commonwealth entities, and

  • Commonwealth companies.

    Legislation affects an entity’s administration and financial reporting responsibilities and the PGPA Act further clarifies an entity’s financial and corporate governance requirements.

Government entities are also classified as either ‘material’ or ‘non-material’ based on the extent to which their financial information has a material impact on the whole of government financial statements or if they are considered material in nature, such as departments of state.

The following publications and guides assist entities in clarifying applicable requirements:

  • Governance structures in the public sector —provides an overview of the types of structures used across the Commonwealth public sector

  • PGPA Flipchart and entity list —a reference to all entities subject to the PGPA Act, the position title for each accountable authority (for the purpose of the PGPA Act) and whether the entity is currently classified as ‘material’

  • Governance policy —considerations and decisions influencing the design of a body’s governance structure. A comprehensive regime of internal control is essential for effectively managing the risks that may affect the financial statements preparation process. Entities need to have in place appropriate governance programs including:

    • control activities —activities such as delegations, authorisations, reconciliations, segregation of duties, physical security of assets, systems access and security are important controls that individually or in combination with others, can help prevent, or detect and correct misstatements in classes of transactions, account balances, or note disclosures

    • policies —well defined policies should be developed to:

      • set clear directions on how an entity approaches and discharges its external accountability responsibilities

      • provide a link between the financial statements process and other business processes such as budgeting and business operations, and

      • clearly defines roles and responsibilities, structures, plans, performance and management oversight arrangements.

    • training and recruitment —the selection and training of staff, a clear understanding of roles and responsibilities, and an understanding of financial reporting and accountability requirements are important factors in preventing non-compliance with legislation and ensure sound financial management and reporting

    • procedures —clearly documented procedures provide guidance for all those who have financial management responsibilities. In this context, procedures include Accountable Authority Instructions (AAI) or their equivalent, financial and administrative procedures, financial management information system manuals, checklists and templates. To be effective, these must be kept up-to-date and readily accessible to staff, and

    • information systems —better-practice entities have financial management information systems capable of producing complete, accurate and reliable financial and related information. It is also important that system functionality supports processing and information requirements for the financial statements.

  • Commonwealth Government Business Enterprises – Governance and Oversight Guidelines Resource Management Guide No. 126 ( RMG 126 ) is relevant to Government Business Enterprises ( GBEs ) that are Commonwealth entities or wholly owned Commonwealth companies. RMG 126 outlines the oversight arrangements for entity GBEs and company GBEs that are prescribed in the PGPA Rule, and provides guidance regarding board and corporate governance, planning and reporting, financial governance and other governance matters.

3.1.2 Legislative and policy compliance

Compliance with legislation and relevant government policies is a central element of public sector administration. Entities need to have in place appropriate systems of internal control, risk management and oversight that are designed to ensure officials and service providers comply with relevant legislative and policy requirements.

Entities should periodically identify and review the legislative and policy requirements with which it must comply. Better-practice entities also implement appropriate educational and learning and development programs aimed at providing relevant staff with sufficient knowledge and understanding of their specific responsibilities.

3.1.3 Resources

Resource name

Resource description

Governance structures in the public sector

Provides an overview of the types of structures used across the Commonwealth public sector

PGPA Flipchart and entity list

A Finance site that provides a series of resources on Government structures, portfolios, entities, accountable authorities etc.

Governance policy

A Finance site that provides information on Commonwealth governance structures policy (governance policy) and identifies efficient and fit-for-purpose governance arrangements.

Government Business Enterprises (GBEs)

Links to a Finance site that provides the rules and guidance for prescribing GBEs.

RMG 126

A Finance site with RMG 126 and other information for GBEs.

3.2 Knowing the entity’s purpose, plans and performance

Each entity produces various documents that provide invaluable information about the entity, its purpose, objectives and measures of success, including the corporate plan, portfolio budget statements and the annual report.

3.2.1 The enhanced Commonwealth performance framework

A key focus of the enhanced Commonwealth performance framework (ECPF) is ensuring that program managers, the accountable authorities of entities, ministers, the Parliament and the public are able to use performance information to draw clear links between the use of public resources and the results achieved.

There are three key components of the ECPF, the:

  • corporate plan

  • Portfolio Budget Statements, and

  • annual performance statements (which are included in an entity’s annual report).

3.2.2 Corporate plans

Corporate plans are the primary planning document of a Commonwealth entity and company. It sets out the purposes of the entity, the activities it will undertake to achieve its purposes and the results it expects to achieve over a minimum four-year period. It explains how the entity’s performance will be measured and assessed.

Corporate plans also describe the environment in which the entity operates, the capability required to undertake activities and a discussion on entity risk.

Corporate plan requirements are determined by Section 16E of the PGPA Rule. RMG 132 Corporate plans for Commonwealth entities (RMG 132) provides more information about corporate plans.

3.2.3 Portfolio Budget Statements (PBS)

The PBS supports Annual Appropriations. It is tabled in Parliament to support the Annual Appropriation Bills. It informs Senators and Members of Parliament of the proposed allocation of resources to government outcomes and programs.

The PBS provides high-level performance information for current and ongoing programs, including a forecast of performance for the current year. It provides more detailed performance information for proposed new budget measures that require a new program or significantly change an existing program. Performance information in the PBS is mapped to the corporate plan by explicitly linking a program to the entity’s purpose as expressed in the corporate plan.

The PBS also provides links to relevant programs undertaken by other entities.

The content of the performance section of a PBS is determined by the Secretary of Finance direction on the requirements for performance information included in PBS.

3.2.4 Annual reports

Annual reports are a key element of the ECPF, established under the PGPA Act.

Annual reports serve to inform the Parliament (through the responsible Minister), other stakeholders, educational and research institutions, the media and the general public about the performance of entities in relation to activities undertaken. The reporting of the actual performance of entities in the annual report against the planned performance information outlined in their PBS and corporate plans are important parts of the Commonwealth’s resource management framework.

Annual reports are also a key reference document for internal management and staff. They form a critical part of the historical record.

3.2.5 Annual performance statements

The annual performance statements are included in an entity’s annual report. They report on the actual performance results for the year against the forecasts made in the corporate plan and PBS, and provide other performance information relevant to the entity. The entity must provide an analysis of the factors that contributed to the entities performance results.

Annual performance statement requirements are determined by Section 16F of the PGPA Rule. RMG 134 Annual performance statements for Commonwealth entities ( RMG 134 ) provides more information about annual performance statements.

3.2.6 Resources

Resource name

Resource description

Enhanced Commonwealth performance framework

A Finance site that provides guidance on requirements of the enhanced Commonwealth government performance framework.

RMG 132


Provides guidance on corporate plans for Commonwealth entities.

Direction on the requirements for performance information in PBS.

Provides the requirements for performance information to be included in the PBS.

RMG 134


Provides guidance for preparing annual performance statements for Commonwealth entities.

3.3 Knowing the entity’s financial governance arrangements

Good practice in financial reporting throughout the year enables entities to better respond to change in a timely manner and significantly enhances the quality of their financial statements.

Although broader in application, both good risk management practices and ICT controls have a direct impact on the preparation of financial statements and the quality of the final product. More information is included at: 4. Planning for year-end financial statements.

In addition, outsourcing functionality through shared services arrangements is becoming increasingly common in Government. As entities continue to be accountable for the quality of data in these circumstances, it is important to maintain close working relationships with shared services providers and obtain appropriate data assurances. More information is included at: 7. Development processes and procedures and: 7.9 Shared services.

Better understanding of their business, enables entities to assess the maturity of their financial statement preparation approach to support risk management activities and identify areas for improvement in future years. More information is included at: 4. Planning for year-end financial statements.

3.3.1 The accountable authority

Each Commonwealth entity has an accountable authority. This is either a person or group of persons with responsibility for, and control over, the entity’s operations.

Commonwealth entities – both corporate and non‑corporate – are led by a Secretary, Chief Executive, or governing board accountable authority.

The following table, from subsection 12(2) of the PGPA Act, sets out the person(s) or body that is the accountable authority of an entity:

If the Commonwealth entity is:

The entity’s accountable authority is:

A Department of State

The Secretary of the Department

A Parliamentary Department

The Secretary of the Department

A listed entity

The person or group of persons prescribed by an Act or the PGPA Rules as the accountable authority

A body corporate established by
a law of the Commonwealth

The governing body of the entity, unless otherwise prescribed by an Act or the PGPA Rules

3.3.2 Responsibilities of the accountable authority

The PGPA Act sets out the requirements for the governance, reporting and accountability of Commonwealth entities and Commonwealth companies and confers responsibilities and powers on these people in relation to financial management and reporting matters.

The accountable authority, among other responsibilities, is responsible for:

  • the overall resource management of their entity, causing accounts and records to be kept in a manner that properly records and explains the entity’s transactions and financial position (subsection 41(1) of the PGPA Act)

  • establishing an audit committee as required by S45(1) of the PGPA Act, ensuring that:

    • the audit committee’s function of reviewing the appropriateness of financial statements is included in the written charter for the audit committee (subsection 17(2) of the PGPA Rule), and

    • the audit committee has appropriate knowledge, skills and/or experience to perform its functions under the charter (subsection 17(3) of the PGPA Rule).

  • the preparation of the financial statements in accordance with section 42 of the PGPA Act and is a signatory to the financial statements, certifying whether, in their opinion, the financial statements:

    • comply with the AAS and any other requirements prescribed by the rules, and

    • present fairly the entity’s financial position, financial performance and cash flows.

It is also important that the accountable authority ensures that the CFO’s responsibility for preparing the financial statements is well understood.

When authorising a new Commonwealth entity spending initiative, the accountable authority should confer with the Australian Government Solicitor, to ensure the proposed expenditure has sufficient constitutional and legislative authority.

3.3.3 The Chief Financial Officer

An entity’s CFO is responsible for preparing the financial statements in accordance with relevant legislative and policy requirements. The CFO will also generally have operational responsibility for the main financial systems that underpin the financial statements, along with the guiding policies and procedures.

A key element in the CFO fulfilling these responsibilities is the maintenance of effective relationships with relevant business areas of the entity, the ANAO, Finance and other entities that collect money and/or expend money on the entity’s behalf.

The CFO relies on input from business areas in preparing the financial statements. It is therefore essential that the CFO has well-established relationships with these areas. It is generally the responsibility of the CFO to identify, in consultation with the relevant business areas, the nature and timing of the necessary information flows between the finance area and business areas.

Demonstrating positive leadership and adopting an open and constructive approach, rather than a policing role, is more likely to lead to business areas meeting their responsibilities in the context of an entity’s financial statements.

The relationship between the CFO and the audit committee is an important one in the context of the committee’s function to review the appropriateness of financial statements. The CFO is not permitted to be a member of the audit committee but is often an ‘advisor’ with a key responsibility to provide assurance (generally by way of signoff) that the financial statements are accurate.

Arrangements should be in place for the CFO to advise the audit committee, in a timely manner, of:

  • significant accounting and financial reporting issues that may affect the financial statements

  • the underlying systems of internal control, and

  • actions taken to address issues.

3.3.4 Audit committees

Audit committees are integral to good corporate governance of Commonwealth entities. A strong audit committee can significantly assist the accountable authority in meeting their duties and responsibilities under the PGPA Act.

Under the PGPA Rule (subsection 17(1)), the accountable authority of a Commonwealth entity must determine the functions of the entity’s audit committee by written charter. The charter is the accountable authority’s blueprint for the audit committee’s operations. The PGPA Rule (subsection 17(2)) states that the functions must include reviewing the appropriateness of the accountable authority’s:

  • financial reporting

  • performance reporting

  • system of risk oversight and management, and

  • system of internal control for the entity.

The role of the audit committee is expected to include actively reviewing the entity’s processes and systems for preparing financial reporting. As part of this active process, the entity has to stay informed of changed requirements in relation to financial reporting throughout the year.

Once mandatory requirements are met, the accountable authority may want to specify other functions of the audit committee, as well as other matters relevant to the committee’s operation. The charter should be developed to meet the needs of the accountable authority, allowing for its entity’s objectives and culture, and the context in which it operates. In reviewing the entity’s year-end financial statements, the audit committee may provide written advice to the accountable authority on the outcome of its review. To support the audit committee in performing this function effectively, it is important that the committee is kept informed throughout the year (not just at year-end), of all significant issues that may directly or indirectly affect the entity’s resource management and financial reporting arrangements.

For more information see RMG 202: Audit committees.

3.3.5 Other management committees

Most entities will operate various management committees as part of the governance arrangements. In the context of an entity’s financial statements, finance committees may be established and given overall management responsibility for their preparation.

When the accountable authority directs the creation of a finance committee, the committee’s role may include supporting the audit committee in discharging its financial reporting review function. Often a member of the audit committee chairs the finance committee, which assists in streamlining information back to the audit committee. Use of a finance committee does not reduce or diminish the audit committee’s responsibilities. In setting up finance committees, audit committee members should ensure that they are not delegating their responsibilities or independence and that they continue to meet their obligations under the PGPA Rule.

To ensure the independence of the audit committee, it is not appropriate for the roles of a finance committee and an audit committee to be combined, and it is important that the respective roles of these committees are well-defined and there are agreed lines of communication between them.

3.3.6 The entity’s internal audit arrangements

Depending on the role and mandate of the entity’s internal audit arrangements, the internal audit function can have an important role in validating the appropriateness of the entity’s resource management and financial reporting arrangements, and assessing the appropriateness of an entity’s financial statements.

Areas where internal audit can support the preparation of the financial statements include:

  • reviewing new systems during the implementation stage to help ensure that adequate control mechanisms and governance arrangements are put in place

  • providing objective assistance in developing financial management systems to ensure compliance with relevant accounting requirements and the provision of timely and reliable information for financial reporting purposes

  • reviewing high risk financial statements items

  • reviewing the robustness of management sign-offs

  • following up remedial actions by management to assess whether they have been implemented in a timely manner

  • conducting periodic checks to monitor progress against the financial statements preparation timetable

  • undertaking quality assurance reviews of data quality and financial statements processes. This may include reviewing working papers and draft financial statements for compliance with the FRR and relevant entity policies, and/or

  • providing assurances about the effective and ethical use of resources and legal compliance, specifically targeting high risk issues that may have a material effect on the financial statements.

3.3.7 The Auditor-General and external audit processes

The Auditor-General for Australia is an independent officer of the Parliament with responsibility under the Auditor-General Act 1997 for auditing Commonwealth entities and reporting to the Australian Parliament. The Auditor-General is supported by the ANAO.

The primary role of the Auditor-General is to assist the Australian Parliament in its role of scrutinising the exercise of authority and the expenditure of public funds by the Executive arm of the Commonwealth of Australia. The ANAO’s primary relationship is therefore with the Australian Parliament, particularly the Joint Committee of Public Accounts and Audit (JCPAA). The JCPAA is the ANAO’s oversight committee under the Public Accounts and Audit Committee Act 1951.

The ANAO supports the work of the Parliament by providing input to the Auditor-General’s independent assurance and opinions, and by providing information, assistance and briefings to parliamentarians and committees of the Parliament.

Through the audit and related services provided to the Parliament by the Auditor-General and ANAO, the Australian public can have confidence that the Auditor-General is examining and reporting on the actions of Commonwealth entities and whether public resources are being used economically, efficiently, effectively and ethically.

The ANAO supports the Auditor-General’s conduct of the full range of audits and related services under the Act. These include:

  • providing assurance on the fair presentation of financial statements of the Australian Government and its entities by providing independent audit opinions

  • presenting two reports annually, addressing the outcomes of the financial statements audits of Australian Government entities and the consolidated financial statements of the Australian Government

  • conducting performance audits of Australian Government programs and entities, including reporting key learnings for all Australian Government entities

  • providing other assurance reviews, including the Defence Major Projects Report and audits by arrangement

  • reporting directly to the Parliament on any matter, such as information reports, and

  • publishing audit insights and key learnings from audit work.

    In relation to financial statements, the ANAO tables two consolidated reports in the Parliament each year. The first details the results of the interim phase of the audit of the financial statements of major entities, and the second report provides a summary of the results of all financial statements audits undertaken in each year.

The ANAO has an important relationship with the accountable authorities of Commonwealth entities, who have primary responsibility for, and control over entities’ operations. This relationship is also supported by the ongoing engagement undertaken with officials of audited entities and entities’ audit committees.

The ANAO engages with auditees at a number of levels to strengthen relationships and promote improved public sector performance.

More information on the role of the ANAO in auditing the entity’s financial statements is included at: 10. Foundations for a smooth external audit process.

3.3.8 The finance team

The CFO and the finance team have primary carriage of the preparation and coordination of the annual financial statements. Their responsibilities include:

  • preparing the financial statements within the required timeframe. This involves:

    • ensuring that the statements are supported by an entity’s accounts and records

    • that all figures and information are capable of audit verification, and

    • that the financial statements comply with relevant legislative, policy and professional requirements.

  • explaining major variances of reported amounts from budgeted and previous year actual amounts

  • providing leadership in developing financial management strategies and policies

  • providing periodic (generally monthly) financial reports and related analysis to the accountable authority and other levels of management

  • conducting quality assurance reviews of information provided by business areas and external parties

  • managing and monitoring the timely remediation of financial statement audit findings

  • promoting sound accounting policies and practices, including implementing and providing guidance on applicable accounting standards, and

  • maintaining the entity’s financial management information systems (FMIS).

3.3.9 Officials of the entity

Financial management is the responsibility of all officials who exercise delegations and expend relevant moneys. In doing so, it is important that officials in Commonwealth entities are aware of their responsibility to comply with relevant legislative and policy requirements, including any instructions/directions from their accountable authority, and maintain records in accordance with an entity’s recordkeeping policies as provided in their AAI and the entity’s delegations.

Officials should also:

  • read, understand and focus upon the contents of financial reports

  • consider whether the financial statements are consistent with their knowledge of the entity’s financial position

  • consider the statutory requirements

  • apply the knowledge he or she has of the affairs of the entity

  • where appropriate, challenge unusual or unexpected trends or balances, and

  • make further inquiries, if matters revealed in the financial statements call for such inquiries.

    Accountable authorities (or members of accountable authorities e.g. board members) should acquire a degree of financial literacy, including a knowledge of the entity’s finance polices, as well as accounting practices and standards, so they are able to appropriately review and monitor the financial statements.

3.3.10 Resources

Resource name

Resource description

Accountable authority

Provides guidance on role and responsibilities of accountable authorities with links to related PGPA Act and PGPA Rule provisions.

RMG 202

Provides guidance on the role of audit committees including matters that the accountable authority could consider when determining the audit committee's functions, structure and conduct.

3.4 Knowing your entity’s risks and assurance processes

Section 16 of the PGPA Act provides that accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity.

  • Non-corporate Commonwealth entities —must comply with the Commonwealth Risk Management Policy, which supports the requirements of section 16 of the PGPA Act.

  • Corporate Commonwealth entities —are not required to comply with the Commonwealth Risk Management Policy, but should review and align their risk management frameworks and systems with this policy as a matter of good practice.

In preparing the financial statements, entities need to design, implement and maintain risk management practices and internal controls to:

  • comply with relevant legislative and policy requirements

  • accurately record all relevant financial transactions, and

  • prevent or detect and correct misstatements, whether due to fraud or error.

3.4.1 The entity’s financial risk appetite and tolerance

Risk appetite is the amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement, or series of statements, that describes the entity’s attitude towards risk taking and assists entities to make better choices by considering risk more effectively in decision making.

Risk tolerance represents the practical application of risk appetite and is typically aligned to categories of risk such as strategy, financial, people or reputation.

Risk appetite sets the tone for risk-taking in general, whilst tolerance informs:

  • expectations for mitigating, accepting and pursuing specific types of risk

  • boundaries and thresholds of acceptable risk taking, and

  • actions to be taken or consequence for acting beyond approved tolerances.

The risk assessment process enables an entity to understand how much risk it is exposed to, and defining risk appetite and tolerance allows them to articulate how much risk the entity is willing to accept. Only when both risk appetite and tolerance are clearly understood can the entity understand if its risk exposure is acceptable. Some key questions that finance teams should consider are:

3.4.2 Fraud control

Fraud is a threat that affects every Commonwealth entity in all areas of business, including benefits, taxation, procurement, grants and internal procedures.

The misappropriation of assets, for example, the theft of physical assets or payment for fictitious goods and services, will diminish the financial resources of an entity and can lead to a lack of confidence in public sector administration. In addition, fraudulent financial reporting, such as the falsification of accounting records, the intentional omission of transactions or the misapplication of accounting principles, has the potential to mislead users of the financial statements.

In order to manage fraud related risks, the Government has developed the Commonwealth Fraud Control Framework under the PGPA Act.

The Fraud Control Framework consists of three tiered documents each with a different binding effect as set out below:

  • Section 10 of the PGPA Rule (Fraud Rule) —a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control

  • the Commonwealth Fraud Control Policy (Fraud Control Policy) —a Government Policy binding non-corporate Commonwealth entities setting out procedural requirements for specific areas of fraud control such as investigations and reporting, and

  • RMG 201. Preventing, detecting and dealing with fraud (RMG 201) —a better practice document setting out the Government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

Non-corporate Commonwealth entities must comply with the Fraud Rule and Fraud Control Policy. While they are not bound by RMG 201, the Government considers it as better practice and expects that entities will follow the fraud guidance where appropriate in meeting the requirements of the Fraud Rule and Fraud Control Policy.

Corporate Commonwealth entities must comply with the Fraud Rule. While they are not bound by the Fraud Control Policy or RMG 201, the Government considers both documents as better practice for corporate Commonwealth entities and expects that these entities will follow the Fraud Control Policy and RMG 201, where appropriate, in meeting the requirements of the Fraud Rule.

The table below shows the three tiers of the Commonwealth Fraud Framework and the different binding effect for non-corporate and corporate entities.


Fraud Rule

Fraud Control Policy

RMG 201




Better practice



Better practice

Better practice

Entities are required to implement procedures designed to prevent the occurrence of fraud.

This may include:

  • control activities —activities such as delegations, authorisations, reconciliations, segregation of duties, physical security of assets, systems access and security are important controls that individually or in combination with others, can help prevent and detect fraud

  • training and recruitment —the selection and training of staff, a clear understanding of roles and responsibilities, and an understanding of financial reporting and accountability requirements are important factors in detecting fraud, and

  • information systems —better-practice entities have financial management information systems that reduce manual processing which reduces the risk of fraud. More information on internal controls is included at: 3.1.1 Governance policy.

3.4.3 Resources

Resource name

Resource description

Example: Risk framework for financial statements

This framework sets out the risk and assurance profile for the financial statements process for an entity.

Example: Risk analysis for financial statements

This risk analysis process for financial statements can assist management to prioritise the resources allocated to the preparation of the financial statements.


This online resource links sections of the PGPA Act to related rules and guidance.

Commonwealth Risk Management Policy

Provides the requirements of section 16 of the PGPA Act for systems and internal controls to manage risk.

Comcover Risk Management Resources

Provides Comcover risk management information sheets, relevant to all Commonwealth employees.

Commonwealth Fraud Control Framework

Outlines the Government's requirements for fraud control.

3.5 Knowing your entity’s information and communication technology controls

Both good risk management practices and ICT controls have a direct impact on the preparation of financial statements and the quality of the final product.

Entity ICT systems are used extensively for the processing of financial information that is used to prepare its financial statements. ICT controls include entity-wide general controls that establish an entity’s ICT infrastructure, policies and procedures, together with specific application controls that validate, authorise, monitor and report financial and human resource transactions.

Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ( ASA 315 ), issued by the Auditing and Assurance Standards Board (AUASB), provides guidance on identifying and assessing the risks of material misstatement of financial statements, including risks associated with an entity’s ICT environment. Where those risks are applicable to its particular business and operational circumstances, it is expected that an entity will implement appropriate controls to mitigate them.

3.5.1 Protective security and ICT controls

The Protective Security Policy Framework ( PSPF ), developed by the Attorney­-General’s Department, articulates government protective security policy. It also provides guidance to entities to support the effective implementation of the policy across the areas of security governance, personnel security, physical security and information.

The PSPF includes a core requirement that each entity must have in place security measures during all stages of ICT systems development. This includes certifying and accrediting ICT systems in accordance with the Australian Government Information Security Manual (ISM), as published by the Australian Cyber Security Centre (ACSC).

ACSC has also developed Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate incidents caused by various cyber threats.

3.5.2 Risk management and ICT controls

The ISM specifies a broad set of ICT controls, designed to encompass the wide range of potential implementation scenarios for ICT systems. It is generally considered an entity’s responsibility to filter this list of ICT controls based on the functionality and componentry of ICT systems they implement and make risk-based assessments on the application of those ICT controls within the context of each specific ICT system as well as the broader networks or environments which house them.

  • Where scenarios are found to exist that are not described or covered within the ICT controls detailed in the ISM, vendor and industry best practice is also used to inform the approach to applying ICT controls.

Further information is available at:

3.5.3 Resources

Resource name

Resource description

ASA 315

An AUASB compilation of auditing standards relating to risks of material misstatement.


Attorney-General’s Department site that provides the PSPF.


Australian Cyber Security Centre site that provides cyber security guidelines within the ISM.

Strategies to Mitigate Cyber Security Incidents

Australian Cyber Security Centre site that complements the ISM and discusses strategies to mitigate cyber security incidents.

Essential Eight Maturity Model

Australian Cyber Security Centre site that complements the advice in the strategies to mitigate cyber security incidents .

3.6 Anticipating and responding to change

The CFO and other key staff should keep abreast of developments affecting financial statements so that new or changed requirements are incorporated into revised procedures and practices as early as possible.

It is important that the finance team identifies new or varied requirements arising from changes in legislation and accounting standards and assess their effect on the entity’s financial statements.

3.6.1 Changes to the entity’s operating environment

The operating environment of Commonwealth entities is continually changing. It is therefore critical to constantly monitor changes in areas such as legislation, Government policy and accounting requirements.

Changes in an entity’s business environment can affect the preparation of an entity’s financial statements. It is therefore important that the finance team keeps abreast of changes or potential changes to an entity’s operations, to determine if decisions need to be made about the accounting and/or financial reporting implications.

Important sources of information include:

  • AASB pronouncements (standards and interpretations)

  • finance guidance

  • client seminars conducted by Finance, and

  • the ANAO CFO Forum.

3.6.2 Implementing changes to accounting requirements

The following steps can be taken to assist an entity in identifying and implementing changes in accounting requirements:

  • assign specific responsibility for monitoring, identifying and assessing new and revised requirements. Attendance at Finance and ANAO CFO Forums provides two avenues for keeping up to date with accounting developments relevant to the public sector

  • where changes to accounting requirements will affect, in a substantive way, the entity’s accounting policies and presentation and disclosure in the financial statements, position papers should be prepared outlining the implications of the changes, including how those changes will be implemented. The ANAO should be consulted promptly to obtain early agreement

  • conduct reviews of the statements at least annually, and assess whether the most appropriate accounting policies have been selected and whether presentation can be improved. Changes to an accounting policy should be made only if required by an AAS, or if they would result in the financial statements providing more reliable or more relevant information about the effects of transactions, other events or conditions on the entity’s financial position, financial performance or cash flows

  • prepare draft statements including accounting policy notes for review and agreement by the ANAO well in advance of the year-end, and

  • brief the accountable authority, as required, on any changes that are likely to have significant implications on the financial statements, how these affect the financial performance and position of the entity, and obtain approval of proposed changes, where appropriate.

The timely and comprehensive identification and assessment of risks, both financial and operational, that may give rise to misstatements in the financial statements is critical to the production of good quality financial information. Better-practice entities have robust internal control systems and practices in place to detect, prevent, and mitigate the risk of misstatement of an entity’s financial statements.

3.6.3 Machinery of Government changes

The terms ‘Machinery of Government’ (MoG) and ‘administrative arrangements’ changes are interchangeable and are both used to describe a variety of organisational or functional changes affecting the Commonwealth. Common MoG changes are:

  • changes to the Administrative Arrangements Order (AAO) following a
    Prime Ministerial decision to abolish or create a Commonwealth entity or to move functions/responsibilities between Commonwealth entities, or

  • movement of functions into, or out of, the Australian Public Service.

The APSC, in conjunction with Finance has developed Machinery of Government (MoG) Changes: A Guide as a source of practical guidance to help entities implement MoG changes.

3.6.4 Government policy initiatives

Government policy initiatives in particular may have accounting and/or financial reporting implications. It is important that an entity’s business areas and finance team work collaboratively at an early stage, so that the implications of policy initiatives on financial statements are considered in a timely manner.

In some cases, the accounting or financial reporting issues arising from policy initiatives will have broader Australian Public Service (APS) implications that will require close liaison with Finance and the ANAO.

3.6.5 Business development changes

Business development changes are dictated by Government or the entity’s business priorities. The timing of such changes may not dovetail with the financial statements process. It is important for entities to be alert to any financial statement implications of such developments on an ongoing basis, not just at the time the financial statements are being prepared.

3.6.6 Resources

Resource name

Resource description

Checklist: Machinery of Government restructures

A checklist considering a range of issues relating to the implementing MoG changes in relation to an entity’s financial statements.

AASB pronouncements

AASB site that provides guidance for accessing required pronouncements.


An AASB site which lists the latest version (by operative date) of each Accounting Standard.

MoG Changes: A Guide

An APSC site providing guidance on MoG changes with links to other related sites.


Did you find this content useful?