
Financial Controls Checklist

The Financial Management Compliance Framework (FMCF) User Guide
Supplementary material to be used as guidance only


Table of contents
User Guide to Standing Direction 1
  Introduction
User Guide to Standing Direction 2.1
  Financial Code of Practice
User Guide to Standing Direction 2.2
  Financial Governance – Responsible Body
  Financial Governance – Formal Statements
  Financial Governance – Audit Committee
User Guide to Standing Direction 2.3
  Financial Risk Management
User Guide to Standing Direction 2.4
  Authorisations
User Guide to Standing Direction 2.5
  Internal Audit
User Guide to Standing Direction 2.6
  External Audit
User Guide to Standing Direction 3.1
  Financial Management Structure
User Guide to Standing Direction 3.1.1
  Financial Management Structure – Public Sector Agency Financial Management Team Structure
User Guide to Standing Direction 3.1.2
  Financial Management Structure – Chief Finance and Accounting Officer (CFAO): Credentials and Endorsement
User Guide to Standing Direction 3.1.3
  Policies and Procedures
User Guide to Standing Direction 3.1.4
  Financial Management Structure – Chart of Accounts
User Guide to Standing Direction 3.1.5
  Financial Management Structure – Managing Outsourced Financial Services: Outsourcing Governance and Audit Scrutiny
User Guide to Standing Direction 3.2
  Information Technology Systems
User Guide to Standing Direction 3.2.1
  Information Technology Systems - Information Technology Management
User Guide to Standing Direction 3.2.2
  Information Technology Systems – Information Technology Operations
User Guide to Standing Direction 3.2.3
  Information Technology Systems – Security
User Guide to Standing Direction 3.2.4
  Information Technology Systems - Development
User Guide to Standing Direction 3.2.5
  Information Technology Systems – Change Control
User Guide to Standing Direction 3.3
  Education and Training
User Guide to Standing Directions 3.1.3 and 3.4
  Policies and Procedures
User Guide to Standing Direction 4.1
  Internal Financial Management Reporting
User Guide to Standing Direction 4.2
  Reporting in terms of Part 7 of the FMA
User Guide to Standing Direction 4.3
  Other External Reporting
User Guide to Standing Direction 4.4
  Financial Performance Management and Evaluation
User Guide to Standing Direction 4.5
  Financial Management Compliance Obligations
User Guide to Standing Direction 4.5.1
  Compliance with Directions
User Guide to Standing Direction 4.5.2
  Taxation
User Guide to Standing Direction 4.5.3
  Purchasing card
User Guide to Standing Direction 4.5.4
  Thefts and Losses
User Guide to Standing Direction 4.5.5
  Risk Management Compliance
User Guide to Standing Direction 4.5.6
  Treasury Risk Management

User Guide to Standing Direction 1

Introduction
Contents:
•   Introduction to Standing Directions of the Minister for Finance
•   Attachments:
    o Overview of the Financial Management Compliance Framework
    o Annual FMCF Certification Process

FMCF supplementary material: Internal Controls v1/June 2006
Standing Direction 1 - Introduction to the Financial Management Compliance Framework

The Financial Management Compliance Framework (FMCF) is a
framework to assist Victorian Public Sector (VPS) agencies establish and
maintain effective financial management to support the achievement of
agencies’ key objectives and goals.

It also helps the Victorian government monitor the standard of financial
management in line with the Standing Directions of the Minister for
Finance (the ‘Directions’).

The FMCF was launched by the Department of Treasury and Finance
(DTF) in July 2003 and was subsequently updated in July 2005 and
August 2007.

The Directions are designed to supplement the Financial Management Act
1994 (FMA).

Objectives of the FMCF
The FMCF was developed to:
•   promote effective financial management
•   meet the government’s requirements for accountability
•   provide Ministers (including the Minister for Finance) with reasonable
    assurance that VPS agencies have implemented appropriate systems
    to comply with the Directions and to use public resources efficiently
    and responsibly
•   assist agencies in identifying and documenting their financial
    compliance status

Application and compliance with the FMCF
The FMCF applies to all VPS agencies who:
•   are a “public body” (defined in section 3 of the FMA) and are
    included in the whole of government consolidated “Annual
    Financial Report for the State of Victoria”.

Annual compliance certification
Agencies certify compliance with the Directions Requirements (that are
derived from the Directions) of the FMCF via the Compliance Monitoring
System (CMS) website: www.cms.dtf.vic.gov.au.

Certification takes place annually from July to September each year.

An overview of the annual certification process can be found within this
section.




FMCF User Guide: Standing Direction 1

The structure and components of the Directions

The Directions have four components. Section 1 is the Introduction;
Sections 2, 3 and 4 are based on components of sound financial
management as depicted below:

[Figure: Key components of leading edge financial management. Section 2: Financial Management Governance and Oversight; Section 3: Financial Management Structure, Systems, Policies and Procedures; Section 4: Financial Management Reporting]

Presentation of the Directions
Each Standing Direction is comprised of the following:

    Background               Explanatory section providing users with an understanding of the compliance obligation.
    Direction                A statement which sets out the compliance obligation (mandatory).
    Procedure                Sets out the method of achieving the compliance obligation (mandatory).
    Guidelines               Serve to explain and clarify the principles and objectives of the direction (reference only).
    Supplementary material   Information designed to assist in achieving compliance with the Directions.

Section 2 - Financial Management Governance and Oversight
Governance is about the processes by which a Public Sector Agency is
directed, controlled and held to account. The Directions on financial
management governance and oversight set standards for Public Sector
Agencies, which should be incorporated as fundamental elements in an
overall governance framework.
Section 3 - Financial Management Structure, Systems, Policies and Procedures
The Directions for financial management structure, systems, policies and
procedures set standards for all Public Sector Agencies to achieve sound
systems of internal control to support financial management.
Section 4 - Financial Management Reporting
The Directions for financial management reporting set standards for Public
Sector Agencies to assist them in measuring and managing performance
and to ensure financial management reporting is consistent with applicable
statutory reporting obligations.





Exemptions

Agencies may seek exemptions from the Minister for Finance for specific
Direction Requirements including:
•   to establish and maintain a proper functioning Audit Committee
    (Direction 2.2, procedure (e));
•   to establish and maintain an Internal Audit function (Direction 2.5);
•   that the Audit Committee chair is an independent chair (Direction 2.2,
    procedure (l)); and
•   that the chair of the Audit Committee is not also the chair of the board
    (or responsible body) (Direction 2.2, procedure (m)).

Exemptions must be sought in writing and include the reasons for the
exemption as well as proposed alternative actions or procedures.

Government Departments are not eligible for exemptions.

Sections 2.2 and 2.5 of the User Guide provide detail on the exemption
process and evaluation criteria.

Definitions

    Accountable Officer              as per section 3 of the FMA.
    Business Rules                   are the rules made by the Deputy Secretary, Budget and
                                     Financial Management, Department of Treasury and Finance
    Directions                       mean these Standing Directions
    Financial Reporting Directions   are directions given by the Minister for Finance for the
                                     accounting treatment and reporting of financial transactions.
    Government Department            same as “Department” as defined in section 3 of the FMA.
    Public Sector Agency             any public body as defined in section 3 of the FMA or any
                                     Government Department.
    Responsible Body                 •   for a Government Department - the Accountable Officer
                                     •   for every other Public Sector Agency - the Board

In the event that a person or body is declared to be an authority for the
purposes of the definition of “authority” in section 3 of the FMA, anything
in these Directions applying or referring to a Government Department
applies or refers also to that person or body, unless a Direction explicitly
provides otherwise.

Abbreviations
    AASB        Australian Accounting Standards Board
    ATO         Australian Taxation Office
    BFMG        Budget and Financial Management Guide
    CFAO        Chief Finance and Accounting Officer
    CFO         Chief Finance Officer
    DTF         Department of Treasury and Finance
    FBT         Fringe Benefits Tax
    FMA         Financial Management Act 1994
    FRD         Financial Reporting Directions
    GST         Goods and Services Tax




An overview of the Financial Management Compliance Framework (FMCF)
What is the FMCF?
The FMCF is a framework to assist Victorian Public Sector (VPS) agencies establish and
maintain effective financial management to support the achievement of agencies’ key
objectives and goals.
It also helps the Victorian government monitor the standard of financial management in line
with the Standing Directions of the Minister for Finance (the ‘Directions’).
The FMCF was launched by the Department of Treasury and Finance (DTF) in July 2003 and
was subsequently updated in July 2005.

What are the objectives?
The FMCF was developed to:
•   promote effective financial management
•   meet the government’s requirements for accountability
•   provide Ministers (including the Minister for Finance) with reasonable
    assurance that VPS agencies have implemented appropriate systems
    to comply with the Directions and to use public resources efficiently and
    responsibly
•   assist agencies in identifying and documenting their financial compliance
    status

Who needs to comply?
The FMCF applies to all VPS agencies who:
•   are a “public body” (defined in section 3 of the FMA) and
•   are included in the whole of government consolidated “Annual Financial Report for
    the State of Victoria”

How and when do agencies certify?
Agencies certify compliance with the Directions Requirements (that are derived from the
Directions) of the FMCF via the Compliance Monitoring System (CMS) website:
www.cms.dtf.vic.gov.au.
Certification takes place annually from July to September each year.
Refer overleaf for an overview of the annual certification process.

Details of the Directions

How did the Directions come about?
The Directions are designed to supplement the Financial Management Act 1994 (FMA).
They are pursuant to section 8 of the FMA.

What are the key components of the Directions?
The Directions are based on the following three components of sound financial
management:
•   Financial Management, Governance and Oversight
•   Financial Management, Structure, Systems, Policies and Procedures
•   Financial Management Reporting

How are the Directions presented?

    Background               Explanatory section providing users with an understanding of the compliance obligation.
    Direction                A statement which sets out the compliance obligation (mandatory).
    Procedure                Sets out the method of achieving the compliance obligation (mandatory).
    Guidelines               Serve to explain and clarify the principles and objectives of the direction (reference only).
    Supplementary material   Information designed to assist in achieving compliance with the Directions.

Further information and assistance

www.dtf.vic.gov.au (See Budget & Financial Management and Financial Compliance)
Online information resource which includes support and guidance such as supplementary
material and templates.

DTF Initiatives:
•   Extensive information sessions across Victoria for VPS agencies
•   Formal presentations and seminars


Annual FMCF Certification Process
FMCF Certification is completed by agencies on an annual basis. The following flowchart outlines the steps within the certification process at the agency and portfolio level. The timing of
tasks has also been provided as a guide.


Agency process

When? Throughout the year
What? Complete review requirements
How? There are requirements within the FMCF to complete reviews over a number of areas throughout the year e.g. policy documents, and the financial risk profile (see Supplementary Material flyer for Direction review requirements)
1. Complete relevant reviews
2. Where required obtain endorsement by the CEO/CFO (or delegate) or the Board/Audit Committee
3. Keep documentation supporting evidence of these reviews

When? June – July
What? Assess compliance
How? DTF’s ‘Assessment Tool’ provides detailed guidance of compliance requirements for each Direction (see DTF website for latest assessment tool)
4. Use the assessment tool against each of the Direction Requirements to determine compliance status (compliant, partially compliant, not compliant) with each of the 29 Directions as at 30 June
5. Complete the ‘Compliance Certification Checklist’ using the results from the ‘Assessment Tool’ (see DTF website for latest checklist)
6. Ensure there is evidence to support the stated certification level (where required)

When? July – August
What? Obtain sign-off
How?
7. Obtain required approval e.g. Board/Audit Committee upon completion of the ‘Compliance Certification Checklist’
8. Finalise detailed sign-off over Direction 2.2 (d) & (w) including:
   - internal controls
   - risk management
   - financial statements
   (see supplementary material)

When? August – September
What? Complete and submit certification
How?
9. Complete online certification via the Compliance Monitoring System (CMS) website: www.cms.dtf.vic.gov.au.
10. Provide signed certification letter to the relevant Portfolio Minister and copied to the Portfolio Coordinator

Department / Portfolio Process

When? September
What?
11. Agency compliance certification received by the Portfolio Minister via the Portfolio Department

When? October
What?
12. Portfolio summary report prepared by Portfolio Coordinator and signed off by the Department Secretary
13. Portfolio summary report presented to the Minister for Finance and copied to DTF



User guide to Standing Direction 2.1
Direction Requirement 1

Financial Code of Practice




FMCF User Guide: Standing Direction 2.1 (Direction Requirement 1) – Financial Code of Practice
Version 1 (September 2009)
Introduction
Direction 2.1 of the Standing Directions for the Minister for Finance (the Directions) requires each agency to implement and maintain a Financial Code of Practice (the Code) that outlines standards and practice in relation to the probity of their financial management.

Developing a code
The Code must cover the following areas (as per Direction 2.1):
• independence, integrity, accountability, confidentiality
• procurement, tendering, credit cards
• conflicts of interest
• personal relationships with the public sector agency’s customers and providers
• corporate opportunities
• fair dealing
• protection and proper use of the public sector agency’s assets
• encouraging the reporting of unlawful or unethical behaviour.
Agencies will have detailed policies and procedures in place for some of the areas listed above e.g. whistleblower, procurement, conflict of interest. The Code should not duplicate, but direct the reader to the agency’s existing detailed policies and procedures which provide further guidance and detailed procedures in relation to the items listed in the Code. The Code should not replace detailed policies and procedures but should provide a high level statement about employee conduct required for specific areas.
The Code should also be consistent with the Victorian Public Service Code of Conduct and the Directions. Consideration could also be given to good practice in the public and private sector bodies e.g. Principle 3 ‘Promote ethical and responsible decision-making’ of the ASX Corporate Governance Council Principles of good corporate governance and best practice recommendations, March 2003.

Supporting the Code
Processes to support the Code should be developed to:
• ensure it is up to date and consistent with changes in the internal and external environment
• identify employees required to comply with the code
• prompt regular (at least annual) review of changing roles within the agency to identify relevant employees with direct or indirect responsibilities for financial transactions, group of transactions, or other financial matters for example initiation, authorisation/approval, processing, reporting
• handle queries, monitor compliance and manage breaches of the Code.

Communication and education
The Code should be communicated to relevant employees to ensure it is understood and enhance compliance. Communication of the Code could include:
• access to the document
• explanation of individual involvement in financial management for the agency e.g. explanation of roles and responsibilities, delegations, etc.
• explanation of responsibilities under the Financial Management Act and the Directions
• a requirement for individuals to acknowledge receipt and understanding of the Code i.e. signing and returning an acknowledgement form (that is kept to demonstrate that the agency has complied with the requirements of the Direction).

Example
An example of a Financial Code of Practice template is attached.
The template is generic and does not specifically address each agency’s requirements. It is the basis of a Code that is tailored to suit the individual needs of the agency.
                         Template for a Financial Code of Practice
                              to be used as guidance only


Attachment 1
Template for a Financial Code of Practice




                                          <Insert Organisation Name>

                               <Insert Site Name> Financial Code of Practice




Organisation Address:                           <Insert Address>




User Note:
This template is generic and should be amended to suit the
purposes of the organisation.


<Insert Organisation Name> <Insert Site> Financial Code of Practice

FMCF User Guide: Standing Direction 2.1 (Direction Requirement 1) – Financial Code of Practice
Template for a Financial Code of Practice Version 1 (September 2009)

Table of contents
Introduction
Public Funds
Declaration of Financial and other interests
Financial Inducements, Gifts and Hospitality
Secondary Employment
Tendering and Procurement Process
Corporate Credit Cards
Use of Property, Facilities or Equipment
Confidentiality




Introduction
This Financial Code of Practice sets the standards of conduct expected from <Insert Organisation
Name> employees. It applies to all employees of the <Insert Organisation Name> and forms part of the
terms and conditions of employment.¹ If any of the provisions contained within this Financial Code of
Practice are not fully understood, employees should seek clarification from their line managers.
Employees are expected to act at all times in the best interest of the <Insert Organisation Name> and
should conduct all dealings with integrity and fairness.
The <Insert Organisation Name> may apply its disciplinary procedures against employees who are in
breach of this code. Instances of non-compliance with this Code may be reported through <insert
details of the breach reporting process>.
<Insert Organisation Name> procedures are consistent with the requirements of the Victorian
Government Whistleblower Legislation.²

Public Funds
The <Insert Organisation Name> acknowledges the responsibility it has for the administration of
public funds. The <Insert Organisation Name> emphasises to the public, the Government and
its employees the importance it places upon propriety, financial control and honest administration.
The <Insert Organisation Name> arrangements for the prevention and detection of fraud and
corruption will be kept under constant review, and suspected irregularities will be investigated.
Where employees have direct responsibility for financial transactions, for example the ordering of
goods and services on behalf of the <Insert Organisation Name>, then they must be fully acquainted
with the Standing Directions of the Minister for Finance pursuant to Section 8 of the Financial
Management Act 1994 and comply with these.

Declaration of Financial and other interests³
Employees must declare any personal interests which may affect or be affected by a <Insert
Organisation Name> transaction.
Interests should be declared to the <to be determined by the agency and must be consistent with the
agency’s enabling legislation and culture>.
Employees must not influence the awarding of any contract in which they have any interest.
Employees who act as panel members in the interview and selection process must also declare any
knowledge they have of candidates. Any such knowledge must be disclosed to <to be determined by
agency and must be consistent with the agency’s enabling legislation and culture> at the earliest
opportunity.




¹ The Financial Code of Conduct should be distributed as part of the induction process. New employees should sign to
acknowledge that they have read its contents. Further, upon promotion or transfer, employees should be required to reconfirm
and sign to acknowledge their understanding of the contents of the Code with regard to their new role.
² This legislation should be referred to in developing procedures.
³ Conflicts of interest requirements will vary from public sector agency to public sector agency, for example compare a hospital
agency with the Victorian Police. It is imperative that guidelines are established to ensure that staff are aware of the
requirements to disclose interests and gifts offered and received.

Financial Inducements, Gifts and Hospitality
Employees may not accept gifts that may be, or may be construed as, rewards or inducements for
directing business towards that body/person.
Any monetary gifts handed over to employees must be passed to the <to be determined by agency
and must be consistent with the agency’s enabling legislation and culture>.
Goods, vouchers, non-cost payments etc. received from suppliers or agents (other than goods
officially ordered) shall be declared to the <to be determined by agency and must be consistent with
the agency’s enabling legislation and culture>.
This rule is waived in respect of small items that have a value not exceeding <to be determined
by agency and must be consistent with the agency’s enabling legislation and culture>.
In areas of doubt, advice should be sought from the appropriate manager <to be determined by the
agency>. Employees should also refer to the Official Hospitality Principles issued by the Department
of Premier and Cabinet from time to time.⁴

Secondary Employment
Staff members may not undertake employment outside <Insert Organisation Name> or engage in the
conduct of a business, trade or profession without written permission.
Employees considering taking up a second post should take into account whether this might conflict
with their employment with the <Insert Organisation Name> and should seek guidance from <to be
determined by the agency>.

Tendering and Procurement Process
All tendering and procurement activity must be compliant with the Victoria Purchasing Board’s
Guidelines, where applicable <if VGPB Guidelines are not applicable, replace with “policies and
procedures”>.

Corporate Credit Cards
All usage of Corporate Credit Cards must be compliant with the Standing Directions of the Minister for
Finance under the Financial Management Act 1994.

Use of Property, Facilities or Equipment
Employees of the <Insert Organisation Name> often have access to facilities, including office
equipment such as computers, telephones, photocopiers and fax machines to use in carrying out their
official duties.
Excessive personal use of any <Insert Organisation Name> equipment or removal of any property
from the work place for any purpose is not permitted without line manager approval. Any use for
personal gain is not permitted under any circumstances.

Confidentiality
Staff are expected to maintain and respect the confidentiality and privacy of financial information and
other matters of a financial nature that they come across during the course of their employment.
Unless authorised, staff are not to use confidential information for personal use or to benefit another
third party.




⁴ The most recent version is dated 14 July 1998 and replaces Circular 90/1 on Entertainment Expenditure Guidelines.

User guide to Standing Direction 2.2
Direction Requirement 2

Financial Governance – Responsible Body




FMCF User Guide Standing Direction 2.2 (Direction Requirement 2) – Financial Governance Responsible Body
Version 1 (September 2009)
Introduction
The governance and oversight of the financial management of an agency is the responsibility of the Responsible Body as per Direction 2.2(a) in the Standing Directions for the Minister for Finance (the Directions).

Definitions
Responsible Body defined
The Directions define ‘Responsible Body’⁵ to mean:
• the Accountable Officer for a Government Department, or
• the Board for all other Public Sector Agencies.

Accountable Officer defined
‘Accountable Officer’⁶ means:
• the department head for a department
• the chief executive officer for a public body (or the relevant title of this position)

Delegation of responsibilities
The Responsible Body may delegate some of its responsibilities under the Directions to an Audit Committee, Finance Committee or equivalent (as per Direction 2.2(c)).
However, the Responsible Body cannot delegate or diminish ultimate responsibility for:
• overseeing the financial performance of the agency
• ensuring the integrity of financial reporting
• retaining oversight responsibility for the relevant actions and activities of its delegates.
The Directions do not prevent operational aspects of the Responsible Body’s oversight and governance role from being delegated to management.⁷

Documentation of role and responsibilities
The roles, responsibilities and delegations of the Responsible Body should be documented in a Charter or equivalent document.
The document should detail the responsibility and accountability of relationships between the Minister, the Responsible Body, the Accountable Officer and the CFAO.

⁵ Refer to S. 1.1 in the Directions for more information re: where a person or body is declared to be an “authority” under S. 3 of The Financial Management Act 1994
⁶ Defined under S. 3 of The Financial Management Act 1994
⁷ This must be completed in accordance with Direction 2.4 (Authorisations)


Requirements of the Responsible Body
The Responsible Body has a number of requirements outlined in Direction 2.2(b) that are part of its financial oversight and governance role. The requirements are outlined in the checklist below and should be considered in developing the Charter or equivalent. Please note that Guideline 1 to Direction 2.2 also details a number of suggested tasks for the Responsible Body.

In addition to Direction 2.2(b) the Responsible Body has a number of other requirements⁸ under the Financial Management Compliance Framework. Please refer to the Directions and relevant supplementary material for information about this.

Requirements of the Responsible Body under Direction 2.2 (b) (Considered? ☐)
☐ Review all financial reports that are provided to parties external to the Public Sector Agency, prior to their release but subsequent to the approval of the reports by the CFAO in accordance with Direction 4.3(c)
☐ Work with management to develop the strategic directions for the Public Sector Agency, set performance indicators, set performance targets, review performance management information and reports against those targets
☐ Monitor and oversee the financial performance of the Public Sector Agency on an ongoing basis ensuring appropriate human and financial resources are available⁹
☐ Oversee and ensure that procedures are in place that will result in effective and efficient budgeting
☐ Ensure a balance of authority so that no single individual has unfettered powers over the finances of the Public Sector Agency
☐ Ratify the appointment or removal of the CFAO, where appropriate¹⁰
☐ Review, ratify and oversee the Public Sector Agency’s systems of risk management and financial internal controls
☐ Approve and monitor the progress of major capital expenditure, capital management, acquisitions and divestitures
☐ Meet often enough to undertake its financial governance role effectively, if it comprises more than one person (e.g. at least 4 times a year)
☐ Establish appropriate arrangements to ensure that public funds and resources are used economically, efficiently, effectively, with due propriety, and in accordance with the statutory or other authorities that govern their use
☐ Undertake an annual review of its own performance in respect of its financial governance

⁸ Examples of other Directions with requirements for the Responsible Body include: Directions 2.3, 2.4, 2.6, 3.1.3, 3.1.5, 3.2.1, 3.4.1, 3.4.3 and elements of Directions in relation to Financial Management Reporting as detailed in Directions 4.1 to 4.5. Please note this list is not complete.
⁹ This is also consistent with its role under Direction 4.1 Internal Financial Management Reporting and Direction 4.4: Financial Performance Management and Evaluation to work with management to develop financial KPIs and receive reports on financial performance
¹⁰ This is also consistent with its role under Direction 3.1.2: Chief Finance and Accounting Officer to ensure the Agency has financial management leadership from a suitably qualified CFAO



User guide to Standing Direction 2.2
Direction Requirement 3

Financial Governance – Formal Statements




FMCF User Guide: Standing Direction 2.2 (Direction Requirement 3) – Financial Governance Formal Statements
Version 1 (September 2009)
Introduction

The Standing Directions for the Minister for Finance (the Directions) under Direction 2.2 require an agency to:

              “…establish robust and transparent financial governance policies and procedures directed to the oversight of its financial management which should be incorporated as fundamental elements of a Public Sector Agency’s overall governance framework.

              Particular attention must be paid to the systems of financial reporting, risk management, internal control and the adequacy of management reporting.”

The Directions mandate an annual formal statement of compliance with the following three distinct requirements of 2.2(d) for agencies and 2.2(w) for government departments11:

                Requirement 1:
                Presentation of agency’s financial reports
                Requirement 2:
                That the risk management, internal compliance and controls form the basis of the financial report
                Requirement 3:
                That the risk management, internal compliance and control systems operate effectively and efficiently

The requirements of Direction 2.2 and in particular, 2.2(d) and 2.2(w) serve as the foundation for the Financial Management Compliance Framework.

Timing of formal statement

It would be expected that the formal statement of compliance would be made in writing at least annually upon completion, and before public release of the annual financial report. There are example formal statement templates included in this material:

• Template 1 - Example representation from Accountable Officer and CFAO to Responsible Body
• Template 2 - Example representation from Management and Staff to the Accountable Officer and CFAO.

Difference between 2.2(d) and 2.2(w)

The requirements under Direction 2.2(d) are identical in nature to 2.2(w); the only differences are:

• Direction 2.2(d)
  – relates to agencies
  – requires the Accountable Officer and the CFAO to make the formal statement to the Responsible Body.
• Direction 2.2(w)
  – relates to government departments
  – requires the CFAO to make the formal statement to the Audit Committee and the Accountable Officer.




11
     Note: This material explains each of these requirements in further detail overleaf.

Explanation of the three Requirements

The following tables provide detailed explanation of each of the Requirements under 2.2(d) and (w) and include a list of potential steps that the Accountable Officer and CFAO could consider implementing to support the formal statement requirements.

Please note that the lists are not exhaustive and should only be used as a guide to assist in the development of agency specific procedures in relation to Direction 2.2 (d) and (w).

Requirement 1:
Statement over presentation of agency’s financial reports

The CFAO and/or the Accountable Officer12 have an obligation to provide a statement to the Responsible Body stating that:

• the financial reports present fairly, in all material respects, the financial condition and operating results of the Agency
• the financial reports have been prepared in accordance with the Financial Management Act 1994 including the Directions.

Links to other Directions
• Reporting in terms of Part 7 of the FMA (Standing Direction 4.2, Direction Requirement 23).

How to sign off on Requirement 1
Traditional sign off over financial statements.
(see also Template 1)

Requirement 1 signed off by
• Accountable Officer and Responsible Body at Agency level
• CFAO at Department level.

Example of potential steps and detail for Requirement 1                     Considered

1. Discussions with relevant management and staff with a view to:                ☐
   • satisfying themselves that the process supporting the preparation of financial reports was robust and that the financial reports are complete, accurate and reliable
   • understanding any key assumptions and accounting policies which underpin material balances (including changes to assumptions or accounting policies since the previous year)
   • considering key areas where significant judgement was exercised in determining accounting treatments
   • understanding the nature and rationale of any significant period end adjustments.

2. Reviewing performance against financial budgets carried out throughout the course of the year with a view to:                ☐
   • ensuring that all material transactions have been captured within underlying financial accounting systems
   • developing an understanding of the reasons for variances between budgeted and actual financial results and their reasonableness
   • comparing year end financial reports to management accounts and understanding large adjustments made at year end as well as other impacts potentially affecting the robustness of the financial management process.

3. Reviewing the financial reports prior to release by:                ☐
   • completing a comparison to last year’s financial reports and consideration of significant movements in results, balances and disclosures
   • understanding changes that have occurred to relevant Accounting Standards and Directions under the FMA to ensure that they have been captured.

4. Considering the findings of the financial statement audit process. This is achieved through discussions with financial accounting staff, the external auditor and internal auditor (where relevant), including a summary of adjusted and unadjusted differences.                ☐



12
  At Government Departments the CFAO provides this statement.
At other agencies, the CFAO and Accountable Officer provide this statement.
Requirement 2:
Statement over risk management, internal compliance and control

The CFAO and/or the Accountable Officer2 have an obligation to provide a statement to the Responsible Body stating that the financial report is founded on a sound system of risk management, internal compliance and control which implements the policies adopted by the Responsible Body.

Further explanation for Requirement 2
Requirement 2 focuses on the design effectiveness of internal controls within the financial reporting process. Internal controls over the financial reporting process would be considered to be designed effectively if, assuming they were operating as intended, they provided reasonable assurance that material misstatements in financial reports would be prevented or detected by management.

Requirement 2 reinforces the fact that the CFAO and Accountable Officer are ultimately responsible for ensuring that the Agency has adequately designed internal controls over the financial reporting process. The nature of internal controls that an agency has over financial reporting will vary from agency to agency depending on factors including, but not limited to:
• the size of the agency
• the nature and volume of accounting transactions processed by the agency
• the information technology environment within the Agency
• the nature and complexity of financial report disclosures required by the agency under Financial Reporting Directions and accounting standards.

Links to other Directions
• Financial risk management (Standing Direction 2.3, Direction Requirement 5)
• Policies and procedures (Standing Directions 3.1.3 and 3.4, Direction Requirement 12)
• Risk management compliance (Standing Direction 4.5.5 – refer to Victorian Government Risk Management Framework).

How to sign off on Requirement 2
Sign off that internal controls have been designed effectively so that they provide reasonable assurance that material misstatements in financial reports are prevented or detectable. This may require:
- a representation from the Accountable Officer and CFAO to the Responsible Body – Refer Template 1
- where appropriate, a series of management/staff representations to the Accountable Officer/CFAO – Refer Template 2

Requirement 2 signed off by
• Accountable Officer and Responsible Body at Agency level
• CFAO at Department level.

Example of potential steps and detail for Requirement 2                        Considered

1. Identify significant accounts and disclosures                ☐
   Identification of significant accounts and disclosures in financial reports. Examples include:
   • items separately disclosed in financial reports
   • qualitative and quantitative factors
   • materiality at the consolidated financial statements level.

2. Account mapping                ☐
   Map significant accounts and disclosures to accounting policies, procedures and processes that generate the information reported.

3. Identify the relevant financial statement assertions                ☐
   For each significant account and disclosure, identifying the relevant financial statement assertions. Examples of assertions are as follows:
   • existence or occurrence
   • completeness
   • valuation or allocation
   • rights and obligations
   • presentation and disclosure.
   Account / Disclosure X                ☐
   Account / Disclosure X                ☐

4. Identify risks of misstatement                ☐
   For each of the significant accounts and disclosures, identifying risks of misstatement with reference to the financial statement assertions.

5. Identify mitigating controls                ☐
   Based on the risks identified, and with reference to accounting policies, procedures and processes, identifying the key controls which reduce either the likelihood or impact of the risk occurring.

6. Sufficiency of mitigating controls                ☐
   Consider whether key controls identified are designed such that they provide reasonable assurance that material misstatements would be prevented or detected by management throughout the year.

7. Develop and implement remediation plan                ☐
   Where significant deficiencies in the design of internal control over financial reporting have been identified:
   • implement immediate corrective action to ensure reported results are not adversely affected
   • develop and implement appropriate remedial action plans.


Requirement 3:
Statement over efficient and effective operation of risk management, internal compliance and control systems

The CFAO and/or the Accountable Officer2 have an obligation to provide a statement to the Responsible Body stating that the agency’s risk management and internal compliance and control system is operating efficiently and effectively in all material respects.

Further explanation for Requirement 3
Requirement 3 is intended to consider and report against operating effectiveness of controls, i.e. are internal controls being applied and operated as intended throughout the entire reporting period?

Links to other Directions
• Financial management governance and oversight (Section 2 – Standing Directions 2.1 to 2.6, Direction Requirements 1 to 8)
• Financial management structure, systems, policies and procedures (Section 3 – Standing Directions 3.1 to 3.4 Direction Requirements 9 to 21).

How to sign off on Requirement 3
Sign off that internal controls are being applied and operated as intended throughout the entire reporting period. This may require:
- a representation from the Accountable Officer and CFAO to the Responsible Body – Refer Template 1
- where appropriate, a series of management/staff representations to the Accountable Officer/CFAO – Refer Template 2

Requirement 3 signed off by
• Accountable Officer and Responsible Body at Agency level
• CFAO at Department level.

Example of potential steps and detail for Requirement 3                      Considered

8. Gather information about the implementation and operation of internal controls in the organisation.                ☐
   For example, this may include results of staff surveys re: knowledge and understanding of internal controls in day to day operations, the extent to which internal and external audit recommendations have been implemented, completion of risk assessment processes within finance and accounting functions, evidence that system generated financial reports have been prepared and disseminated on a timely basis.

9. Develop and execute an evaluation plan on control activities                ☐
   For key control activities identified during the evaluation of design effectiveness, develop and execute an evaluation plan with a view to determining whether they were operating as intended throughout the course of the year. This may involve a combination of:
   • direct testing of a sample of significant control activities conducted by internal audit
   • risk and control self assessment by management and staff
   • management and staff representations over the operation of internal controls.

10. Evaluate results to determine if deficiencies represent material weakness                ☐
   Review the information obtained together with results of testing to determine whether deficiencies either individually or in aggregate represent material weaknesses. Where deficiencies are identified (be they material or immaterial), develop and implement appropriate remedial action plans (immediate and longer term).

11. Notification of any control weaknesses                ☐
   Prepare and provide representation to the Responsible Body noting any material control weaknesses identified based on the evaluation of control effectiveness.




                                                                Template for Formal Statements
                                                                  to be used as guidance only

Attachments
Templates for Formal Statements


Template 1               Example representation from Accountable Officer and CFAO to Responsible Body

Template 2               Example representation from Management and Staff to the Accountable Officer and CFAO.




<Insert Organisation Name> <Insert Site> Formal Statements                                                       21

FMCF User Guide: Standing Direction 2.2 (Direction Requirement 3) – Financial Governance Formal Statements
Template for Formal Statements Version 1 (September 2009)
Template 1: Example representation from Accountable Officer and CFAO to Responsible Body
                 Statement to the Responsible Body of <insert agency name>

The Accountable Officer and Chief Finance and Accounting Officer state that:

(a) with regard to the integrity of the financial reports of <insert agency name> for the year ended 30
    June <insert year> that:

    (i)    the financial statements and notes thereto comply with accounting standards in all material
           respects

    (ii)   the financial statements and notes thereto give a true and fair view, in all material respects,
           of the financial position and performance of the Agency and consolidated entity

    (iii) in our opinion, the financial statements and notes thereto are in accordance with the
          Financial Management Act and associated directions, and

    (iv) in our opinion, there are reasonable grounds to believe that the agency will be able to pay its
         debts as and when they become due and payable.

(b) with regard to risk management and internal compliance and control systems of <insert agency
    name> for the year ended 30 June <insert year>:

   (i)     the statements made in (a) above regarding the integrity of the financial statements and notes
           thereto are founded on a sound system of risk management and internal compliance and
           control systems which, in all material respects, implement the policies adopted by the
           Responsible Body;

   (ii)    the risk management and internal compliance and control systems underpinning financial
           management processes are operating effectively and efficiently, in all material respects,
           based on an evaluation against the elements of the agency’s defined internal control
           framework; and

   (iii) nothing has come to our attention since 30 June <insert year> that would indicate any
         material change to the statements in (i) and (ii) above.




Accountable Officer                                                 Chief Finance and Accounting Officer


<Date of annual report> *
                                                                    <Date of annual report> *


* To be dated the same date as the annual report. Statement should be made at least annually to the Responsible Body
  upon completion and before the public release of the annual report





Template 2: Example representation from Management and Staff to the Accountable Officer and CFAO
        Statement to the Accountable Officer and CFAO of <insert agency name>

This statement is to verify that I have:


1. Identified the financial management requirements of my <insert cost centre/division>.


2. Put in place a structure to ensure transactions of the <insert area/office> have been processed in
   accordance with these requirements and including:
         • <insert reference to approved policies and procedures>
         • <insert reference to approved delegations of authority>


3. Monitored transactions and processes in my <insert cost centre/division> in accordance with my
   financial management responsibilities


4. In this process, identified the following issues that have or may impact financial management
   structures or processes under my responsibility:
         • <insert any areas that need improvement>
         • <insert any areas that need improvement>


5. Put in place the following rectification plans to address the above issues:
         • <insert rectification plan and the date it is expected to be completed>



This statement has been prepared to the best of my knowledge and I confirm that no other issues that
would impact on financial management have come to my attention.




Manager/staff name


<Title>


<Date of report>





User guide to Standing Direction 2.2
Direction Requirement 4

Financial Governance – Audit Committee




FMCF User Guide: Standing Direction 2.2 (Direction Requirement 4) – Financial Governance: Audit Committee   25
Version 1 (September 2009)
Introduction

Direction 2.2 (Direction Requirement 4) of the Standing Directions of the Minister for Finance (the Directions) requires an agency to appoint an audit committee to oversee and advise on matters of accountability and internal control affecting the operations of the agency, unless an exemption has been obtained.13

The detailed requirements for audit committees are outlined in the Procedures to Direction 2.2 specifically:
o establishment and exemptions               Procedure (e)
o charter, roles, responsibilities, meetings Procedures (h) - (j)
o membership and member qualifications       Procedures (f), (g), (k) - (q), (s)
o member induction                           Procedure (r)
o relationships and reporting                Procedures (t) - (v).

This material provides:
o guidance to agencies for the implementation of the requirements in relation to audit committees, and
o an overview of other audit committee requirements under the Directions.

The checklists in this material identify the mandatory requirements relevant to each of the detailed requirements for audit committees. The checklists also contain elements that represent good practice.

Please note that this material should be read in conjunction with the audit committee requirements detailed in Directions for internal audit (2.5, Direction Requirement 7) and external audit (2.6, Direction Requirement 8).

Audit committee establishment and exemptions

The Directions permit agencies to apply for an exemption from establishing an audit committee. A number of parameters must be met to ascertain whether an agency is permitted to apply for an exemption.

The exemption process is outlined in the steps below. Also, Attachment 1 provides a template for the exemption application.

Where an audit committee has been established, it is usually a sub committee of the Board (Responsible Body). While the establishment of an audit committee supports the Board’s performance in the discharge of its financial governance and oversight responsibilities, it does not release the Board from its responsibilities.




13 Procedure (e) under Direction 2.2 from the Standing Directions of the Minister for Finance under the Financial Management Act 1994
FMCF User Guide: Standing Direction 2.2 (Direction Requirement 4) – Financial Governance: Audit Committee                                                               26
Version 1 (September 2009)
                                                     Supplementary material to be used as guidance only
Audit Committee Exemption Process

Step 1: Majority of non-executive directors
• Are the majority of directors on the Board non-executive directors? If yes, continue to Step 2.

Step 2: Majority of non-executive independent directors
• Are the majority of non-executive directors independent? If yes, continue to Step 3.
• If there are at least three non-executive directors (and two of these are independent), an Audit Committee can be established in accordance with the Directions.

Step 3: Agency size
• A number of parameters are taken into account when determining an agency’s size and eligibility for exemptions.
• The scores for the four parameters (Total Budget, Total Assets, Number of Full Time Equivalent Employees and Financial Risk Profile) must be totalled. The table below provides scores for each parameter.
• Agencies with an aggregate score (across all four parameters) of:
  – less than or equal to 10 are able to seek an exemption, continue to Step 4.
  – more than 10 cannot seek an exemption.

Step 4: Exemption application
• Agencies that meet the requirements can seek an exemption via a written submission to the Minister.
• A copy of the submission must also be sent to DTF with a set of the agency’s most recently audited financial statements.
• See the example template exemption letter.

Step 5: Exemption approval
• Exemption applications are assessed on a case by case basis and DTF may request additional information.
• Exemptions are only granted for the one compliance year (1 July to 30 June).
• Agencies granted an exemption must follow the “exemption confirmation process” the following year.


Note for Step 1:
A non-executive director is an agency director that is:
1. part of the Responsible Body
2. not employed on a full time basis by the Responsible Body
3. not involved in the day to day management of the agency.

Notes for Step 2:
Guideline 3 to Direction 2.2 defines an independent person as one who:
1. is independent of management of the agency
2. has not been employed in an executive capacity by the agency or related organisation or been a director after ceasing to hold such employment within the last 3 years
3. has not been a principal of a material professional advisor or a material consultant to the agency or a related organisation, or an employee materially associated with the service provider within the last three years,
4. is not a material supplier or customer of agency or related organisation or an officer or otherwise directly or indirectly associated with a material supplier or customer
5. has no material contractual relationship with the agency or a related organisation other than as Committee member of the agency
6. has not served on the Responsible Body (if it is a board) or the Committee for a period which could, or could reasonably be perceived to materially interfere with the person’s ability to act in the best interests of the Public Sector Agency
7. is free from any interest and any business or other relationship which could, or could reasonably be perceived to, materially interfere with the Committee member’s ability to act in the best interests of the agency.

Also,
1. family ties and cross-directorships may be relevant in considering interests and relationships which may compromise independence
2. “materiality” should be considered from the perspectives of both the Public Sector Agency and the individual Committee member/candidates.

Scoring Parameters for Step 3 Audit Committee exemption:

Parameter                                    Small    Score    Medium        Score    Large    Score
Total Budget1                                <$5m     2        $5m – $15m    4        >$15m    6
Total Assets2                                <$5m     2        $5m – $20m    4        >$20m    6
Number of full time equivalent employees3    <20      2        20 – 50       4        >50      6

Financial Risk Profile    Details                                                                                                                      Score
Low                       Agency has responsibility for managing their budget with no significant financial transactions with third parties.         2
Moderate                  Agency has responsibility for managing their budget with limited significant financial transactions with third parties.    4
High                      Agency has responsibility for managing its budget with significant transactions with third parties.                        6

1. Total Budget $m refers to Total Budgeted Expenditure
2. Total Assets $m amount should be derived from the last audited financial statements
3. A measurement equal to one staff person working a full-time work schedule for the current compliance year


Processes for obtaining exemption confirmation for an audit committee
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only.
Agencies requiring extensions on their exemptions need to complete the exemption process outlined in the steps below.


Exemption Confirmation Process
When? Nov
What? DTF contacts agencies
How?
DTF compliance unit contacts agencies that have previously been provided exemptions:
DTF compliance unit seeks written confirmation that:
• an exemption is still required; and
• there have been no changes in the circumstances surrounding the agency.

When? Dec-Jan
What? Agencies respond
How?
Agencies must inform DTF of situations where:
• there has been or will be some change to its operating or governance structures
• its operating functions or parameters have or will be altered
• it is subject to litigation or pending litigation
• the agency has previously been the subject of media attention regarding its financial management activities
• the agency is subject to an internal or external review of any kind
• a significant or material internal control weakness has been identified and is yet to be rectified
• the Auditor-General has provided a qualified audit opinion
• the Auditor-General has been unable to provide an audit opinion on the agency’s financial statements OR
• there has been an increase in the financial and/or political surrounding the agency.

When? Feb
What? Assessment
How?
Agency responses are collated and assessed accordingly.
If the circumstances of the agency have altered, the agency will be assessed using the exemption criteria.

When? Mar
What? DTF extends exemptions
How?
DTF writes to agencies, informing them if their exemption(s) has been extended for the current compliance year.




Audit committee charter, roles, responsibilities and meetings

The role, responsibilities, composition, structure and membership requirements of an audit committee should be defined in an audit committee charter.

Areas to consider including in an audit committee charter (Included: [ ])

Purpose of the charter
Detail the functional and organisational framework for the audit committee to operate, for example:
The audit committee is a sub committee of the Responsible Body. The audit committee is established to assist the Responsible Body fulfil its governance and oversight responsibilities including the:
• financial reporting process including annual financial statements
• effectiveness of the internal audit function
• scope of work, independence and performance of the external auditor
• agency’s process for monitoring compliance with laws and regulations and financial code of conduct

Roles and responsibilities
Define the requirements for roles and responsibilities of the audit committee, for example:
• ensuring management has appropriate processes for identifying, assessing and responding to risks [ ]
• evaluating the overall effectiveness of the internal control and risk management frameworks and consider if management has implemented recommendations made by internal and external auditors [ ]
• overseeing the periodic financial reporting process implemented by management and review interim financial statements, annual financial statements and preliminary announcements before release [ ]
• reviewing the effectiveness of the system to monitor against compliance with laws, regulations and internal policies [ ]
• reviewing external audit’s proposed audit scope and approach for current year and discuss with external audit significant findings and recommendations [ ]
• reviewing the activities, resources and organisational structure of the internal audit function

Areas to consider including in an audit committee charter continued (Included: [ ])

Accountability and reporting
State the accountability and reporting requirements for the audit committee, for example:
• be fully accountable to the Responsible Body14 [ ]
• meetings are to be minuted to ensure audit committee is addressing discharging its responsibilities2 [ ]
• minutes are to be provided to the Responsible Body at the next meeting (or at agreed interval where Responsible Body is not a board) [ ]

Meeting attendance and schedule
State the attendance and meeting requirements, for example:
• meetings are to be held not less than four times a year2 [ ]
• meetings should correspond with agency’s financial reporting cycle [ ]
• only committee members are entitled to attend meetings [ ]
• the Accountable Officer and CFAO are to attend relevant sections of the meetings by standing invitation – they are not members of the committee15 [ ]
• other invitees can be included e.g. internal audit and external audit representatives [ ]

14 This is a mandatory requirement as per Direction 2.2 (i) (Direction Requirement 4 (i))
15 This is a mandatory requirement as per Direction 2.2 (k) (Direction Requirement 4 (k))


Audit committee membership requirements and member qualifications

Requirements for audit committee membership are designed to ensure the committee has the appropriate skills and experience required to fulfil its roles and responsibilities effectively. Membership requirements should be specified in the charter.

Areas to consider including in an audit committee charter (Included: [ ])

Composition, structure, membership and skills
Outline the membership requirements and structure of the audit committee16, including for example:
• the number of members comprising the audit committee17
• at least two members of the audit committee are to be independent5
• independent members are acknowledged as being independent in the annual report5
• each member of the audit committee must have and maintain a number of skills including for example, basic financial literacy, relevant industry knowledge and business experience18
• at least one member must have appropriate expertise in financial accounting or auditing6
• the Chairperson is to be one of the independent members and not also the Chairperson of the Responsible Body unless exemption has been obtained19
• the Responsible Body is to review membership at least every three years20
• new members are provided with all relevant and necessary information by the CFAO21

16 This is a mandatory requirement as per Direction 2.2 (h) (Direction Requirement 4 (h))
17 This is a mandatory requirement. Please refer to Direction 2.2 (f) and (g) for specific membership details (Direction Requirement 4 (f),(g))
18 This is a mandatory requirement. Further detail is outlined in Direction 2.2 (n), (o), (p) and (q) and Guidelines 6 and 7 (Direction Requirement 4 (n),(o),(p),(q))
19 This is a mandatory requirement. Further detail is outlined in Direction 2.2 (l) and (m)
20 This is a mandatory requirement as per Direction 2.2 (s) (Direction Requirement 4 (s))
21 This is a mandatory requirement as per Direction 2.2 (r) (Direction Requirement 4 (r)). Also refer to further information available in this material.

Audit committee member induction

Audit committee members require a range of information to develop their knowledge and fulfil the obligations of their role. Agencies should consider developing an induction program to ensure audit committee members have access to the relevant information and are able to gain an adequate understanding about the agency and its operations.

The following is a list of areas to consider in the development of an induction program.

Suggested information / steps to include in an induction kit (Included: [ ])

Meet with key personnel [ ]
To assist in obtaining an adequate understanding of the financial situation and industry within which the Public Sector Agency operates Members should meet:
• the Accountable Officer (where applicable)
• the Board, or representatives from the Board (where applicable)
• appropriate senior or key members of management (for example the CEO, CFAO etc.)

Provide general information about the agency: [ ]
• Outputs, products and services of the agency
• Overview of the governance, risk management and internal control framework
• Major statutory or other reporting requirements
• Financial and accounting policies along with details of major financial reporting systems
• Areas of risk (both financial and non-financial) ideally presented in a summary risk profile or equivalent
• Overview of any outsourced service arrangements or major contracts
• Areas of recent or immediate particular concern
• Any involvement in litigation or other disputes with third parties
• Contingencies being faced
• Code of Conduct, Code of Financial Practice and the audit committee’s role in overseeing management’s monitoring of compliance with the Codes
• Organisational structure with details about the senior management team
• Any recent or planned systems modifications or organisational restructures


Suggested information / steps to include in an induction kit (Included: [ ])

Provide audit committee information: [ ]
• The audit committee charter outlining its role and responsibilities, composition, structure and membership requirements
• Copies of recent audit committee minutes and reports from the audit committee to the Responsible Body
• The annual audit committee programmes/plan detailing the number, date, time and standing agenda items for each meeting etc.

Other Committee Arrangements: [ ]
• Details of relevant Responsible Body sub committees and other relevant committees including their charters, for example Finance Committee, Risk Management Committee etc.
• External advisors available to support the relevant committees, including the audit committee
• Public Sector Agency staff available to support the relevant committees, including the audit committee

Internal Audit Arrangements: [ ]
• The governance and reporting arrangements for internal audit
• The responsibilities of the internal audit function i.e. fraud, risk management, internal controls etc. This could be achieved by providing a copy of the Internal Audit Charter and/or contract with outsourced provider (where relevant)
• Details about the internal audit team - their qualifications/experience, scope of services, period of contract, fees etc. (where relevant)
• The current year’s internal audit plan, and future years if applicable and the status of work against the approved plan
• Examples of information the audit committee receives from internal audit e.g. recent and previous reports
• Results of recent independent reviews that were not included in the internal audit plan

External Audit Arrangements: [ ]
• The scope and timing of the external audit and/or latest audit strategy and status for the current year
• Examples of information the audit committee receives from the external auditors
• The audit committee’s relationship with the Auditor-General’s Office and/or its service providers

Audit committee relationships and reporting

The audit committee should report directly to the Responsible Body. It is usually a sub-committee of the Responsible Body that has no separate authority unless this has been specifically delegated. The responsibility for decisions, performance and outcomes of the agency therefore remains with the Responsible Body.

It is essential that the audit committee, management, internal and external auditors work with a common purpose in improving financial reporting and greater effectiveness of internal controls. To succeed with this, audit committees should work closely with management and internal audit within an agency to ensure relevant information is obtained and reported in a timely manner.




                                                                                               Overview of other audit committee requirements under the Directions
Areas to consider including in an audit committee charter                    Included
                                                                                               There are a number of other Direction requirements to be met by audit
Relationships and access22
                                                                                               committees other than those articulated in Direction 2.2.
Outline the audit committee‟s access to, for example:
                                                                                               The table below provides a summary of the high level detail of the
 the internal and external auditors without the presence of                                  Directions that relate to audit committees. Please refer to the Directions for
     management
                                                                                               specific information.
 the Accountable Officer, CFAO and management                                   
 independent expert advise                                                      
Include that the audit committee has the right to seek explanations,                          High level detail of Directions relating to audit committees                  Complete?
additional information and the ability to seek assistance to undertake its                     Direction 2.2: Financial governance – audit committees
oversight responsibilities
                                                                                               Mandatory requirements for this Direction are outlined in the audit committee charter
Detail the evaluation and review responsibilities including:
                                                                                               checklists above.
 evaluate at least annually the committee‟s own performance and
                                              2
  report the results to the Responsible Body including a review of the
  individual members and collectively as a committee – see
  Attachment 2 for a template questionnaire
• formally assess the achievement of duties specified in the charter
  and report findings to the Responsible Body
• requirements for the approval and review of the audit committee
  charter including for example:
   - review the audit committee charter periodically but at least every
     three years with recommendations for updates approved by the
     Responsible Body⁴
   - that the Responsible Body is to approve the audit committee
     charter (including any proposed changes and/or amendments)⁴   ☐
• details of a resolution process for situations where the audit
  committee or individual members cannot obtain adequate access to
  or response from the Responsible Body, CFAO and/or management.   ☐

Direction 2.5: Internal audit
• Approve the internal audit charter   ☐
• Approve the internal audit plan   ☐
• Annually review the focus of the internal audit plan and its fit with the
  risk profile and work of external audit   ☐
• Annually review internal audit's performance   ☐
• Annually confirm that the internal auditor has not been influenced by
  management and/or has had problems with management   ☐
• At least annually meet privately with internal audit   ☐
• Fulfil the following tasks:   ☐
   - approve management response to audit recommendations
   - monitor actions taken to resolve audit issues identified
   - advise management to adopt recommendation on a timely basis




22 These are mandatory requirements as per Direction 2.2 (t), (u) and (v) (Direction Requirement 4 (t),(u),(v))


High level detail of Directions relating to audit committees continued          Complete?
Direction 2.6: External audit
• Members are to have a clear understanding of the role of the external
  auditor (the Auditor-General)
• Consider results from the external audit
• Invite the external auditor to attend relevant meetings. Discussions
  are to include:   ☐
   - proposed audit objectives
   - briefing on the process
   - accounting issues potentially impacting the financial statements
   - outcomes of the audit
• At least annually meet privately with external audit
• Monitor rectification of issues identified by the Auditor-General and
  investigate reasons for any material adjustments to the accounts.
Direction 4.2 Reporting requirements in terms of Part 7 of the FMA
• Review and recommend the financial statements prior to finalisation
  and submission (if relevant e.g. if delegated by Responsible Body)

Direction 4.5.1 Compliance with Directions
• Annual review of FMCF compliance certification checklist (where
  relevant e.g. if delegated by Responsible Body)²³ and including:   ☐
• review the results of the annual Financial Management Compliance
  Framework certification process prior to its finalisation based on:   ☐
   - an understanding of the business
   - prior management reporting of the implementation of financial
     management compliance action/rectification plans
   - internal audit findings on work performed
   - findings of any external audit reviews
• make enquiries of management in relation to any identified or
  emerging issues and their associated rectification plans   ☐
• include financial management compliance as a standing audit
  committee agenda item   ☐
• ensure that internal audit continue to be proactive in the monitoring of
  financial management compliance and risk areas   ☐
• encourage management to implement a culture of compliance
  throughout the entity   ☐
• review implementation of the Victorian Government Risk Management
  Framework and check annual attestation by the Accountable Officer   ☐




23 Note: This is not a mandatory requirement as per the Directions, rather good practice as outlined in the Guideline to the Direction


High level detail of Directions relating to audit committees continued       Complete?
Direction 4.5.2 Taxation
• Annual tabling of certification of compliance with tax rules (where
  relevant e.g. if delegated by Responsible Body)¹²   ☐
• Active involvement in tax compliance matters²⁴   ☐
• Obtain regular reports and updates from management on the tax
  position, any issues and compliance status of the agency¹³   ☐
Direction 4.5.3 Purchasing card
• To oversee the compliance with the Rules and consider them in the
  broader risk management strategy of the agency e.g. include in
  internal audit program¹³   ☐
• In the event of a significant instance of unauthorised use of the
  purchasing card obtain a report as soon as the inquiry into the issue is
  complete. Note that the report is also sent to the Minister for Finance
  and agency's minister.   ☐
• Where the Accountable Officer uses a purchasing card the
  Chairperson is to authorise expenses incurred.   ☐
Direction 4.5.4 Thefts and losses
• Active involvement in the monitoring and reporting of thefts and
  losses¹³   ☐
Direction 4.5.5 Risk management compliance
• Agree with the agency's attestation of compliance with the Victorian
  Government Risk Management Framework¹³   ☐




24 Note: This is a requirement of the Rules or Framework accompanying this Direction


                 Template for an Audit Committee and/or Internal Audit
                  exemption application to be used as guidance only



Attachment 1
Template for an Audit Committee and/or Internal
Audit exemption application




User Note:
This template is generic and must be amended to suit.




Internal Audit Committee and/or Internal Audit Exemption Template Version 1 (September 2009)
<Minister for Finance>
<name and address details>
<>
<>

<Date>

Application for exemption – Standing Directions of the Minister for Finance under the Financial
Management Act 1994

Dear Minister

I am writing to apply for an exemption from certain provisions of the Standing Directions of the
Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994. The table
below details the specific Direction(s) which this agency seeks an exemption from, the reason for
exemption and the proposed alternative procedure(s) or action(s).

Direction Reference   Direction            Reason            Alternative procedure/action
<insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>
<insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>

[Attach appropriate documentation to support reason for exemption]
[Attach copy of latest audited financial statements and accompanying notes]

Should you wish to discuss the matter, please contact <insert names and phone numbers of relevant
contacts>.

Yours sincerely

<signed by the Chair of the Responsible Body>

<Title>
<Agency>

cc: Assistant Director, Compliance, Budget and Financial Management, Department of Treasury and Finance²⁵




25 A copy of this letter should be sent to Assistant Director, Compliance, Budget and Financial Management, Department of Treasury
and Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002


         Template for Audit Committee Self-Assessment Questionnaire
                         to be used as guidance only


Attachment 2
Template for an Audit Committee Self-Assessment Questionnaire




User Note:
This template is generic and must be amended to suit.




Self-Assessment Questionnaire Template Version 1 (September 2009)
Audit Committee Self-Assessment Questionnaire
Introduction
The purpose of the review is to enable the Audit Committee members to critically assess the
Committee's operations and performance and either:
•     confirm the appropriateness of existing procedures, or
•     provide suggestions for improvements to procedures.
The survey asks you to consider how well the Committee has performed in relation to the major
functional areas defined in the Charter²⁶. The results of the survey, and its discussion at the meeting, will
form the basis of a report to the Responsible Body.
Process
 Action                                                                                                                       Timing
 Committee members complete survey.

 Survey results to be consolidated by [insert appropriate officer].

 Committee discusses survey results and potential improvements.

 Committee agrees a self-assessment rating and actions it will undertake to improve performance.

 Committee reports agreed survey results and suggested improvements to the Responsible Body for endorsement

Please complete and return the attached questionnaire to [insert appropriate officer] by [insert date]
in order for the results to be collated and a report prepared for [insert date of appropriate Audit
Committee].
The Audit Committee's Charter and annual work-plan²⁷ should be referred to when answering the
questionnaire.
Respondents are not limited to the space provided. If additional space for comments is required, please
either use the reverse side of the page, or attach an additional sheet at the end of the questionnaire.
If you have any queries about the questionnaire itself or the process and timing of its completion, please
contact [insert appropriate officer].
Survey - Rating Scale

Questions ask you to assess the performance of the Committee in relation to its activities as described in
the charter. Using the rating scale below as a guideline, circle the number that best reflects your assessment.
 Rating    Description
      0    No evidence that the Committee has met any of its responsibilities in this area. Extensive improvements required,
           approaching worst in field.
     2–3   The Committee has partially met some of its responsibilities in this area. Considerable improvements required.
      5    The Committee has fully undertaken some of its responsibilities in this area. Major improvements required,
           approaching middle of field.
     7–8   The Committee has fully undertaken most of its responsibilities in this area. Minor improvement required, but
           approaching best in field.
     10    The Committee has fully undertaken all its responsibilities in this area. It would be expected that independent
           assessment would find that [insert name of Public Sector Agency] is a leader in this field.




26 This survey is based on the “Purpose and Objectives” as described in the example Audit Committee Charter provided as part of
the guidance material to accompany the Ministerial Directions to the Financial Management Act 1994. Refer Appendix A for detail.
The specific questions will need to be tailored to the specific requirements of the Public Sector Agency's Audit Committee's Charter
and Membership.
27 Where an annual plan exists


                                                                 Name:

1. How well is the Audit Committee achieving its purpose and objective to oversee:
   a. Financial performance and the financial reporting process, including the annual financial statements
   0          1           2          3           4           5          6           7           8            9   10

   b. The scope of work, performance and independence of internal audit
   0          1           2          3           4           5          6           7           8            9   10

   c. Ratifying the engagement and dismissal by management of any chief internal audit executive
   0          1           2          3           4           5          6           7           8            9   10

   d. The scope of work, independence and performance of the external auditor
   0          1           2          3           4           5          6           7           8            9   10

   e. The operation and implementation of the risk management framework
   0          1           2          3           4           5          6           7           8            9   10

   f.   Matters of accountability and internal control affecting the operations of the Public Sector Agency
   0          1           2          3           4           5          6           7           8            9   10

   g. The effectiveness of management information systems and other systems of internal control
   0          1           2          3           4           5          6           7           8            9   10

   h. The acceptability of and correct accounting treatment for and disclosure of significant transactions
      which are not part of the Public Sector Agency's normal course of business
   0          1           2          3           4           5          6           7           8            9   10

   i.   The sign off of accounting policies
   0          1           2          3           4           5          6           7           8            9   10

   j.   The public sector agency's process for monitoring compliance with laws and regulations and its own
        code of conduct and code of financial practice
   0          1           2          3           4           5          6           7           8            9   10

   k. Reasons for your assessment.




   l.   What are your suggested improvements?




2. How well has the Audit Committee interacted with the internal audit function of [insert name of Public
    Sector Agency]?
   0        1       2        3         4          5         6          7         8         9      10

    a. Reasons for your assessment.




    b. What are your suggested improvements?




3. How well has the Audit Committee undertaken its responsibility to provide an independent and objective
    review of the financial statements presented by [insert name of Public Sector Agency] to Parliament?
   0         1          2         3         4         5        6         7        8        9        10

    a. Reasons for your assessment.




    b. What are your suggested improvements?




4. How well has the Audit Committee undertaken its responsibility to report periodically to the Responsible
    Body and senior management on the activities of the Committee?
   0        1        2       3          4           5       6           7         8           9       10

    a. Reasons for your assessment.




    b. What are your suggested improvements?




5. How well has the Audit Committee undertaken its responsibility to satisfy itself that appropriate action is
    taken on matters raised in respect of [insert name of Public Sector Agency] by the Auditor-General
    and Internal Audit?
   0         1          2        3         4        5       6           7            8        9          10

    a. Reasons for your assessment.




    b. What are your suggested improvements?





User guide to Standing Direction 2.3
Direction Requirement 5

Financial Risk Management




FMCF User Guide: Standing Direction 2.3 (Direction Requirement 5) – Financial Risk Management
Version 1 (September 2009)

Financial Risk Management

Introduction
Direction 2.3 of the Standing Directions of the Minister for Finance (the
Directions) outlines a number of requirements that agencies need to adopt
in relation to managing risks associated with financial management.

In particular, Direction 2.3 requires agencies to:
• ensure that there is a financial risk management policy and internal
  control system in place, and
• implement an effective framework to identify, assess, monitor,
  manage and report, on an ongoing basis, the significant financial risks
  to which the agency is exposed as a result of, and in the course of,
  its activities and responsibilities.

Implementation and operation of an agency's financial risk management
framework rests with management within that agency. Oversight of the
framework and its operation rests with the Responsible Body.

The management of financial risks may be a component of an agency's
overall enterprise wide risk management framework in line with the
Victorian Government's Risk Management Framework (VGRMF).²⁸

This material provides an overall checklist for:
• oversight by the Responsible Body of the framework and its operation
• steps to assist in the implementation of the Agency's financial risk
  management framework.

Oversight by the responsible body
The Responsible Body may use its Audit Committee to oversee the
effective operation of the financial risk management framework. As
detailed within Direction 2.3(a) of the Directions the Responsible Body
must:

Requirements in Direction 2.3(a)                               Achieved   Yet to be achieved
The responsible body has:
ensured that there is a financial risk management policy
in place within the agency.                                       ☐          ☐
ensured that the financial risk management policy
outlines roles, responsibilities and accountabilities of the
Responsible Body, audit committee, management and
internal audit                                                    ☐          ☐
ensured management has implemented an effective
financial risk management framework                               ☐          ☐
a clear understanding of the significant financial risks
facing the agency                                                 ☐          ☐
regularly, and at least annually, critically appraised and
challenged the financial risk profile prepared by
management                                                        ☐          ☐
provided clear guidance on the level and categories of
financial management risk it regards as acceptable for
the agency                                                        ☐          ☐
provided oversight and supervision of financial
management risks and the implementation of the related
management plans/treatment strategies                             ☐          ☐
regularly and at least annually, reviewed the
effectiveness of the agency's system of risk
management and internal control.                                  ☐          ☐

28 Direction 4.5.5 outlines the requirements in relation to Risk Management Compliance
and the VGRMF




Implementation of a financial risk management framework
In order to satisfy the requirements of Direction 2.3, a financial risk
management framework could be structured using the following
components.

Financial risk management framework and processes in relation to:
• Day-to-day financial activities
• Budgeting processes
• Monitoring and reporting activities

Guidance for potential steps within each component has been detailed
below in the form of a checklist.

Day-to-day financial and risk management processes
Step  Example of detail for potential steps                            Yes  No  N/A
  1   Identification of significant financial management
      processes. This may vary from agency to agency
      depending on the nature of operations of the agency.              ☐   ☐   ☐
  2   Ensure that adequate and up-to-date policies and
      procedures exist for significant financial management
      processes.                                                        ☐   ☐   ☐
  3   Document the key “compliance” and “operations”
      objectives for each financial management process
      identified.²⁹                                                     ☐   ☐   ☐
  4   No less than annually, identify and assess the risks
      relevant to the achievement of those objectives.                  ☐   ☐   ☐
  5   Based on the risks identified, identify the key controls
      which reduce their likelihood and/or impact and determine
      whether residual risk is reduced to an acceptable level
      (i.e. assess design effectiveness).                               ☐   ☐   ☐
  6   Where deficiencies in internal control are identified,
      develop action plans to remediate.                                ☐   ☐   ☐
  7   Develop and undertake a program of activities to obtain
      assurance that the key elements of internal control
      operate effectively throughout the year (i.e. assess
      operating effectiveness). This may include a combination
      of:                                                               ☐   ☐   ☐
      • Testing of key internal control activities by internal
        audit.
      • Risk and control assessment by management and
        staff.
      • Management and staff representations over the
        operation of internal controls.
  8   Where internal controls are not operating as intended,
      develop and implement appropriate remedial action
      plans.                                                            ☐   ☐   ☐

29 Supplementary Material on Direction 2.2 “Financial Governance” outlines the steps that should be taken
in order to manage risks associated with the financial reporting process. It is recommended that the steps
outlined here be read in conjunction with that Supplementary Material and that agencies combine their
activities to respond to Directions 2.2 and 2.3.




Budgeting processes                                                                           Monitoring and reporting activities
Step Example of detail for potential steps                       Yes     No     N/A            Step Example of detail for potential steps                           Yes   No   N/A
  1    At the commencement of each budget planning process                                   1     Continue to monitor financial performance against budget
       an agency should take into account the following:                                              throughout the course of the year both at Management                   
        The strategic plan, the annual plan development with                                         and Responsible Body levels.
         project identification.                                                                2     Identify new financial risks as they emerge and/or change              
        Identification of risks and risk response strategies.                                  3     Re-forecast budgets at least quarterly, or more frequently
        Communication to relevant internal and external                                              if necessary, and submit to Responsible Body for review.
                                                                                                                                                                             
         stakeholders.
                                                                                                4     Periodically throughout the course of the year review the              
        Potential funding arrangements.                                                              financial risk profile at both management and
  2    Each agency should develop detailed financial budgets                                          Responsible Body levels. This would include:
       consistent with the framework, either on a rolling or                                           Status of key assumptions and variables underlying
       annual basis to be aligned with strategic and other
                                                                              
                                                                                                         budgets.
       business plans.                                                                                 Status of key risks identified in financial processes
  3    As part of the budget development process, sensitivity                                            (including any new risks identified).
       analysis should be conducted around those assumptions                                           Status of action plans arising from financial risk
       and variables that could materially impact budgeted
                                                                              
                                                                                                         assessment exercise.
       outcomes.
                                                                                                       The operation of key financial control activities (as per
  4    For each variable that could materially impact budgeted                                           assurance activities described above).
       outcomes, risk response strategies should be considered                                      Any control related observations made by the Agency‟s
       and action plans developed as appropriate.                                                        assurance providers e.g. external and internal auditors.
  5    Management should submit the proposed budget to the
       Responsible Body for approval.
                                                                              
  6    The Responsible Body should review the proposed
       budget, including sensitivity analysis around key
       assumptions and variables as well as management‟s                      
       proposed risk response strategies, and approve where
       satisfied.




User guide to Standing Direction 2.4
Direction Requirement 6

Authorisations




FMCF User Guide Standing Direction 2.4 (Direction Requirement 6) – Authorisations   45
Version 1 (September 2009)
Authorisations

Introduction

The Standing Directions of the Minister for Finance (the Directions) require agencies to establish and maintain authorisations for the overall financial management of the agency under Direction 2.4 (Direction Requirement 6). The authorisations must include any financial obligations including contingent liabilities arising on behalf of the agency.

Direction 2.4 outlines a number of detailed requirements in relation to authorisations. The table below outlines areas to consider in relation to the implementation of authorisations.

Please note the * denotes considerations that are not mandatory requirements in Direction 2.4.

Areas and detail to consider in relation to authorisations   (Considered?)

The agency has clearly defined authorisations/delegations in place for all financial obligations made on behalf of the agency that:
• refer to positions rather than specific individuals
• are allocated to positions that have an appropriate level of authority*.

Processes are in place to ensure:
• authorisations cease immediately when the position has a change in title or there is a material change in the duties of the position
• internal controls are not compromised where multiple financial authorisations are assigned to a single position
• continuous running of the agency in the absence of the holders of an authorised position e.g. a person acting in a position*
• re-assessment of financial authorisations where the agency is restructured e.g. a restructure affecting 50% or more of the positions.*

Documentation to support authorisations is:
• retained in line with legal requirements for document retention and record keeping, including an ability to track changes made to authorisations over time
• maintained in a register of financial authorisations. The register contains, for example, the:
   – list of positions holding financial authority for transaction types
   – transaction types e.g. requisitions, liabilities, payment approval*
   – dollar amounts and caps for transaction and authorisation types*
   – list of staff names holding positions with regular updates of the list*

The Responsible Body [30] at least annually reviews and, where relevant, makes changes to the agency’s authorisations including the:
• positions holding authorisations
• categories and types of financial authority
• processes and controls over authorisations*
• maintenance of the register of financial authorisations.

A financial authorisation cannot be given to:
• another position without appropriate authority/approval i.e. not just an authorised individual
• a contractor or consultant.

Further considerations for the Responsible Body

The Responsible Body should also consider the following as a part of the annual review:
• Is there any evidence of non-compliance with authorisations?
• Are there instances where authorisations are not operating effectively?
• Is there any evidence of fraud?
• Are there any concerns about conflicting authorisations?
• Have there been any significant changes to the structure, objectives and roles of agency?

If the answer to any of the above questions is “yes”, the matter should be investigated further and a complete review of the authorisations and relevant controls and processes should be considered.

30 In the case of a Government Department, the Responsible Body for the purposes of this Direction is the Minister. The Minister may delegate to the Department’s Secretary some or all of the responsibilities for this Direction, but only up to the Secretary’s Accreditation Limit as defined by the Victorian Government Purchasing Board’s purchasing accreditation of the Department. Refer to the Standing Directions for further detail.




User guide to Standing Direction 2.5
Direction Requirement 7

Internal Audit




FMCF User Guide: Standing Direction 2.5 (Direction Requirement 7) – Internal Audit   47
Version 1 (September 2009)
Internal Audit

Introduction

Direction 2.3 (Direction Requirement 7) of the Standing Directions of the Minister for Finance (the Directions) requires, unless an exemption has been obtained, an agency to establish and maintain an adequately resourced independent internal audit function appropriate for its needs.

Purpose of internal audit

The Institute of Internal Auditors globally define internal auditing as follows:

      Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an agency to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Internal audit is a part of an agency’s governance framework. It works with management and the Responsible Body to provide an independent and objective assessment of the efficiency and effectiveness of controls, potential control gaps and whether controls in place are working as intended.

The role of internal audit also includes the development of practical and useful recommendations for improvement - to enhance opportunities and control deficiencies.

Internal audit coverage

Internal audit can cover all aspects of an organisation’s functions, for example:
• financial processes and controls
• operational processes and controls
• risk management framework monitoring
• IT controls including: information quality, integrity, reliability
• project / program management
• special investigations and ad hoc reviews.

Resourcing internal audit

The work for internal audit is to be carried out by suitably qualified staff that are independent of management and free from operational duties.

The internal audit function can be resourced in-house, through a co-sourcing arrangement, or fully outsourced.

Access for internal auditors

The internal auditors should have access across the organisation to ensure an in-depth understanding of the business, culture, systems and processes can be developed.




Processes for obtaining exemption for an internal audit function
The Directions permit agencies to apply for an exemption from establishing an internal audit function. A number of parameters must be met to ascertain
whether an agency is permitted to apply for an exemption.
The exemption process is outlined in the steps below. Also, Attachment 1 provides a template for the exemption application.


Internal Audit Exemption Process

Step 1: Agency size
• A number of parameters are taken into account when determining an agency’s size and eligibility for exemptions.
• The parameters include Total Budget, Total Assets, Number of Full Time Equivalent Employees and Financial Risk Profile; their scores must be totalled. The table below provides scores for each parameter.
• Agencies with an aggregate score (across all four parameters) of:
   – less than or equal to 10 are able to seek an exemption, continue to Step 2
   – more than 10 cannot seek an exemption.

Step 2: Exemption application
• Agencies that meet the requirements can seek an exemption via a written submission to the Minister.
• A copy of the submission must also be sent to DTF with a set of the agency’s most recently audited financial statements.
• See the example template exemption letter.

Step 3: Exemption approval
• Exemption applications are assessed on a case by case basis and DTF may request additional information.
• Exemptions are only granted for the one compliance year (1 July to 30 June).
• Agencies granted an exemption must follow the “exemption confirmation process” the following year.

Scoring Parameters for Step 1 Internal Audit exemption:

Parameter                                      Small    Score   Medium         Score   Large    Score
Total Budget [1]                               <$10m    2       $10m – $20m    4       >$20m    6
Total Assets [2]                               <$10m    2       $10m – $20m    4       >$25m    6
Number of full time equivalent employees [3]   <20      2       20 – 50        4       >50      6

Financial Risk Profile   Score   Details
Low                      2       Agency has responsibility for managing their budget with no significant financial transactions with third parties.
Moderate                 4       Agency has responsibility for managing their budget with limited significant financial transactions with third parties.
High                     6       Agency has responsibility for managing its budget with significant transactions with third parties.

1. Total Budget $m refers to Total Budgeted Expenditure
2. Total Assets $m amount should be derived from the last audited financial statements
3. A measurement equal to one staff person working a full-time work schedule for the current compliance year




Processes for obtaining exemption confirmation for an internal audit function
Exemptions are granted by the Minister for one financial year (from 1 July to 30 June) only.
Agencies requiring extensions on their exemptions need to complete the exemption process outlined in the steps below.

Exemption Confirmation Process
(When? / What? / How?)

Nov / DTF contacts agencies
DTF compliance unit contacts agencies that have previously been provided exemptions.
DTF compliance unit seeks written confirmation that:
• an exemption is still required; and
• there have been no changes in the circumstances surrounding the agency.

Dec-Jan / Agencies respond
Agencies must inform DTF of situations where:
• there has been or will be some change to its operating or governance structures
• its operating functions or parameters have or will be altered
• it is subject to litigation or pending litigation
• the agency has previously been the subject of media attention regarding its financial management activities
• the agency is subject to an internal or external review of any kind
• a significant or material internal control weakness has been identified and is yet to be rectified
• the Auditor-General has provided a qualified audit opinion
• the Auditor-General has been unable to provide an audit opinion on the agency’s financial statements OR
• there has been an increase in the financial and/or political surrounding the agency.

Feb / Assessment
Agency responses are collated and assessed accordingly.
If the circumstances of the agency have altered, the agency will be assessed using the exemption criteria.

Mar / DTF extends exemptions
DTF writes to agencies, informing them if their exemption(s) has been extended for the current compliance year.




Internal audit charter

An agency should define the purpose, responsibilities and accountability of its internal audit function in an internal audit charter.

The development of an internal audit charter is a Direction requirement.

The following checklist outlines areas and detail to consider including in an internal audit charter. Please note that the mandatory Direction requirements are referenced.

Areas and detail to consider including in an internal audit charter   (Included)

Purpose of the charter
Detail the functional and organisational framework for internal audit to operate

Role of internal audit
Define the role of internal audit, for example:
     The role of internal audit is to provide objective assurance to the Audit Committee/Board on the state of risks and internal controls, providing management with recommendations to improve the management of the agency’s risks and enhance controls.
     The role of internal audit is also to assist management in improving the entity’s business performance.

Authority and accountability
Outline reporting and authority of the internal audit function including for example:
• that the internal function reports to senior management [31]
• that the head of internal audit reports to the audit committee who approves and advises the Board on the appointment or dismissal of the head of internal audit.
• that the head of internal audit is responsible for setting the overall direction of internal audit activities and reports

Independence
State the independence requirements, for example:
     Internal audit must be independent of the activities and processes it appraises in order to be able to perform its duties in an objective manner and provide impartial advice to management and the board. [1]
     Internal audit has no line responsibility or authority over any of the activities or operations they review.

Access
Ensure that the internal auditor has direct access to the Chairman of the audit committee [1]
State internal audit’s accessibility to information, for example:
     Internal audit has full, free and unrestricted access to all records and documentation to fulfil its responsibilities. [1]
     Internal audit has the authority to seek any information it requires to fulfil its responsibilities from any employee. [1]

Internal audit planning
Detail the requirements in relation to the internal audit plan including for example:
• that the internal auditor is to develop an annual internal audit plan to address the relevant elements of the agency’s risk profile [32]
• that the internal audit plan is to be approved by the audit committee [33]
• that the audit committee annually review the adequacy and focus of the internal audit work plan and its fit with the public sector agency’s risk profile and work of the external auditors [34]
• that the internal audit plan is typically developed for a three year period to show the coverage across the business over a 3 year cycle

31 This is a mandatory requirement for the internal audit charter as per Direction 2.5 (a) (Direction Requirement 7(a))
32 This is a mandatory requirement for internal audit as per Direction 2.5 (b) (Direction Requirement 7(b))
33 This is a mandatory requirement for internal audit as per Direction 2.5 (c) (Direction Requirement 7(c))
34 This is a mandatory requirement for internal audit as per Direction 2.5 (d) (Direction Requirement 7(d))


Areas and detail to consider including in an internal audit charter, continued   (Included)

Reporting
Outline internal audit’s reporting requirements including, for example:
• report on the overall state of controls to the audit committee at least once annually
• provide a quarterly summary report to be provided to the audit committee
• discuss all reports with management before they are finalised and issued
• issue a report for every review performed containing at a minimum:
   – scope of review
   – findings/issues/observation identified as result of the review that are rated by priority and/or risk level
   – recommendations for improvement relating to findings/issues raised and overall observations
   – agreed management actions and/or remediation plans with timelines and responsibilities

Implementation and monitoring of internal audit outcomes
Outline the requirements for implementation and monitoring of internal audit including, for example:
• that the audit committee approve, review and direct (where appropriate) management’s planned actions and response to advice and recommendations received from the internal auditor [35]
• that the audit committee monitor actions taken by management to resolve issues raised by the internal auditor [5]
• that the audit committee advise management to adopt and address the accepted recommendations from the internal auditor on a timely basis [5]

Review of the internal audit function
Outline the review requirements in relation to the internal audit function including, for example:
• that the audit committee annually review the internal audit function’s performance, its authority, the adequacy of its resources and the proposed allocation of those resources [36]
• that the audit committee annually take steps to confirm that the internal auditor has not been unduly influenced by management or experienced any problems with management [6]
• that the audit committee annually meet separately and privately with management and the internal auditors if necessary to ensure free, frank and open communications [6]

Approval and review of the internal audit charter
Detail the requirements for the approval and review of the internal audit charter including for example:
• the audit committee is to approve the internal audit charter (including any proposed changes and/or amendments) [1]
• review the internal audit charter at least annually to ensure it remains consistent with current strategy and objectives




                                                                                             36
                                                                                               This is a mandatory requirement for internal audit as per Direction 2.5 (d) (Direction
35                                                                                           Requirement 7(d))
  This is a mandatory requirement for internal audit as per Direction 2.5 (e) (Direction
Requirement 7(e))
FMCF User Guide: Standing Direction 2.5 (Direction Requirement 7) – Internal Audit                                                                                                        52
Version 1 (September 2009)
Annual internal audit plan
Agencies must develop an internal audit plan annually that sets out the key
areas for internal audit review for the upcoming year.
Ideally the internal audit plan would be a 3 year rolling plan that identifies
areas to be covered across a 3 year period, including those reviews
undertaken annually, i.e. high risk areas and/or reviews to meet legislative
requirements, e.g. payroll in large organisations and/or purchasing card
reviews as per FMCF requirements.
The internal audit plan should be developed in conjunction with the internal
auditor (and approved by the audit committee) to address relevant
elements of the agency’s risk profile.
Considerations include:
• Does the internal audit plan address key risks of the agency?
• What operational processes and key controls are involved in these
  risk areas?
• Are sufficient time and resources allocated in the plan to reviewing the
  control environment for the risks?




              Template for an Audit Committee and/or Internal Audit
               exemption application to be used as guidance only

Attachment 1
Template for an Audit Committee and/or
Internal Audit exemption application




User Note:
This template is generic and must be amended to suit.



FMCF User Guide: Standing Direction 2.5 (Direction Requirement 7) – Internal Audit             54
Internal Audit Committee and/or Internal Audit Exemption Template Version 1 (September 2009)
<Minister for Finance>
<name and address details>
<>
<>

<Date>

Application for exemption – Standing Directions of the Minister for Finance under the Financial
Management Act 1994

Dear Minister

I am writing to apply for an exemption from certain provisions of the Standing Directions of the
Minister for Finance issued pursuant to section 8 of the Financial Management Act 1994. The
table below details the specific Direction(s) which this agency seeks an exemption from, the
reason for exemption and the proposed alternative procedure(s) or action(s).

Direction Reference   Direction            Reason            Alternative procedure/action
<insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>
<insert ref>          <insert Direction>   <insert reason>   <insert procedure/action>

[Attach appropriate documentation to support reason for exemption]
[Attach copy of latest audited financial statements and accompanying notes]

Should you wish to discuss the matter, please contact <insert names and phone numbers of
relevant contacts>.

Yours sincerely

<signed by the Chair of the Responsible Body>

<Title>
<Agency>

cc: Assistant Director, Compliance, Budget and Financial Management, Department of Treasury and Finance 37




37
  A copy of this letter should be sent to Assistant Director, Compliance, Budget and Financial Management, Department of
 Treasury and Finance, Level 4, 1 Treasury Place, East Melbourne, VIC, 3002





User guide to Standing Direction 2.6
Direction Requirement 8

External Audit




FMCF User Guide: Standing Direction 2.6 (Direction Requirement 8) – External Audit                     57
Version 1 (September 2009)

                                                                             External Audit
Introduction
The Victorian Auditor-General is responsible for the external audit of
financial operations and resource management of the Victorian Public
Sector.
Direction 2.6 (Direction Requirement 8) of the Standing Directions of the
Minister for Finance (the Directions) requires an agency to establish and
maintain a constructive, open working relationship with the Auditor-
General and the appointed representatives.
It is also a requirement of the Direction for the Responsible Body to ensure
that agency staff adopt a cooperative and conservative approach with the
external auditors on relevant auditing matters.
The specific requirements for this Direction should be considered in
conjunction with Direction 2.2 Procedures (e) to (v) in relation to the audit
committee.

Defining an external audit
The objective of an external audit of the financial statements is to
determine whether, in the auditor’s opinion, the statements present fairly in
all material respects, the agency’s financial position, results of operations
and cashflows. Qualified auditors that are independent of the entity
conduct the external audit. In the Victorian public sector the Victorian
Auditor-General conducts the audits as required by The Audit Act 1994.

An external audit comprises a review of:
• an entity’s financial statement
• the data sources, processes and reports used to compile the financial
  statement
• the control environment surrounding financial systems and processes
  within an entity
• the information technology procedures and controls that support the
  entity
• the overall internal control environment

any issues raised as a result of the audit and identify any material
misstatements in the financial statements.

External audit preparation
The following checklist outlines a number of suggestions to consider when
preparing for the annual external audit. It is also advisable to check with
the auditor for any specific requirements and/or requests for information.

Areas and detail to consider when preparing for an annual external audit    Included
General
Copy of Financial Statements at 30 June                                     ☐
Copy of Trial Balance at 30 June                                            ☐
Copy of Trial Balance mapping to financial statements                       ☐
Working papers to supporting notes to the accounts                          ☐
Revenue
Obtain copy of confirmation for contributions received 30 June              ☐
Listing of grants received from the Department and other sources 30 June    ☐
Transaction listing of other revenue                                        ☐
Transaction listing of sales of goods                                       ☐
Expenditure
Transaction listing of payments - include expenditure account codes         ☐
Payroll
Gross Pay per payroll cycle including number of staff paid per cycle        ☐
Payroll Reconciliation - Reconciling Payroll System to Finance              ☐
  System/General Ledger and Financial Statements at 30 June
Cash
Bank Reconciliation at 30 June                                              ☐
Access to monthly bank statements                                           ☐
Copy of responses of bank confirmations for 30 June                         ☐
Supporting documentation for agency’s bank balances at 30 June              ☐


Receivables
Trade Debtors Reconciliation at 30 June                                     ☐
Aged Trade Debtors Listing at 30 June                                       ☐
Listing of other receivables at 30 June                                     ☐
Analysis of Trade Debtors and doubtful debts                                ☐
BAS as at 30 June                                                           ☐
Inventories
Listing of inventories at 30 June                                           ☐
Assessment of Inventories – provision for obsolescence                      ☐
Prepayments
Schedule of prepayments at 30 June                                          ☐
Property, plant and equipment
Listing of asset additions at 30 June                                       ☐
Listing of asset disposals at 30 June                                       ☐
Fixed asset reconciliation between Fixed Asset register and General         ☐
  Ledger at 30 June
Fixed Asset movement schedule at 30 June                                    ☐
Asset revaluation report (if applicable)                                    ☐
Supporting work papers of analysis Revaluation of PPE                       ☐
Payables
Trade Creditors Reconciliation at 30 June                                   ☐
Aged Trade Creditors Listing at 30 June                                     ☐
Listing of accrued expenditure at 30 June                                   ☐
Sundry Creditors Reconciliation at 30 June                                  ☐
Sundry Creditors Listing at 30 June                                         ☐
Employee provisions
Long service leave liability calculation at 30 June                         ☐
Annual leave liability calculation at 30 June                               ☐
Supporting documentation for other employee provisions at 30 June           ☐
Commitments
Schedule of capital expenditure commitments at 30 June                      ☐
Schedule of lease commitments at 30 June                                    ☐
Schedule of other expenditure commitments at 30 June                        ☐
Cashflow
Working papers to support cashflow calculations                             ☐
Financial information
Report on movements in equity and reserves at 30 June                       ☐
Supporting documentation for Auditors remuneration at 30 June               ☐
Supporting documentation for Executive Officer remuneration at 30 June      ☐
Supporting documentation for superannuation disclosure at 30 June and       ☐
  applicable actuary reports for defined benefit superannuation schemes
Correspondence responses received from solicitors for 30 June               ☐
Access to recurring/standing journal folder for financial year              ☐
Supporting documentation for trust account balances and/or corporate        ☐
  donations at 30 June
Supporting documentation for contingent assets and liabilities at 30 June   ☐





User guide to Standing Direction 3.1

Financial Management Structure
Including:
3.1.1   Direction Requirement 9    Public Sector Agency Financial Management Team Structure
3.1.2                              Chief Finance and Accounting Officer (CFAO):
        Direction Requirement 10   CFAO Credentials
        Direction Requirement 11   CFAO Endorsement
3.1.3   Direction Requirement 12   Policies and Procedures
3.1.4   Direction Requirement 13   Chart of Accounts
3.1.5                              Managing Outsourced Financial Services:
        Direction Requirement 14   Outsourcing Governance
        Direction Requirement 15   Audit Scrutiny

FMCF User Guide: Standing Direction 3.1 (Direction Requirements 9 to 15) – Financial Management Structure              61
Version 1 (September 2009)
User Guide to Standing Direction 3.1.1
Direction Requirement 9

Financial Management Structure –
Public Sector Agency Financial Management
Team Structure




FMCF User Guide: Standing Direction 3.1.1 (Direction Requirement 9) – Financial Management Structure Public Sector Agency Financial Management Team Structure   62
Version 1 (September 2009)
                           Public Sector Agency Financial Management Team Structure
Introduction
Standing Direction 3.1.1 (Direction requirement 9) of the Minister for
Finance outlines requirements in relation to an agency’s financial
management team structure.
The Direction states that:

           The Chief Finance and Administration Officer (CFAO)
           must ensure that there is a structure for the financial
           management team with clearly defined roles
           and responsibilities to adequately support sound
           financial management.

This supplementary material provides an outline and high level guidance in
relation to the detail within the Direction.

Financial management team documentation
Direction 3.1.1 specifically requires an agency’s financial management
team to have defined and documented the:
• team structure
• roles and responsibilities for each position with effective and efficient
  allocation of tasks and resources
• prerequisite skills, qualifications and experience required for
  each position.
Documentation should take into account:
• review and monitoring processes across the finance function to
  ensure responsibilities are allocated to specific positions
• segregation of conflicting duties i.e. no one person should have the
  ability to perform, approve or oversee the preparation, processing and
  reviewing of an overall financial function or transaction without the
  involvement and/or oversight by others
• roles that have a number of duties across the agency e.g. within the
  financial function, administration and management of an agency
  and/or human resources.




Financial management functions
There are a number of functions within financial management including:
• budgeting
• financial reporting
• accounts receivable/payable
• procurement
• taxation
• asset management
• financial systems
• accounting policies
• cash management
• project management – financial aspects
  (for further details see User Guide for Standing Direction 3.2.4 –
  IT Development)
• payroll
• management reporting.
These areas and functions should be considered when defining the
structure and allocating roles and responsibilities within the financial
management team.

Roles that cover financial management functions
A financial management team may include the following roles (depending
on the size and nature of the agency/department):
• CFAO
• Financial Controller(s)
• Supervisors/Managers for key financial activities (for example,
  accounts payable, accounts receivable, management reporting,
  budgeting, payroll, general ledger etc.)
• Clerical/Administrative/Processing for each key financial activity
• Corporate Card, Fleet, Lease, Asset Management Administrator(s)
• Contract Administrator
• Payroll Administrator
• System Administrator(s) for the various financial
  management systems.




User Guide to Standing Direction 3.1.2
Direction Requirements 10 and 11

Financial Management Structure –
Chief Finance and Accounting Officer (CFAO):
Credentials and Endorsement




FMCF User Guide: Standing Direction 3.1.2 (Direction Requirements 10 and 11) – Financial Management Structure Chief Finance and Accounting Officer (CFAO):   65
Credentials and Endorsement
Version 1 (September 2009)
                           Public Sector Agency Financial Management Team Structure
Introduction
Standing Direction 3.1.2 of the Minister for Finance relates to the financial
management leadership within a Public Sector Agency (agency).
The Direction outlines requirements for an Agency to appoint a Chief
Finance and Accounting Officer (CFAO) with the appropriate credentials
i.e. suitable experience and qualifications (Direction Requirement 10).
The Direction also requires the CFAO to endorse financial reports to
senior management, the Responsible Body and other boards or
management groups (Direction Requirement 11).
This supplementary material provides an outline and high level guidance in
relation to the detail within Direction 3.1.2 including:
• CFAO credentials (Direction Requirement 10)
  ▪ Qualifications
  ▪ Potential examples of competencies for a CFAO
  ▪ Potential examples of key responsibilities for a CFAO
• CFAO endorsement of financial information
  (Direction Requirement 11)
  ▪ Endorsement
  ▪ Access to the Responsible Body.

CFAO credentials (Direction Requirement 10)
The role of the CFAO must have a clearly defined position description with
prerequisite skills, qualifications and experience.
The duties, rights and responsibilities must also be clearly defined
and documented.

Qualifications
The guidelines to the Direction state that a CFAO should hold at least
tertiary level qualifications and membership of the Institute of Chartered
Accountants in Australia (ICAA), CPA Australia, National Institute of
Accountants (NIA), or equivalent.

Potential examples of key responsibilities for a CFAO
The following is a list of key responsibilities to consider for the
role of CFAO:
• Establishing and directing the Public Sector Agency’s financial
  administrative activities and operational procedures to ensure sound
  financial management.
• In consultation with other senior management, making
  recommendations and devising financial policy approach and
  strategy of the Public Sector Agency as well as planning the
  financial operations.
• Overseeing the development, implementation and monitoring of
  financial accounting and related systems.
• Communicating changes in accounting standards (and guidance
  material) and taxation rulings or legislative requirements.
• Directing the collection of financial and accounting information
  and the preparation of budgets, reports, forecasts and the various
  statements as required by the Model Report for Departments (issued
  annually by DTF).
Potential examples of key responsibilities for a CFAO continued
• Directing and coordinating economic research, major feasibility
  studies involving detailed financial analysis, and estimates of future
  returns on proposed investment.
• Evaluating the financial aspects of proposed acquisitions,
  investments, or the sale of assets and giving assessments of
  proposals involving financial expenditure and of the financial status of
  syndicates, joint venture parties etc.
• Representing the agency in dealings with stakeholders, legal advisers
  and others as required.
• Making policy decisions and accepting responsibilities for operations,
  performance of staff, achievement of targets and adherence to
  budgets, standards and procedures.
• Managing the selection and training of finance staff, establishing lines
  of control and delegating responsibilities to subordinate staff.

CFAO endorsement of financial information (Direction Requirement 11)

Endorsement
The CFAO must endorse all financial information submitted to
senior management, the Responsible Body and peak boards and
management groups.
The CFAO must endorse / approve by physically signing or other
electronic means the financial information to ensure it is:
• complete
• reliable
• accurate.

Access to and involvement with the Responsible Body, executive and senior management
To assist with the understanding of financial information presented to the
Responsible Body it is recommended that the CFAO has access to the
Responsible Body.
The direct access creates the opportunity to question and clarify as well as
independently explain the information presented for completeness,
accuracy and improved quality.
Consideration should also be given to including the CFAO in relevant:
• executive/senior management forums to present financial reports and
  to discuss financial risk management issues
• audit committee meetings particularly when internal audit reports
  relating to financial administration of the Agency are presented and
  the financial statements are being presented for review
• other forums where key decisions with financial management
  implications are made.




FMCF User Guide: Standing Direction 3.1.2 (Direction Requirements 10 and 11) – Financial Management Structure Chief Finance and Accounting Officer (CFAO):                        67
Credentials and Endorsement
Version 1 (September 2009)
User guide to Standing Direction 3.1.3
Direction Requirement 12

Policies and Procedures

Please refer to Section 3.4 of the User Guide




User Guide to Standing Direction 3.1.4
Direction Requirements 13

Financial Management Structure –
Chart of Accounts




Financial Management Structure – Chart of Accounts

Introduction
The Standing Directions of the Minister for Finance (the Directions) require
Public Sector Agencies to:
           establish and maintain a chart of accounts to
           accurately reflect transactions in the financial records
           for management decision-making purposes and to
           ensure compliance with external reporting
           requirements (Direction 3.1.4, Direction Requirement
           13).
The Direction also requires that:
•  the CFAO (or an approved delegate) is responsible for the
   development and maintenance of the chart of accounts
•  there is effective and efficient communication about the chart of
   accounts across an agency
•  Government Departments must use the chart of accounts
   issued by the Minister for Finance to align activities and reporting
   for consistency
•  the nature and purpose of each account within the chart of accounts is
   explained so that capital, revenue and expense items set down and to
   assist with the categorisation of transactions.

Structure of the Chart of Accounts
A chart of accounts outlines accounts that are used to record transactions
in a general ledger. Details within a chart of accounts include the:
•  account name
•  account number.
A chart of accounts is flexible and can be tailored to suit the needs and
structure of an organisation.
The chart of accounts is typically structured to include:
•  Balance sheet accounts
     -  assets
     -  liabilities
•  Income statement accounts
     -  revenue
     -  expenses
     -  profits
     -  losses.
Additional categories should be included in each account for example,
within revenue and expenses business functions such as producing,
selling, administrative and financing could be added.
Additional accounts/information should also be reflected in the balance
sheet to ensure consistency.
Depending on the agency's operations, the chart of accounts could be
based on the agency's organisational structure. For example, each
business area/division could be responsible for its own expenses and
oncosts such as salaries, supplies, communications, accommodation, etc.
An account for each expense would then be created for each business
area/division.



Alignment of the Chart of Accounts
An agency should ensure the structure of the Chart of Accounts fulfils the
requirements of the portfolio and the Department of Treasury and Finance.
A Chart of Accounts that is structured to align with the portfolio would
enable straightforward and consistent reporting.

A consistent chart of accounts enables financial information to be:
•  analysed and compared over time (current vs previous data)
•  published in a consistent and clear format across Government.

Financial reporting against the Chart of Accounts
Agencies should consider the structure of the Chart of Accounts in line
with reporting requirements (annual and progressive estimates) and
ensure consistency with the audited financial statements.

It is recommended that agencies limit their use of 'other' categories in the
chart of accounts, to ensure comprehensive identification of transactions
and minimise queries from the portfolio and the Department of Treasury
and Finance at year end.

Overall considerations for a Chart of Accounts
The checklist (below) provides an outline of high level considerations of the
Chart of Accounts in relation to:
•  development and structuring
•  day to day financial operations
•  review and maintenance.

Chart of Accounts (CoA) – checklist                                           Included

Development and structure of the CoA
Has there been a restructure or Machinery of Government change                  ☐
impacting the CoA?
Have any changes or updates to the CoA been approved by your                    ☐
agency's CFAO or their delegate?
Is the CoA sufficiently detailed and logically structured to allow useful       ☐
and timely management reporting and financial reporting?
Is the CoA consistent with legislative and professional                         ☐
accounting requirements?
Does the CoA provide for effective departmental budgeting, reporting            ☐
and monitoring of the output management principles and practices?
Are "other" categories used? Can they be reclassified?                          ☐

Operations
Is the CoA incorporated into the financial process? e.g. updating the           ☐
general ledger and relevant accounts during financial payments?
Is your CoA communicated efficiently and effectively to all officers within     ☐
your public sector agency?

Review and Maintenance
Does your agency's CoA align with the reporting requirements of the             ☐
Department of Treasury and Finance (DTF)? e.g. is there a map or a
relationship table between your agency's CoA and whole of government
requirements as issued by DTF?
Has the CoA been maintained and updated in a timely manner so that it           ☐
meets the objectives of your agency? Is there a map to reference
changes across years for year to year comparison?




User Guide to Standing Direction 3.1.5
Direction Requirements 14 and 15

Financial Management Structure –
Managing Outsourced Financial Services:
Outsourcing Governance and Audit Scrutiny




Financial Management Structure –
Managing Outsourced Financial Services: Outsourcing Governance and Audit Scrutiny

Introduction
The Standing Directions of the Minister for Finance (the Directions) require
that agencies ensure effective management of outsourced financial
functions and related services (Direction 3.1.5, Direction Requirements 14
and 15).

This supplementary material has been developed to assist agencies in
implementing and managing their own outsourced services; and to provide
guidance for maintaining appropriate control over the end to end life cycle
of outsourced functions.

The material also details elements of cost benefit analysis and audit
scrutiny to assist with specific aspects of Direction 3.1.5.

This supplementary material includes the following information:
•  The definition of outsourcing
•  Impact of legislation on outsourcing
•  Spectrum of outsourcing
•  Outsourcing lifecycle
    1.  Strategy and approach
    2.  Requirements and selection
    3.  Negotiation and agreement
    4.  Transition and implementation
    5.  Maintenance and management
    6.  Realisation of benefits
    7.  Amendment or termination
•  Cost Benefit Analysis
•  Audit scrutiny of outsourced services.

The definition of outsourcing
Outsourcing is a process by which a specific service or group of services is
provided for the agency by a third party through an agreement e.g.
contract. Typical drivers for outsourcing include cost savings, improved
quality, access to specialised skills and other efficiencies.

Impact of legislation on outsourcing
Where an agency relies on outsourced services, appropriate procedures
should be in place to manage the associated risks to ensure all legislative
requirements are being met.

The Public Sector Agency should be aware that outsourcing does
not diminish the responsibilities of the Chief Finance and Accounting
Officer (CFAO) and the Accountable Officer for the outsourced function -
in summary, a service can be outsourced but the risk cannot.
Direction 2.2(d) and (w) requires annual sign-off that the agency's:
           i)      financial reports are presented fairly
           ii)     risk management, internal compliance and control framework is sound
           iii)    internal control framework is operating effectively and efficiently.
This is relevant for all functions within an agency including
those outsourced.
Direction 3.1.5 also outlines specific requirements for outsourced financial
functions. The underlying concepts included in this Direction are relevant
to all outsourced services. As stated in Guideline (i) to Direction 3.1.5:
           The Public Sector Agency remains responsible for
           ensuring that the third party provider is meeting the
           requirements of the FMA, these Directions and any
           other relevant legislation.

This supplementary material provides guidance on outsourced services in
addition to the requirements outlined in Direction 3.1.5 and is relevant to
outsourced financial functions as well as other outsourced services.

Spectrum of Outsourcing
There is a broad spectrum of models to deliver services. The following
table provides an overview of the spectrum of service delivery models.

Internal Delivery        Delivery of the service is managed and resourced internally.
                         Third parties may provide discrete products or services.

Full Outsourcing         Where a single contract with a single supplier exists usually
                         covering a broad scope of services and needs. This
                         model is typically implemented as a strategic partnership
                         between management and the service provider and is
                         usually put in place for the long-term.

Co-sourcing              Responsibility for delivery of service is split between an
                         outsourcer and internal delivery. This model often involves
                         an internal delivery team working with the outsourcer as a
                         single group.

Insourcing/Shared        Insourcing or shared services disconnect a service from the
Services [38]            organisation via a separate business unit. The business unit is
                         usually set up with its own Profit/Loss Statement.
                         An agreement such as a Service Level Agreement (SLA) is
                         commonly in place to govern the provision of the service and
                         payment levels. The underlying concept is to run the separate
                         unit like a business and emulate outsourcing services and
                         pricing. The benefits of this type of arrangement are that
                         organisations can achieve consolidation, integration, and
                         standardisation while maintaining direct control of the service
                         provider and openness to changing market options.

Selective Sourcing       Where multiple contracts are set up with multiple suppliers.
                         This type of arrangement is common in the public sector.
                         This model is often implemented when the sourcing strategy is
                         undefined and there is a variety of service delivery options.
                         Benefits of this type of outsourcing model include the ability to
                         leverage the markets' best capabilities in a very competitive
                         environment. Innovation is available and "switching costs" are
                         typically minimal. When managed effectively, agility, flexibility,
                         and scalability are readily available.

[38] Whilst the supplementary material can be applied to a shared services function, it does not
address the additional organisational and other aspects that need to be considered when
establishing a shared service function.
Outsourcing lifecycle
An inherent risk of outsourcing is that the intended benefits are not
realised, be they cost, quality or other benefits.

The typical outsourcing lifecycle is outlined in the diagram (below) with
further detail for each step provided in the form of checklists.
The checklists provide information to assist with mitigating against the
risk of benefits not being realised. It includes guidance for the end-to-end
lifecycle of an outsourced function from strategy and approach through
to termination.

[Diagram: Steps within an outsourcing lifecycle]
    1. Strategy and approach
    2. Requirements & selection
    3. Negotiation & agreement
    4. Transition & implementation
    5. Maintenance & management
    6. Realisation of benefits
    7. Amendment or termination




Step 1. Strategy and approach
Prior to embarking on a decision to outsource a business process, it is
important to have a full understanding of the business drivers for
considering outsourcing, i.e. the business reasons for outsourcing the
function and how they align to the agency's strategy.

The following aspects should be considered:

 1.0 Strategy and approach                                                      Included

 1.1 Understand, define and document business drivers and intended benefits.       ☐
     Consider:
     •  improved service quality
     •  cost savings
     •  software fees and maintenance charges
     •  hardware capital costs, leases and maintenance charges
     •  fixed cost, flexibility (e.g. additional capacity available)
     •  clarity of accountability
     •  access to wider skill base
     •  staff costs
     •  freeing up existing staff
     •  enabler of change.

 1.2 Verify that the drivers align with the business strategy and
     overall objectives.

 1.0 Strategy and approach continued                                            Included

 1.3 Define outsource components. Consider:                                        ☐
     •  clearly defined scope of services to be outsourced
          -  clearly state the business functions and processes to be outsourced
          -  define parts to be retained in-house and ongoing
             in-house responsibilities
          -  specify exclusions to reduce risk of ambiguity
     •  classification of activities, for example:
          -  strategic and non-strategic/non-core and core competencies
     •  in-house control over strategic direction of outsourced service
     •  key service level requirements
     •  define Key Success Factors (KSF):
          -  aligning with identified business drivers defined in 1.1
          -  using essential criteria and desirable criteria
          -  categories for KSFs:
             a)   financial
             b)   technical/functional
             c)   market
             d)   approach
             e)   other e.g. post implementation, support, HR requirements,
                  time constraints.

 1.4 Consider current environment / market place capability including:             ☐
     •  assessment of what other Agencies have done, and whether there is
        opportunity to achieve synergies of scale
     •  areas for improvement in processes / functions / operations
     •  review of service delivery options other than outsourcing
     •  potential constraints
     •  sources of service and experience of others
          -  technological advances
          -  regulatory changes.





 1.0 Strategy and approach continued                                            Included

 1.5 Select sourcing options including:                                            ☐
     •  internal delivery
     •  full outsourcing
     •  co-sourcing
     •  insourcing/shared services
     •  selective sourcing.

 1.6 Understand and clarify risks considering for example:                         ☐
     •  financial risks – costs data used in the selection process is inaccurate
        and/or lack firm costs estimates
     •  regulatory / legal risk
     •  technical risk – the risks associated with continuing the project e.g.
        interfacing new systems with legacy systems
     •  capability risk – the capability and capacity of the organisation to
        execute the project and make the necessary changes required
     •  benefits risk – the risks affecting the potential achievement of the
        intended outsourcing benefits and meeting key objectives
     •  operational risk – the risk that operations of the agency
        may be impacted
     •  erosion of competitiveness (confidentiality, uniqueness,
        responsiveness, flexibility)
     •  loss of in-house skills and understanding
     •  level of difficulty and expense to bring back in-house
     •  technology stagnation
     •  cost of planning and transition.
     Mitigating these risks:
     •  undertake a thorough risk analysis as part of investment appraisal
     •  ensure risk management activities feature in the implementation plan
        and on-going management model.

 1.7 Conduct feasibility study / cost benefit analysis to:                         ☐
     •  define objectives and project scope
     •  identify the options
     •  identify costs and benefits
     •  complete sensitivity analysis
     •  identify and report on preferred option.
     See also detailed checklist in this material.

 1.8 Develop business case (using information from work conducted) to:             ☐
     •  define objectives and define scope
     •  analyse the current situation and the need for change
     •  outline end benefits that can be achieved (e.g. improved efficiency of
        the new system through reduced costs)
     •  define measures for the intended benefits
     •  describe options and consider:
          -  criteria for selecting preferred solution
          -  preferred option
     •  provide estimates of establishment and implementation costs
     •  estimate on-going costs and of the financial benefits
     •  consider qualitative and quantitative evaluation options
     •  explain and clarify risks and proposed mitigation strategies
     •  develop a proposed timeline and key milestone and decision dates
     •  summarise the cost versus benefit versus risk assessment
     •  summarise impacts on agency processes.




FMCF User Guide: Standing Direction 3.1.5 (Direction Requirements 14 and 15) – Financial Management Structure Managing Outsourced Financial Services:                             77
Outsourcing Governance and Audit Scrutiny
Version 1 (September 2009)
 1.0    Strategy and approach continued                                          Included

 1.9    Establish project – work to be completed includes:
         develop a project plan with key milestones, timeframes, resource requirements etc.
         establish project governance and procedures
             allocate sponsor responsible for the project plan and delegation to authorise project funding
             establish a steering group with responsibility for the project
             consider if project requires a project manager and project team
             establish a project tracking, reporting and monitoring process
             ensure strong business representation and buy-in
         consider whether to leverage a project methodology such as Prince II
         develop communications strategy
             define stakeholders
             identify key messages to be communicated
             consider nature, level and frequency of communication required e.g. email, newsletter
             integrate with the project plan.

 1.10   Assess the maturity of the function to be potentially outsourced. Consider the following:
         how efficient and effective the function is currently
         whether the above assessment has bearing on the contract price, intended costs/savings, other factors.

Step 2. Requirements and selection
Once a potential outsourcing solution has been identified, the functional and service delivery requirements need to be defined in sufficient detail to enable potential suppliers to submit proposals.
The processes involved in this step are outlined below. Agencies will note that internal procurement and purchasing policies form part of this step.

 2.0    Requirements and selection                                               Included

 2.1    Prepare statement of requirements. Consider and include:
         a comprehensive Request for Proposal (RFP) focused on business issues, business requirements and required benefits
         potential major contractual issues
         third-party consents
         personnel issues
         conditions for hiring third parties for new services if required
         appropriate approval.

 2.2    Map requirements to business case (drivers and risks). Ensure drivers and risks have been considered.

 2.3    Define selection criteria and weightings. Consider the following:
         skills
         financial impact
         service levels
         flexibility
         core expertise
         stability
         market share
         cultural compatibility
         quality service attitude
         vertical expertise.

 2.0    Requirements and selection continued                                     Included

 2.4    Issue request for services in accordance with agency's internal policy and procedures (and where appropriate, Victorian Government Purchasing Board Guidelines [39]).

 2.5    Evaluate responses ensuring:
         defined selection criteria and weightings are used
         vendor competition continues until decision is made
         due diligence, Best and Final Offer Invitation (BAFO), is completed
         references are checked.

 2.6    Select preferred supplier in accordance with agency's internal policy and procedures.

 2.7    Define basis for proceeding. Communicate to all parties involved the next steps in the processes.

 2.8    Update project plan and business case.

Step 3. Negotiation and agreement
When finalising the contractual terms for outsourcing, it is particularly important that the Agreement covers all the necessary legal aspects and that the Service Level Agreement contains sufficient detail to enable the agency to monitor the adequacy of the services provided.
There are also a number of mandatory areas, such as access for audit (internal and external) and business continuity arrangements that should be addressed. The agency may also consider staffing issues and transition or exit requirements in this step so that they can be included in the Agreement where necessary. The checklist identifies some issues to consider in the negotiation and agreement step.
These steps should be considered in conjunction with Victorian Government Purchasing Board Guidelines (VGPB) and other standard procedures relevant to the agency.

 3.0    Negotiation and agreement                                                Included

 3.1    Refine and confirm solution to ensure drivers and risks are addressed.

 3.2    Review terms of contractual agreement in accordance with agency's internal policy and procedures (and where appropriate, Victorian Government Purchasing Board Guidelines). Consider:
         pricing structure
         confidentiality
         exclusivity
         regulatory requirements e.g. audit access
         performance reporting
         management structure
         deadlock resolution
         penalty and reward clauses
         extension clauses.

[39] For more information on the Victorian Government Purchasing Board Guidelines, please refer to www.vgpb.vic.gov.au
 3.0   Negotiation and agreement continued                                       Included

 3.3   Define the Service Level Agreement:
        to include service delivery considerations and measures
        to include information and measures for the assessment of realisation of overall business drivers (benefits realisation)
        ensuring performance measures are SMART:
            Specific
            Measurable
            Action oriented
            Realistic
            Time-bound
          Refer to User Guide Standing Direction 4.4 Financial Performance Management and Evaluation for more detail
        detailing reporting requirements
            content (including regulatory requirements)
            stakeholders/audiences
            timeframes
            frequency.

 3.4   Establish agreements (contractual and SLA). Ensure:
        areas of uncertainty have been clarified and defined
        the best and final offer is included
        there is flexibility catering for potential changes in the business
        all parties understand and have accepted the agreement
        the business case is approved.

 3.5   Include transition and termination and amendment clauses in accordance with agency's internal policy and procedures (and where appropriate, Victorian Government Purchasing Board Guidelines).

 3.6   Assess legal sign-off requirements on the contracts and supporting materials.

Step 4. Transition and implementation
This step is focused on addressing the activities and processes in relation to the implementation and transition of the outsourced service. Most of the information required for this step should have been developed during agreement negotiations, although there will be some issues and circumstances that will not have been included or foreseen.
In order to manage transition and implementation effectively as well as safeguard the agency's relationship with the service provider, it is important to apply sound project management practices. Some considerations are outlined below.

 4.0   Transition and implementation                                             Included

 4.1   Establish process for managing relationships and staff. Consider:
        nominating a relationship manager
        agreement on contact point arrangements
        retaining sufficient in-house staff to manage the agreement
        clear and simple procedures.

 4.2   Develop implementation plan. Consider:
        human resources issues e.g. training, change management
        implementation activities e.g. data conversion and test environments, responsibilities identified
        transferring/assigning contracts and agreements
        plans for transition of physical, legal and taxation considerations e.g. buildings, equipment, other assets
        due diligence by supplier to allow detailed planning of the transition by accessing information e.g. monthly reports, asset register.

 4.3   Update business case. Ensure:
        business drivers are fulfilled and risks are mitigated
        agreement with supplier reflects all requirements including transition arrangements.




 4.0   Transition and implementation continued                                   Included

 4.4   Prepare handover and undertake transition. Ensure:
        documentation complete, authorised and signed by both parties
        work undertaken in accordance with implementation plan
        milestones are monitored.

 4.5   Manage business change arising from implementation. Consider:
        communicating changes throughout organisation
        keeping relevant stakeholders updated on progress (positive and negative)
        remaining in-house processes may need to be amended to optimize the change
        updating organisational risk profile
        other impacts such as:
            agency's employee satisfaction with the services being outsourced
            impact on staff structure
            privacy of information and legislative requirements (potential training requirements).

Step 5. Maintenance and management
It is important to have maintenance and management procedures in place for the outsourced service once it is implemented.
The relationship with the outsourced provider needs to be managed proactively to ensure the smooth operation of services. The business process needs to be adequately controlled, monitored and reported on. Any changes should be adequately controlled and implemented, and service should continue at the required quality and cost levels and within agreed timeframes. The checklist below provides an outline for potential management and maintenance processes.
Where the processes or activities outsourced have some impact on the financial management, financial processing or financial statements of an agency, there is a need to obtain specific assurance on the control procedures at the service entity. Even where there is no impact, there may still be a need to obtain assurance over control procedures to enable:
      the agency to ensure the requirements of the FMA, the Directions and any other relevant legislation are being met
      the Accountable Officer and CFAO to make the annual statement required under Direction 2.2 (d) for Public Sector Agencies, or (w) for Government Departments.
The primary reason for this is that outsourcing does not diminish the responsibilities and accountabilities of the agency for sound financial management.




 5.0   Maintenance and management                                                Included

 5.1   Manage ongoing service delivery. Consider:
        budget, costs, charges
        relationship management
        manage risks and plan for contingencies
        reporting on the SLA:
            service delivery
            key controls
            performance measures
            regulatory compliance
            annual review.

 5.2   Provide ongoing management and monitoring. Consider:
        implementing customer satisfaction surveys
        implementing a continuous improvement programme
        conducting audits at supplier's premises.

 5.3   Obtain appropriate levels of assurance – as per Direction 3.1.5 (d). Consider requirements for Direction 2.2(d) and (w) sign-off.
       Note: see audit scrutiny section in this material for further information.

 5.4   Review aspects of the functions retained internally. Consider remaining in-house processes as they may need to be amended to optimize the change.

 5.5   Review outsourcing strategy. Consider:
        periodically assess whether requirements are met and amended
        re-tendering regularly.

 5.6   Report to demonstrate drivers are met and risks managed.

Step 6. Realisation of benefits
After the outsourcing is operational and the management processes are in place, an assessment of the operational and financial benefits originally intended in the business case should be conducted.
The results of the assessment should be communicated and necessary improvements need to be managed and implemented. Outsourcing projects have the potential to fail to deliver the intended benefits because of the lack of focus on post implementation issues. The checklist outlines some ideas for benefits realisation processes.

 6.0   Realisation of benefits                                                   Included

 6.1   Implement a process to identify, monitor and report against the originally intended benefits as well as other intended benefits identified throughout the process. Consider:
        implementation of a strong reporting and governance framework to keep focus on delivery of benefits
        operational and financial benefits
        regular monitoring of benefits and business drivers e.g. 6 monthly.

 6.2   Review costs and benefits
       Conduct an assessment of costs and benefits against the business case to determine whether costs and benefits have been achieved.

 6.3   Independent review/assessment/audit. Consider:
        independent assessment to obtain an impartial review of the implementation
        benchmarking to confirm costs and benefits are in line with the market
        obtaining information on potential areas for improvement
        assessment frequency to be at least annual.




Step 7. Amendment or termination
Once the outsourced service is implemented and reviewed some changes may be required that affect the agreement. Alternatively, the agreement may need to be terminated. Potential reasons for termination include reaching the end of a defined agreement term or failure of one of the parties to comply with the terms of agreement.
The process for managing an agreement termination or amendment should be clear and well-organised. The checklist provides some suggestions for this.

 7.0    Amendment or termination                                                 Included

 7.1    Assess options and business case. Include:
         re-assessment of current service position
         review of contract termination provisions
         calculation of a financial model for termination options
         a strategy for managing supplier
         update/review business case.

 7.2    Negotiate term or amend agreement. Include:
         transition activities and associated costs
         severance costs
         agreement on contract and financial reconciliation issues
         resolution of “blame” if termination due to failure to provide service
         timeframes for activities, milestones, etc.
         resources from both parties.

 7.3    Terminate arrangements. Consider:
         planning and executing transition
         updating business case.

Cost Benefit Analysis
This section provides a Cost-Benefit Analysis (CBA) checklist to assist with the preparation and evaluation of the CBA.
The use of this checklist will also assist to define the scope and thoroughness required for the evaluation.

 Steps to consider when conducting a Cost Benefit Analysis                       Included

 Step 1: Define objectives and project scope
         Why is the proposal/project proposed?
         Are the objectives consistent with overall agency objectives and strategies?
         What type of proposal is it? Temporary or Permanent or New?
         What is the scope of the proposal?
         Has it been evaluated previously or been subject to other forms of analysis e.g. risk analysis or value management?
         Is it part of a larger program or strategy?
         What major stakeholders are likely to be impacted - internal and external, public, private, community sectors?
         What consultation was undertaken and how was it done?

 Step 2: Identify the Options
         What are the options to achieve the objectives?
         What is the base case? (What would happen without the project/proposal?)
         What other relevant information is available? Has this project been undertaken elsewhere? Where was the information sourced? How can it be used?

 Step 3: Identify Costs and Benefits
         What are the capital (equipment, facilities, structures, project management, construction, decommissioning etc.) costs? Over what timeframe?
         Are refurbishment or system upgrade costs needed?
         What are the recurrent costs – labour, training, maintenance, utilities etc.?
         What are the operating parameters e.g. levels of service, hours of operation/availability, expectations of growth in use/demand etc? What data may be required for monitoring/reporting?


FMCF User Guide: Standing Direction 3.1.5 (Direction Requirements 14 and 15) – Financial Management Structure Managing Outsourced Financial Services:                              83
Outsourcing Governance and Audit Scrutiny
Version 1 (September 2009)
Steps to consider when conducting a Cost Benefit Analysis (continued) | Included
• Do policies, procedures need to be amended or changed e.g. security, operations?
• What are the user benefits?
• What are the cost savings (avoidable capital and recurring costs, sale of assets, risk, efficiency, economies of scale, etc.)?
• What are the external costs and benefits?
• How will these costs and benefits be presented?
• Have you considered a discounted cash flow analysis to present financial cost and benefit information in current dollars?
• Are user comfort and convenience issues a factor?
• How will risk issues be managed?

Step 4: Sensitivity Analysis
• Is there a need for sensitivity analysis based on optimistic and pessimistic estimates of costs and benefits?
• Have the values of costs and benefits been adjusted for real price variations over time?
• What is the length of the evaluation period - over how many years was the discounted cash flow analysis undertaken and is the evaluation period based on the life of the expected outsourcing arrangement?
• What are the major areas of uncertainty and risk in the project?
• How have these been dealt with i.e. specific analyses?
• Which assumptions need to be tested?

Step 5: Identify and report on preferred option
• What is the preferred option when the initial evaluation of costs and benefits, sensitivity analysis and all qualitative factors are taken into account? Does the risk analysis impact on the outcomes significantly?
• Has a report been prepared that includes:
   - the objectives of the outsourcing strategy and alignment with agency objectives and strategies?
   - a description of the evaluation framework, assumptions and key input data?
   - a description of all the costs and benefits?
   - the assumptions underpinning the evaluation?
   - the evaluation results with cost, sensitivity and qualitative analysis?
   - comparison of preferred option with other options?
   - recommendations for the preferred option?

Audit scrutiny of outsourced activities
An agency must ensure effective management of outsourced activities to obtain the required levels of service and maintain compliance with regulatory requirements such as the Standing Directions of the Minister for Finance under the Financial Management Act (Direction 3.1.5).

The Direction requires outsourced financial services to be subject to internal and external audit scrutiny (Direction 3.1.5 (d)). An agency should take into account the risk profile of an outsourced activity to determine the nature and extent of information required to be subject to audit scrutiny.

The purpose of audit scrutiny is to enable the agency to obtain an appropriate level of assurance that the:
• provider is complying with the agreed terms and conditions (e.g. performance measures and relevant legislation as outlined in the contract or Service Level Agreement)
• controls for activities and processes impacting financial management are efficient and effective resulting in accurate financial and other relevant information being reported
• control environment surrounding the outsourced services provided is robust, efficient and effective to enable complete and accurate processing of underlying transactions and/or data
• agency’s responsibilities and accountabilities for good governance and sound financial management are not negatively impacted by the outsourced activities
• the Accountable Officer and CFAO can sign-off on the accuracy, effectiveness and efficiency of the financials, internal control and compliance systems and risk management within an agency on an annual basis (as per Direction 2.2 (d) and (w)).



How to obtain assurance using internal or external audit
It is strongly recommended that an agency liaise with its own internal and/or external auditors to discuss the best approach to obtaining assurance. However, the following options are provided for consideration:

Option 1: Outsourced service provider provides assurance through either:
• a publicly available opinion on internal control (usually this will be an opinion in accordance with Australian Auditing Standards that is made available to all customers of the outsourced service provider)
• an opinion or report specifically designed for the use of the agency (in these instances, a tailored scope of work will typically be requested by the agency, but the work is performed, and report provided, by the outsourced service provider’s internal or external auditors).

Option 2: Agency arranges for an independent party/auditor to visit the outsourced service provider to obtain assurance (in these instances, the scope of work will be determined by the agency and results will often be reported in a format that the agency is familiar with).

Interpreting the results from audit scrutiny to determine the level of assurance provided.
It is strongly recommended that the agency obtain assistance from its internal or external auditors to interpret the information received as a result of audit scrutiny.
Factors that need to be considered in interpreting results include, but are not necessarily limited to:
• What type of opinion or report has been issued? Is there reference to an auditing standard? If so, is there an expression of the level of assurance being provided and are there any limitations on scope referred to? What does the conclusion say?
• What period of time is covered by the opinion or report? Is this consistent with the period of interest to the agency?
• What locations, specific business processes and/or transactions have been reviewed and reported on? Do these cover the full scope of the agency’s activities or transactions provided by the outsourced service provider? If not, are the activities or transactions not covered material or significant to the agency?
• What issues or concerns have been identified?
• What resolution plans has the provider put in place?
• What is the impact of the identified issues and resolution plans on the agency?




User guide to Standing Direction 3.2

Information Technology Systems
Including:
3.2.1             Direction Requirement 16                              Information Technology Management

3.2.2             Direction Requirement 17                              Information Technology Operations

3.2.3             Direction Requirement 18                              Security

3.2.4             Direction Requirement 19                              Development

3.2.5             Direction Requirement 20                              Change Control




FMCF User Guide: Standing Direction 3.2 (Direction Requirements 16 to 20) – Information Technology Systems   86
Version 1 (September 2009)

User Guide to Standing Direction 3.2.1
Direction Requirement 16

Information Technology Systems - Information
Technology Management




FMCF User Guide: Standing Direction 3.2.1 (Direction Requirement 16) – Information Technology Systems: Information Technology Management   87
Version 1 (September 2009)
               Information Technology Systems - Information Technology Management
Introduction
The Standing Directions of the Minister for Finance have a number of requirements in relation to information technology (IT).
Direction 3.2.1 specifically requires an agency to ensure that the direction, strategy and use of information technology is consistent and appropriate for sound financial management.
In addition the Responsible Body must at least annually:
• review the use of information technology for financial management
• conduct or review an assessment of information technology risks and their impact on financial management.

This material outlines guidance to assist with compliance with these requirements and includes:
• management and integration of IT within an agency
• annual IT management reviews
   - use of IT for financial management
   - manual processes and spreadsheets
   - IT risk assessment for financial management
• outsourced IT for finance functions.

Management and integration of IT within an agency
The management of IT operations should be integrated into an agency’s day to day business practices and processes.
IT operations (and expenditure requirements) should be considered and linked, where relevant, to the agency’s strategic plan, goals and business plans to ensure IT needs are met and appropriately managed.
IT systems and operations with financial management functions should be identified to ensure governance and compliance requirements are monitored and fulfilled.
An agency may establish an IT steering committee to assist with the management of IT operations. An IT Steering Committee typically:
• comprises representatives from the executive team, IT division as well as various areas within the agency to ensure users are represented. Members are usually from the agency’s management team
• meets regularly to oversee all IT activities within an agency
• oversees the resourcing for IT operations across the agency as well as any outsourced IT activities
• reviews all proposals for IT projects, prior to sign-off and oversees the prioritisation of projects, expenditure, resourcing, contract and vendor management (e.g. rollout of Disaster Recovery Plan, new implementations)
• ensures the IT strategy is implemented and reviewed taking into account alignment with the business strategy
• reviews IT Policy and procedure documentation for currency and relevance
• reviews and resolves IT related risks and issues.




Annual IT management reviews
The purpose of annual IT management reviews is to:
• assess the effectiveness of current technology used for financial management and reporting
• identify any new or changed technology requirements in relation to financial management
• monitor the extent to which alternative (i.e. unapproved) technology solutions may be in use across the agency
• examine the risks in relation to IT systems supporting the agency’s financial management.

Annual review - use of IT for financial management
The annual review of IT for financial management may be undertaken in a number of forms.
Upon reflection an agency may find that there is a variety of work conducted during the normal course of business that would contribute to a review of IT for financial management. Examples of this may include:
• internal documentation e.g. memos, reports, emails, that discuss risks/issues associated with financial management and provide comment on how the risks would be managed including the technological implications i.e. are upgrades or software changes required
• information regarding alternative technologies, databases or spreadsheets being used across an agency to supplement the core finance system.
This information could be identified in reports by internal audit or external reviews e.g. a division of the agency keeps its own spreadsheet to record certain financial transactions and circumvents the main system.
Management response and subsequent actions to these findings form part of the annual review process.

The annual review of IT for Financial Management should also consider and include:
• any work conducted on business continuity and disaster recovery planning for financial management should also be included in the review
• annual budget and/or corporate planning information which may highlight decisions for new technologies around financial management
• the resources and skills available to support the IT environment within the agency and whether external support is required
• the appropriateness and current level of reliance on IT at the agency
• the control environment surrounding IT systems and operations
• the adequacy, impact, management and understanding of changes to financial applications and IT infrastructure (where relevant).
The outcomes of the review should be reported to the Responsible Body and outline:
• current technology for financial management
• risks and opportunities
• actions/changes planned and recommendations (where relevant).

Note: This information could be included in the CFAO’s report on the plan for preparation and finalisation of the financial statements.
Also an agency may wish to consider including the requirements to monitor the use of technology for financial management in the CFAO’s annual performance plan.




Manual processes and spreadsheets
Manual processes and spreadsheets are a common aspect of many financial management systems that have higher risks when used outside of the core financial system.
An agency should consider the use of manual processes in the annual review of IT for financial management. The checklist below provides some areas for consideration.

Step | Checklist for processes outside the financial management system | Considered?
1 | Identify all spreadsheets, manual processes etc. across the agency |
2 | Consider whether processes identified in Step 1 capture significant financial transactions, calculations or processes |
3 | Identify the risks e.g. the risk of error in the financial management information sourced from processes identified in Step 1 |
4 | Review mitigation and management strategies for the risks e.g. review of data input and output, use of formulae |
5 | Review need for processes identified in Step 1. Consider implementation of formal, automated or system based processes within existing financial management applications to replace manual processes. |
6 | Report findings, actions, recommendations and mitigation strategies to Responsible Body as part of the annual review process. |

Annual review - IT risk assessment
The agency’s annual assessment of IT risks and their impact on financial management should be reported to the Responsible Body. The risk assessment should seek to cover the following areas (where applicable):
• backup, recovery and contingency planning
• change management
• delivery, support, operations and procedures
• physical and logical security
• planning, organisation and resourcing
• project management and systems development
• strategic IT management.
For further information about IT risk management refer to:
• Standards Australia - Security Risk Management documentation
• Government Services Group on the Department of Treasury and Finance website (www.dtf.vic.gov.au).

Outsourced/shared IT services
Where IT services and/or operations are outsourced, co-sourced or shared, etc. the agency needs to seek an annual assessment of the services/operations from the provider to ensure this Direction and the specific requirements are met.
The assessment should be documented and provided to the Responsible Body.
The agency is responsible for the implementation of this Direction in relation to IT for financial management irrespective of the provider. That is, if the provider is another agency or department, the documented assessment is to be submitted to the Responsible Body.
For further information refer to the User Guide for Direction 3.1.5 – Outsourcing Governance.




User Guide to Standing Direction 3.2.2
Direction Requirement 17

Information Technology Systems – Information
Technology Operations




FMCF User Guide: Standing Direction 3.2.2 (Direction Requirement 17) – Information Technology Systems: Information Technology Operations   91
Version 1 (September 2009)
                 Information Technology Systems – Information Technology Operations
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies strongly support financial management systems with particular requirements for disaster recovery and business continuity management. These requirements are outlined under Direction 3.2.2 Procedure (a) and include:
• formal assessment, at least annually, of the impact of financial management systems not being available for an extended period
• review and testing of a formally documented disaster recovery plan and business continuity plan.

This supplementary material has been developed to assist Public Sector Agencies in developing and implementing their own business continuity and disaster recovery plans.

This supplementary material includes the following information:
• Understanding business continuity
• Understanding disaster recovery
• Developing business continuity and disaster recovery plans
• Business continuity and disaster recovery plan methodology:
   - Scoping - definition and awareness
   - Business impact analysis
   - Strategy selection and evaluation
   - Plan development and documentation
   - Implementation and testing
   - Maintenance and update
• Attachment 1 – Template for a Business Continuity and Disaster Recovery Plan.




Understanding business continuity
Business continuity is a state where the Agency’s critical functions and operations continue with minimal interruption in the event of a disruption. Examples of disruptions can include natural disasters, human error, loss of resources and/or suppliers.

Business continuity management (BCM) is an integrated approach that includes policies, standards, and procedures for ensuring operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption.

Business continuity plans (BCP) are a component of BCM. Business continuity plans are documented contingency plans that outline actions and methods required to recover Agency operations from particular disruptions.

The development of the business continuity plan follows a methodology that identifies critical business processes, activities and related risks to ensure the continuity of business operations in the event of a disruption. The methodology also proactively aims to minimise risks and potential losses.

The implementation of a developed plan should reduce the time spent in the contingency or recovery phase in the case of a disruptive event.

Understanding disaster recovery
Disaster recovery focuses on the recovery of information technology (IT) systems infrastructure used to support an Agency’s operations in the event of disruption (to one or more systems for a period of time).

A disaster recovery plan (DRP) specifically documents the technical recovery procedures to be implemented to regain critical IT systems and/or components for an Agency’s operations to continue.

Disaster recovery plans are referred to in business continuity plans as a part of the complete recovery of an Agency’s operations.

Developing business continuity and disaster recovery plans
This material provides an outline of methodology used to develop business continuity and disaster plans as well as an example template to document the plans (see Attachment 1).

As business continuity and disaster recovery requirements differ between agencies this material should only be used as a guide for Agencies. The information can be tailored to suit an Agency’s needs, size and operational type.

For further information about Disaster Recovery and Business Continuity Capability refer to Government Services Group on the Department of Treasury and Finance website (www.dtf.vic.gov.au).




Business continuity and disaster recovery planning methodology
The typical methodology for developing business continuity and disaster
recovery plans is outlined in the diagram (Figure 1) with further detail for each
step provided in the form of checklists.
This methodology can be used for business continuity and disaster
recovery planning across all functions within an Agency. The requirements
of the Financial Management Compliance Framework (FMCF), however,
solely focus on information technology operations that support
financial management.

Figure 1 - Steps within a business continuity and disaster recovery
planning methodology
   1. Scoping
   2. Business impact analysis
   3. Strategy selection and evaluation
   4. Plan development and documentation
   5. Implementation and testing
   6. Maintenance and update

This methodology aims to assist Public Sector Agencies in implementing
an effective business continuity and disaster recovery capability with
focus on:
   • engaging the appropriate stakeholders
   • documenting a Business Impact Analysis (BIA) with a focus on critical
     business activities. Under the FMCF, focus will be on those that have
     an impact on financial management
   • identifying risk reduction measures and selecting recovery strategies
   • documenting continuity and recovery plans as appropriate to the
     Agency's requirements
   • testing continuity and recovery solutions and plans and training
     relevant staff in recovery processes.
The methodology used to develop a BCP is similar to that required for a
DRP as the checklists outlined in this material indicate. When preparing
the plans it is advisable to develop them separately to ensure all steps are
implemented.




Step 1. Scoping – definition and awareness
The first step in the development of a BCP and/or DRP is to define the
objectives and scope and understand the timelines, assumptions, resource
allocation and milestones for the project. The following outlines the details
to be considered in this step.

BCP  DRP  Example tasks
 ✓    ✓   Identify key stakeholders
 ✓    ✓   Organise a briefing session
 ✓    ✓   Ensure the staff involved in documenting the BCP and DRP
          have the appropriate:
            • skills
            • knowledge of the organisation and functional areas.
 ✓    ✓   Assign responsibilities for plan ownership and
          administration, including plan testing and maintenance
          activities
 ✓        Assign responsibilities for collaborative plan development
          with process/activity owners
      ✓   Assign responsibilities for collaborative plan development
          with IT personnel and where possible functional area
          representatives
 ✓    ✓   Develop and document project objectives
 ✓    ✓   Develop draft BCP and DRP assumptions (may need to
          revisit as plan develops)
 ✓    ✓   Define in-scope and out-of-scope activities
 ✓        Obtain current copy of the organisation chart
      ✓   Obtain current copy of the organisational structure for the IT
          department/division
 ✓    ✓   Review existing BCP and DRP documentation (where
          available) and assess the relevance/opportunity for
          integration with existing arrangements, responsibilities and
          recovery strategies
 ✓    ✓   Define timelines and milestones and assign adequate
          resources for the BCP and DRP activities

Step 2. Business impact analysis (BIA)
A Business Impact Analysis identifies and measures (quantitatively and
qualitatively) the business impact or loss of business processes in the
event of a disruption. It also defines recovery priorities as the critical
business processes and activities are identified. BIAs analyse and
evaluate the impact and probabilities of failures and critical
business processes.

The results of a BIA are crucial to the development of a BCP and DRP.
The processes outlined below provide high level detail of what is required
to complete a BIA.

BIA  Example tasks
 ✓   Identify key business processes and activities
 ✓   For each business process and activity, identify dependencies,
     such as Information Technology (IT), resources, other activities,
     locations, other
 ✓   For each business process and activity, identify critical time
     periods, i.e. daily, end of week, month-end, quarter-end, year-end,
     other
 ✓   For each business process and activity, identify potential failure
     events or disaster scenarios, i.e. describe how the activity is able
     to fail
 ✓   For each business process and activity, rate the impact of not
     having the business process and activity available
 ✓   For each business process and activity, identify the remaining
     impact and maximum tolerable outage[40] to be addressed
 ✓   For each business process and activity, identify controls to
     prevent an event from occurring

[40] Maximum Tolerable Outage (MTO) - the maximum period of time that critical business
     processes can operate before the loss of critical resources affects their operations
Step 3. Strategy selection and evaluation
This step defines the recovery strategies for critical processes and
systems identified in the BIA that require continuity planning. The
strategies provide actions to deal with impacts of business interruption
efficiently.

Recovery strategies are pre-defined, pre-tested, management approved
actions that are employed in response to a business disruption,
interruption or disaster.

The tasks below should be considered when developing recovery
strategies for BCPs and DRPs.

BCP  DRP  Example tasks
 ✓    ✓   Identify recovery strategies, including approach, escalation
          plan process and decision points
      ✓   Identify recovery strategies specifically related to IT systems,
          including approach, escalation plan process and decision
          points
 ✓    ✓   Ensure the recovery strategies are cost effective and meet
          agreed maximum acceptable outage requirements
 ✓    ✓   Implement proposed response strategies and solutions

Step 4. Plan Documentation
This step results in the documentation of plans.

BCP  DRP  Example tasks
 ✓        Document the BCP[41].
      ✓   Document the DRP[2].
      ✓   Identify systems/applications/infrastructure which may require
          more detailed policies and procedures. Document as
          necessary
 ✓    ✓   Approval and endorsement of BCP and DRP

[41] Attachment 1 provides an example template for the documentation of a BCP and DRP
Step 5. Implementation and Testing
Regular testing of continuity and disaster recovery plans is one of the most
important aspects of successful business continuity.

Plans should be tested at least once a year to ensure they are kept up to
date, new systems and processes are included and staff are familiar with
their individual roles and responsibilities. Consideration could be given to
testing the BCP and the DRP at the same time.
Testing validates the usability of contingency and recovery plans and
identifies changes.

BCP  DRP  Example tasks
 ✓    ✓   Determine testing approach to be followed (approaches
          documented within BCP and DRP)
 ✓    ✓   Hold testing briefing with all participants
      ✓   Test developed plans following the adopted approach
 ✓    ✓   Undertake a testing debrief. This process will identify
          gaps/additional needs in the current plans
 ✓    ✓   Incorporate necessary changes into BCP and DRP
 ✓    ✓   Publish and distribute final copies of BCP and DRP to
          Responsible Parties

Step 6. Maintenance and update
To ensure plans are current and up to date with an Agency's systems and
processes they should be reviewed and updated on a regular basis. This
will help to ensure that the contingency and recovery measures remain
current and accurate.

Annual testing programs will assist in identifying areas within the plan that
require maintenance and update.
Some considerations for this step are outlined below.

BCP  DRP  Example tasks
 ✓        During the updates, at a minimum, the following details must
          be checked:
            • business processes
            • criticality of assessed processes and elements
            • third-party interfaces
            • organisation structure
            • responsible persons assigned to carry out tasks
            • deadlines
            • appendices, including contact lists.
      ✓   Ensure IT change management procedures include the
          requirement to consider IT DRP arrangements and backup
          strategies
      ✓   During the updates, at a minimum, the following details must
          be checked:
            • criticality of assessed IT systems/applications/infrastructure
            • changes in IT systems/applications/infrastructure
            • IT Organisation structure
            • responsible persons assigned to carry out tasks
            • deadlines
            • appendices, including contact lists.




      Template for a Business Continuity and Disaster Recovery Plan
                       to be used as guidance only



Attachment 1
Template for a Business Continuity and
Disaster Recovery Plan




                                          <Insert Organisation Name>

                                <Insert Site Name> Business Continuity and
                                           Disaster Recovery Plan




Organisation Address:                          <Insert Address>




User Note:
This template is generic and does not therefore use
terminology that is restricted to business continuity planning for
financial management purposes.


<Insert Organisation Name> <Insert Site> Business Continuity Plan            98


Table of contents
1. Purpose and objectives
   1.1. Objective
   1.2. Scope
   1.3. Out of Scope
2. Contingency Strategy
   2.1. Overview of Contingency Strategy
   2.2. Recovery Team Structure
3. Fast Action Summary Checklist
4. Business Continuity Recovery Procedures
   4.1. <Insert System/Application/Infrastructure Name>
   4.2. <Insert System/Application/Infrastructure Name>
5. Disaster Recovery Tasks
   5.1. <Insert System/Application/Infrastructure Name>
   5.2. <Insert System/Application/Infrastructure Name>
6. Testing & Maintenance Procedures
Appendix 1. BIA Findings and Conclusions




Version Control

Version #          Updated                  Author                   Changes
1.0                <insert date>            <Insert Author>          <Insert changes made>



1. Purpose and objectives
1.1. Objective
The objective of this Business Continuity Plan (BCP)[1] and Disaster Recovery Plan (DRP)[2] is to
provide guidance to <Insert Organisation Name> management for the restoration of facilities, critical
business processes and Information Technology (IT) facilities by defining, at a high level, the recovery
procedures required to continue/restore core services in the event of a disaster.
This plan describes the organisational framework and procedures to be activated in the event of a
disaster occurring to enable recovery of services provided to <Insert Organisation Name>'s
customers, including the public, and the relevant business units supporting these services.

1.2. Scope
This plan is confined to the main business processes of the following business units:
   • <Insert Applicable Business Units>

1.3. Out of Scope
The following are not considered by this plan:
   • <Insert any relevant exclusions, such as non-critical business functions, separate incident plans,
     non-financial business processes and activities>

2. Contingency Strategy
2.1. Overview of Contingency Strategy
The contingency strategy aims to recover operations with minimal, if any, impact on the services
supplied to our customers. The contingency strategy focuses on resolving issues relating to
information technology, suppliers and service factors for services offered to <Insert Organisation
Name> customers and, where appropriate the public.
Specifically the contingency strategy focuses on:
   • Immediate welfare of staff employed at the service site
   • Assessing the workload requirements for Business Unit(s)
   • Establishing priorities for, and allocating the use of, technological and human resources
   • Delegating responsibilities for critical recovery procedures of each functional service area
   • Overall control of recovering operations
   • Communicating the status of the event to customer representatives, management and alternate
     sites.




[1] A BCP describes the methods and procedures required to recover business operations from particular
    disaster scenarios or events.
[2] The DRP focuses on recovery of IT systems infrastructure to support the recovery of the business. The DRP
    is a subset of the BCP and outlines separate recovery procedures defined by the IT team for the technical
    recovery of IT systems or components to support the business operations.



2.2. Recovery Team Structure
The recovery team structure is critical to the success of the recovery process. The recovery team
structure consists of a combination of representatives for recovery of service and Business Units at
<Insert Organisation Name>.
Key roles and responsibilities are as follows:
Role             Name             Contact details     Alternate contact    Alternate contact details
<Insert Role>    <Insert Name>    <Insert Details>    <Insert Name>        <Insert Details>




3. Fast Action Summary Checklist
The initial response procedures are critical to efficiently manage a disaster scenario and reduce the
impact on business operations at <Insert Site(s)>. The following key tasks are required to be
completed and are used as the trigger for the initial response to the relevant disaster scenario. The
following table acts as a checklist to ensure all relevant activities have been performed within the
required time frames.

Ref  Example activities                                          Responsibility  Required time frame                        Sign off
1    Notify recovery team leader of the incident including:                      Immediate upon identification of incident
       Time of incident
       Manner in which incident was identified
2    Liaise with Police, Fire Brigade or Ambulance services                      Every 5 - 15 minutes
     (where appropriate)
3    Conduct initial assessment of incident and determine                        1 – 5 minutes of incident
     severity
4    Notify First Aid/Occupational Health and Safety or Human                    2 – 5 minutes of incident
     resource Officers of incident to ensure adequate attention
     is provided to employees impacted by event
5    Notify security (if loss of facilities is the incident) to                  2 - 5 minutes of incident
     distribute additional security to affected <Insert
     Organisation Name> area
6    Notify recovery team members of severity                                    15 minutes of incident
7    Determine availability of:                                                  15 – 20 minutes of incident
       • backup data for recovery of IT systems
       • access to customer data delivered prior to the incident
       • receiving and processing data by alternate means
       • redirecting service to alternate site
8    Contact back up facilities as necessary                                     15 – 20 minutes of incident
9    Determine if incident is likely to publicly impact                          45 minutes of incident
     <Insert Organisation Name>
10   Assess the need to release a communications briefing and                    60 minutes of Incident
     release as determined appropriate
11   Monitor and review the detailed recovery procedures                         Continuously
     relevant to the service and scenario


4. Business Continuity Recovery Procedures
The following high level recovery procedures are required to be completed for each critical business
process (as identified during the Business Impact Assessment as per Appendix 1) if <Insert
Organisation Name> cannot operate under normal capacity; this may be due to loss of site, loss of
key personnel, loss of IT systems, loss of suppliers, etc.


4.1. <Insert System/Application/Infrastructure Name>
The <Insert System/Application/Infrastructure Name> recovery tasks are outlined below.

Period[3]            Task Requirement                                                Responsibility          Sign-off
0 – 2 hours          <Insert>                                                        <Insert>
2 – 4 hours          <Insert>                                                        <Insert>
etc

4.2. <Insert System/Application/Infrastructure Name>
[Repeat as per 4.1 for each critical system/application/infrastructure to be covered]
The <Insert System/Application/Infrastructure Name> recovery tasks are outlined below.

5. Disaster Recovery Tasks
5.1. <Insert System/Application/Infrastructure Name>
[Repeat for each critical system/application/infrastructure to be covered]
The <Insert System/Application/Infrastructure Name> recovery tasks are outlined below.

Objectives

[Insert Objectives for the recovery of the system/application/infrastructure, including the required recovery
timeframe (i.e. maximum tolerable outage)]


Pre-Conditions

[Insert any pre-conditions here. For example, where a system's or application's recovery depends on the recovery
of infrastructure, make reference here]


Supporting Documentation

[Insert any supporting documentation here. For example, if detailed policies and procedures have already been
documented elsewhere, do not repeat this information, rather refer to the documentation and ensure it is
appropriately accessible]




[3] These represent the time frames after the initial incident was identified. The period indicates that the Task
    Requirements are required to be completed during the time frame indicated for the period.




Task     Task Requirement                                                           Responsibility   Sign-off

1        [Document the tasks required to enable the IT department (or other
         party as required) to recover the critical
         system/application/infrastructure in the required timeframe. The tasks
         should include the acquisition of computer hardware and
         communications equipment, installation of system software and/or
         application from original CD, retrieval and loading of backup tapes,
         reference to security standards to be implemented, etc.]
2




5.2. <Insert System/Application/Infrastructure Name>
[Repeat as per 5.1 for each critical system/application/infrastructure to be covered]

6. Testing & Maintenance Procedures
Testing and maintenance of the BCP and DRP is critical to ensuring that the planned procedures
remain both relevant and reliable for use in the event of a disaster. The document owner is
responsible for updating the document to ensure that it accurately reflects the customer services
provided, contact listing details and additional references that may change from time to time.
The schedule below depicts the anticipated time frames in which testing, and subsequently
maintenance, will be performed.


Section within the BCP/DRP                                                      Testing Conducted

Recovery Procedures
Business Continuity Recovery Procedures                                         Annually
Disaster Recovery Tasks                                                         Annually
Example appendices
Appendix 1 – Business Impact Analysis                                           Annually
Appendix 2 – Software & Application Contacts                                    Annually
Appendix 3 – Required Information/ Data Locations                               Annually
Appendix 4 – Internal Telephone Directory                                       Semi Annually
Appendix 5 – External Suppliers Contact List                                    Semi Annually





Appendix 1.        BIA Findings and Conclusions
Based on the workshops held as part of this BIA and the questionnaires completed, <insert number>
business activities and <insert number> instances where a failure event would have an impact on
<Insert Organisation Name> operations were identified. A breakdown by functional area is outlined
below.



Business Process    Business Activity    Event Failure    Dependencies - IT System/Software/Supplier/3rd Party/PPE    MTO (hrs)

<Functional Area Name>




<Functional Area Name>




<Functional Area Name>




User Guide to Standing Direction 3.2.3
Direction requirement 18

Information Technology Systems – Security




FMCF User Guide: Standing Direction 3.2.3 (Direction Requirement 18) – Information Technology Systems: Security   105
Version 1 (September 2009)
Information Technology Systems - Security

Introduction
The Standing Directions of the Minister for Finance require an agency's
financial management system to have an appropriate security level in place that
only allows authorised access to transactions (Direction 3.2.2, Direction
Requirement 18).

The Direction requires an annual formal assessment of the security and
controls surrounding financial management information that is sensitive to
the agency and stakeholders. The assessment must consider the
adequacy of the following controls:
• security policies
• password controls, for both applications and operating platforms
• segregation of duties
• user access levels in line with roles and responsibilities
• restricted physical access to the computer room and other sensitive
  financial management technology assets.

This material provides guidance in relation to different aspects of
information technology (IT) security.

Basic IT security governance and controls
The governance structure for IT security should be outlined in a detailed
policy that:
• is approved by management and annually reviewed for currency and
  validity
• is based on clearly defined business and regulatory requirements and
  supports relevant standards and procedures
• ensures establishment of acceptable information risks including the
  agency's risk appetite
• ensures impact reduction is implemented through use of control
  measures i.e. the agency's ability to prevent, detect and recover from
  an incident
• requires regular monitoring and reporting of information security
  issues/events
• is regularly communicated across the agency.

The IT security controls to be implemented as a minimum across all
agencies are listed below.
• Implement mandatory passwords for individuals and passwords that
  have composition to prevent guessing e.g. contains numbers and
  letters.
• Maintain a user listing to monitor all login IDs (active and inactive).
• Implement procedures to revoke access to IT network and deactivate
  login IDs for terminations.
• Ensure user access rights are restricted to those processing functions
  and data files required for the users' normal duties and to enforce an
  appropriate level of segregation of duties.
• Ensure network servers are protected from hazardous operations, and
  fire detection and extinguishing equipment are nearby.
• Ensure operations personnel restrict and monitor visitor access
  to terminals.
• Ensure IT equipment is physically tagged, inventoried periodically,
  and reconciled to the general ledger.
• Software licenses are current, compliant and updated with relevant
  security patches.
Good practice IT security
There are a number of elements to an IT security framework that take into
account physical, logical, environmental and technological issues. The
following checklist outlines the elements within an IT security framework
that should be considered for good practice.

Examples of potential IT security elements                                   Considered

Logical security                                                             [ ]
• automatic disabling of access and logon after:
    - a prescribed number of logon failures (usually 3)
    - a set period of inactivity (usually 2 months)
• revoke logon access upon employee termination or relocation
• user access rights are restricted to processing functions and data files
  required for the users' normal duties
• approval required for changes to user access rights, proof of approval
  is retained for audit trail requirements
• regular review of user access rights for propriety to ensure in line with
  position requirements etc. (e.g. biannual review)
• individual password controls requiring:
    - minimum length (generally between 6-8 characters)
    - password composition to be designed to prevent guessing (for
      example alpha and numeric characters)
    - maximum three attempts before lockout
    - minimum 12 previous passwords stored
    - intruder lockout set at 120 minutes

Physical security                                                            [ ]
• physical security perimeters are clearly defined
• regular review of access to sensitive areas and ensure access is
  revoked when no longer required
• physical security controls are typically:
    - operations personnel restrict and monitor visitor access to areas
      containing sensitive information or assets
    - computer equipment is physically tagged, inventoried periodically,
      and reconciled to the general ledger
    - commercial software on computers and PCs is licensed
    - servers are stored in secure cabinets
    - access to the computer room is restricted at all times (e.g. lock
      and key)
• regular testing of physical security controls (alarms, locks etc.)

Environmental Security                                                       [ ]
Typical environmental controls for IT server rooms include:
• uninterruptible power supply
• raised floors
• air-conditioning that is separate to the building and ensures constancy
• fire suppression system

Cryptographic Controls                                                       [ ]
• encryption of sensitive information while it is stored/at rest or being
  transmitted over open or public networks

Vulnerability Management                                                     [ ]
• installation of anti-virus programs to protect sensitive information and
  programs and prevent, detect and remove malicious programs
• sensitive information systems are regularly checked for compliance
  with security implementation standards e.g. through penetration
  testing
• regular review to ensure security patches are installed and up to date
• logging and active monitoring of security events

For further guidance on information security refer to:
• Information systems audit and controls association
  (www.isaca.com.au)
• Standards Australia - Security Risk Management documentation
• Government Services Group on the Department of Treasury and
  Finance website (www.dtf.vic.gov.au)
• Best management practices (www.best-management-practice.com).
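
The logical security items in the checklist above (disabling inactive and terminated login IDs, a three-attempt lockout lasting 120 minutes, and password length, composition and 12-password history) can be checked mechanically against a user listing. The following Python is an added example, not part of the FMCF guide; the record fields, the sample accounts, the choice of 8 characters and 60 days within the guide's stated ranges, and the use of PBKDF2 for the history hashes are assumptions.

```python
import hashlib
import hmac
from datetime import date, datetime, timedelta

# Thresholds taken from the checklist. Where the guide gives a range or a
# loose period, the value picked here is an assumption (8 characters from
# "6-8", 60 days for "2 months").
MIN_LENGTH = 8
MAX_FAILED_LOGONS = 3
LOCKOUT = timedelta(minutes=120)
HISTORY_DEPTH = 12
INACTIVITY_LIMIT = timedelta(days=60)


def hash_password(password, salt):
    """Salted, slow hash so the stored history does not expose old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(candidate, history):
    """Return the checklist rules a candidate password breaks (empty if none).

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("needs letters and numbers")
    # Only the most recent 12 entries count towards the reuse rule.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reuses one of the last 12 passwords")
            break
    return problems


def lockout_expiry(failed_logons):
    """Given timestamps of consecutive failed logons since the last success,
    return when the lockout ends, or None if the limit was not reached."""
    if len(failed_logons) < MAX_FAILED_LOGONS:
        return None
    third_failure = sorted(failed_logons)[MAX_FAILED_LOGONS - 1]
    return third_failure + LOCKOUT


def review_user_listing(users, today):
    """Flag enabled login IDs that the checklist says should be disabled."""
    findings = []
    for user in users:
        if not user["enabled"]:
            continue
        if user["terminated"]:
            findings.append((user["login"], "terminated, access not revoked"))
        elif today - user["last_logon"] > INACTIVITY_LIMIT:
            findings.append((user["login"], "inactive for more than 2 months"))
    return findings


# Constructed sample user listing (active and inactive login IDs).
SAMPLE_USERS = [
    {"login": "akhan", "enabled": True, "terminated": False,
     "last_logon": date(2009, 9, 20)},
    {"login": "jsmith", "enabled": True, "terminated": True,
     "last_logon": date(2009, 9, 1)},
    {"login": "mlee", "enabled": True, "terminated": False,
     "last_logon": date(2009, 6, 15)},
    {"login": "tnguyen", "enabled": False, "terminated": True,
     "last_logon": date(2009, 3, 2)},
]

if __name__ == "__main__":
    for login, reason in review_user_listing(SAMPLE_USERS, date(2009, 9, 30)):
        print(f"{login}: {reason}")
    first_failure = datetime(2009, 9, 1, 9, 0)
    failures = [first_failure + timedelta(minutes=m) for m in range(3)]
    print("locked until", lockout_expiry(failures))
    print(check_new_password("abc12", []))
```

Retaining each finding together with the approval for the resulting access change gives the audit trail the checklist asks for.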
User Guide to Standing Direction 3.2.4
Direction requirement 19

Information Technology Systems - Development




FMCF User Guide: Standing Direction 3.2.4 (Direction Requirement 19) – Information Technology Systems: Development   108
Version 1 (September 2009)
Information Technology Systems - Development

Introduction
The Standing Directions of the Minister for Finance (the Directions) require
the CFAO of an agency to regularly review developments in financial
management systems to ensure appropriate technological support for
financial management practices.

The specific requirements include:
• implementation of a formal methodology for information technology
  (IT) development in relation to financial management systems and
  technology
• developments to IT systems impacting financial management:
    - must have a business case approved by the IT Steering
      Committee (or Responsible Body or Executive Team) and end
      user representatives prior to project commencement
      Note: see User Guide for Direction 3.2.1 – IT management for
      further information about IT steering committees
    - must follow project management practices
    - annual review of manual financial processes including the use of
      spreadsheets to assess whether automated systems are
      available
      Note: see User Guide Direction 3.2.1 – IT management for further
      information about manual processes and spreadsheets

This supplementary material outlines guidance in relation to:
• IT Development methodology
• Key steps within an IT development methodology
• Project management
    - project scope
    - project governance
    - project steering committee
    - project stages

IT development methodology
Potential steps for an IT development methodology are outlined in the
diagram below with further detail for each step provided in the form
of checklists.

This methodology can be used for IT development projects across all
functions within an Agency. The requirements of the Financial
Management Compliance Framework (FMCF), however, solely focus on
information technology operations that support financial management.

1. Design
   a. initiate & plan
   b. specify & design
2. Develop
   a. build
   b. integration testing
3. Deliver
   a. implement
   b. operate

Packaged / off the shelf products
Where an off the shelf product is being implemented agencies should
follow the three phases of the IT development methodology to ensure the
chosen product:
• fits requirements as defined in the design phase
• is modified and integrated as defined in the develop phase
  e.g. developing reports and customising terminology structure etc.
• is implemented and operational as per the delivery phase.

It is recommended that customisations for off the shelf products are kept to
a minimum to ensure the integrity of the product is maintained.


Key steps within an IT development methodology
The following table outlines the key steps in an IT development which
should be considered.

1.    Design
1.a   Initiate and plan
• Identify business requirement
• Define project requirements / scope
• Develop business case* for IT Steering Committee (or Responsible Body)
  approval, as per Direction requirements, outlining:
    - cost benefit analysis
      (see User Guide for Direction 3.1.5 – Outsourcing for a detailed
      checklist)
    - approach for the development
    - defined measures for the development
    - proposed budget
    - key risks and migration strategies
      (for more detail see User Guide for Direction 3.1.5 – Outsourcing, Step
      1.8)
• Establish the project
  (for more detail see User Guide for Direction 3.1.5 – Outsourcing, Step 1.9):
    - implement project management practices as per Direction requirement
    - establish project steering committee
      (see “Steering Committee” below for further detail)
• Secure and plan resources for the project
• Define security requirements i.e. the impact of the development on the existing
  security environment
1.b   Specify and design
• Analyse requirements and develop Detailed Functional Specifications that
  include user needs analysis
• Develop Detailed Systems Design document outlining how functionality is to be
  delivered
• Design testing requirements / cases / procedures based on specifications
• Finalise and formalise approvals (with IT Steering Committee, Project
  Committee, etc.) for all relevant project documentation including specifications
  and contracts

2.    Develop
2.a   Build
• Produce hardware and executable software based on specifications e.g.
  databases, coding, programs compiled and refined, systems acquired &
  installed
• Develop environment for testing
• Conduct initial testing of software and hardware as it is assembled
  and integrated
2.b   Integration testing
• Complete testing of requirements using test data in the test environment to
  ensure conformance with Detailed Functional Specifications
• Complete User Acceptance Testing (UAT) to ensure the specification, privacy,
  security and other mandated requirements are met.

3.    Deliver
3.a   Implement
• Resolve test issues
• Sign-off of test results and issue resolutions prior to “go-live”
• Install the system for operation in the production environment
    - sign-off data migration / conversion
    - user groups are installed with segregated duties
3.b   Operate
• System is operational
• Finalise system documentation:
    - procedures to operate and maintain system
    - user guides/manuals
• Conduct post-implementation review after the production environment has
  stabilised using key metrics to measure impact and success
• Monitor system continued performance in accordance with user requirements
• Incorporate system modifications as/when required.




Project management processes
Project management is the combination of resources, tools and processes
used to manage a project successfully.

Project scope
Projects vary in size and complexity and involve change that affects a
combination of areas within an organisation e.g. people, policies,
technology, structure and work practices.
Projects have:
• a finite and defined life span
• defined and measurable deliverables
• a corresponding set of activities to achieve the required outcome
• a defined amount of resources
• a governance structure to manage the project e.g. project manager,
  working group, project board / steering committee.

Project governance
Well defined and implemented project governance assists a successful
outcome for a project.
Project governance structures are used to:
• resolve issues that arise
• consider recommendations on project deliverables
• agree/approve changes to a project's scope, timelines or budget
• ensure the documentation trail for the project is maintained e.g.
  approvals, changes, etc.
Without a rigorous approach to governance, projects can potentially
experience scope creep, poorly-defined requirements, and overruns with
timelines and budget.

Project steering committee
If defining the governance structure for a project an agency may decide to
establish a project steering committee for projects of a particular size
and/or complexity.
The project steering committee would work with the IT steering committee
and other parts of the governance structure such as the executive team
and Responsible Body.
Substantial consultation with all parts of the governance structure usually
occurs at the beginning of a project and then declines once the project is
underway; even so, the governance structures remain active throughout
the project's life.
The project steering committee should:
• have a clear and well defined role that is formalised/documented in
  the form of a charter or terms of reference
• meet at least every 2 months
• approve the Business Case and Project Initiation and Project Close
  phases
  Note: The business case should also be approved by the IT Steering
  Committee for IT development projects.
• approve the Request for Tender and Tender Decision
  Note: The tender decision should also be approved by the
  Responsible Body and/or relevant delegate.
• monitor the project's progression as well as any changes (within
  approved delegations)
• provide direction and resolution of issues and risks
• provide advice, updates and referrals (as required) to the Responsible
  Body or relevant delegate
• communicate project outcomes, benefits, changes, etc.
• facilitate change management programs required as a result of the
  project.




Project stages
Agencies should have project management methodologies that are
specific to their organisation as required by Direction 3.2.4 (d). The
checklist below can be used as a high level guide to project management
across the four phases of a project.

Potential project management steps to consider during a project             Considered?

Phase A: Initiation
Is the project scoped and defined?  [ ]
Has the business case been developed?  [ ]
Note: Consider financial implications in relation to the objective and
need for the project.
Is the project in line with the strategic plan?  [ ]
Has the project received sign off by sponsor, IT Steering Committee,
Responsible Body or Delegate, etc.?  [ ]

Phase B: Planning
Are governance structures / levels of authority for the project clear?  [ ]
Are roles/resources appropriate, explicit and documented?  [ ]
Has the project steering committee been appointed?  [ ]
Have risks been assessed with an action to mitigate/monitor them?  [ ]
Has an implementation plan with schedules and phases been
developed?  [ ]
Have the project Quality/Cost/Time drivers been identified?  [ ]
Have clear project control/reporting procedures been established?  [ ]
Are tools to manage the project being used e.g. monitor milestones
using Gantt charts?  [ ]
Has the critical path for the project been identified?  [ ]
Has an overall project budget been set up and approved?  [ ]
Have outsourced services been identified/approved/appointed?  [ ]
Are financial milestones included in payment terms and conditions?  [ ]
Is there a communications plan that is included in the project plan/Gantt
charts?  [ ]
Is risk analysis conducted and reported throughout the project?  [ ]

Phase C: Implementation
Have appropriate controls been identified to monitor project
implementation and delivery?  [ ]
Are there regular meetings of the project steering committee to
monitor progress, discuss risks, changes, etc?  [ ]
Are project reporting requirements being met and managed e.g. status
reporting for contract, timelines, deliverables?  [ ]
Project costs are tracked and monitored through detailed cost
estimates and expenditure reporting. Deviations are reported and
additional expenditure is approved  [ ]
Is there a clear procedure for managing and approving change and/or
variations (to scope, timelines, contracts, milestones, etc.)?  [ ]
Is the planned versus actual schedule current/reported/monitored?  [ ]
Is there agreement on the level of tolerance?  [ ]
Is the executive, Responsible Body or delegate periodically updated
on progress?  [ ]

Phase D: Closure and review
Have all products been completed and delivered?  [ ]
Have the communications, change and training programs been
implemented?  [ ]
Has the project review been completed including assessment of:  [ ]
    - overall outcomes vs initial objectives?
    - financial outcomes in relation to the initial/revised budget?
    - intended benefits?
    - the learnings?
Where relevant, is there a case for abandoning the project – where it
is off schedule or has not been fully delivered?  [ ]
Has formal approval to close the project been obtained from the
project steering committee following tabling of the project review
report?  [ ]

User Guide to Standing Direction 3.2.5
Direction requirement 20

Information Technology Systems – Change Control




FMCF User Guide: Standing Direction 3.2.5 (Direction Requirement 20) – Information Technology Systems: Change Control
Version 1 (September 2009)

Supplementary material in relation to change control

Introduction
The Standing Directions of the Minister for Finance (the Directions) require authorisation to be obtained for changes made to financial management systems. They also require changes to be implemented in a controlled manner through a change control and management process to ensure the integrity of financial management data is maintained (Direction 3.2.5, Direction requirement 20).

A 'change control' process is required to ensure major impacts of a proposed change can be identified and adequately managed while designing and implementing the changes required.

Benefits of change control
The benefits of change control include:
• improved oversight and communication of changes to be implemented
• increased certainty that only changes that will benefit agency business will be approved and implemented
• ensuring that business priority, infrastructure impact and project risk of proposed changes are considered prior to implementation
• improved ability to move back to the previous environment in case of change failure or unanticipated results
• streamlining and efficiency of change implementation including minimisation of disruptions to ongoing services.

Key aspects of a change control process
All aspects of changes to the IT environment should be controlled including the initial proposal/submission for the change, analysis, decision making, approval and implementation of any changes as well as documentation to ensure appropriate recording of the change.

The key aspects of a change control process are outlined below:
1.   Change requirements and approval
     Change requirements are clearly defined and approved by management
2.   Project management
     Consider project team structure, communication between dependent parties, level of involvement and commitment from senior management, proper reporting and escalation of project issues, post implementation support model
3.   Project monitoring
     Consider deadlines, milestones, resources, activities, monitoring costs against budget and monitoring status of progress against milestones
4.   Risk/issue management
     Potential impacts, including security impacts, of changes has occurred and processes exist to capture and escalate project issues, risk mitigation plans, ensuring that people with appropriate authority can resolve issues, contingency planning
5.   Process requirements
     New processes defined (system design documentation) and approved by Process Owners with sufficient training provided to majority base of users
6.   Segregation of duties
     Duties are segregated between users who develop changes and users who test and promote changes to the production environment
7.   Testing
     Testing procedures exist around development, regression and user acceptance tests, data conversion activities etc.
8.   Fall back procedures
     Procedures exist including defined responsibilities for aborting / recovering from unsuccessful changes
9.   Sign Off
     Sign-off for "Go Live" (migration to the production environment) based on agreed acceptance criteria has been provided and is appropriately controlled




User Guide to Standing Direction 3.3
Direction Requirement 21

Education and Training




FMCF User Guide: Standing Direction 3.3 (Direction Requirement 21) – Education and Training
Version 1 (September 2009)

Education and Training

Introduction
It is a requirement of the Standing Directions of the Minister for Finance to review, at least annually, the education and training needs for financial management staff within a public sector agency (Direction 3.3).

The Direction also states that a program for the identified needs should be developed.

This supplementary material outlines a checklist of areas to consider to fulfil the requirements of this Direction.

Specifically, the checklist includes consideration of an agency's:
• overall approach to education and training
• organisation of training / education for staff
• post training activities.

Education and Training checks (Included ☐)

Overall approach
☐ Is there an education and training strategy implemented across the agency that includes all sites and business units?
☐ Are there policies and procedures in place for the application and approval of education and training for staff?
☐ Are there links between the identification of training needs and position requirements/competencies?
☐ Does management discuss training and education opportunities and requirements with each staff member as part of their annual review process?
Are outcomes of the annual review discussion in relation to training reflected in:
    ☐ individual performance plans?
    ☐ business unit / division plans?
    ☐ agency wide training plans/program?
☐ Is there an education and training program for the agency that is aligned to the overall strategy and supports identified training needs of individuals?
☐ Are specific training requirements considered/reflected in the annual budget process?

Organising training
☐ Have workloads and skill requirements been considered in the preparation and timing of training courses?
☐ Does the education/training cover training needs that have been identified?

Post training activities
☐ Are details of staff education and training documented and recorded centrally / by business unit / on personnel records?
☐ Are the training strategy and individual programs regularly reviewed (including the assessment of whether training should be delivered in-house or externally)?






User Guide to Standing Directions 3.1.3 and 3.4
Direction Requirement 12

Policies and Procedures




User Guide: Standing Direction 3.1.3 and 3.4 (Direction Requirement 12) – Policies and Procedures
Version 1 (October 2009)

Policies and Procedures

Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to establish and maintain documented policies and procedures in relation to financial administration and management under Direction 3.1.3.

The specific policies and procedures required are outlined in Direction 3.4. In addition, the Directions require agencies to:
• communicate policies and procedures to staff
• adopt quality assurance mechanisms to monitor, review and assess compliance with policies and procedures.

The table below outlines the required policies and procedures and indicates whether example internal control checklists are included in this material:

Direction   Financial management element requiring policy and procedure   Internal Control checklist available
3.4.1       Revenue                                                       ✓
3.4.2       Cash handling                                                 ✓
3.4.3       Bank accounts
3.4.4       Cash flow forecasting
3.4.5       Procurement
3.4.6       Expenditure                                                   ✓
3.4.7       Employee costs
3.4.8       Commission on employee payroll deductions
3.4.9       Physical and intangible assets                                ✓
3.4.10      Liabilities
3.4.11      Reconciliations
3.4.12      Administration of discretionary financial benefits
3.4.13      Information Collection and Management

This material outlines detail in relation to:
• the definition of policy and procedure
• authorisations and approvals
• maintenance, monitoring and access
• content
• internal controls
• example internal control checklists for:
    • revenue
    • cash handling
    • expenditure
    • physical and intangible assets

Definitions

Definition of Policy
Policies are principles, rules or guidelines that regulate and direct actions and activities.

They are formulated and adopted to ensure good governance, compliance and fulfilment of organisational goals.

Definition of Procedure
Procedures outline the specifics of day-to-day operations of the organisation explaining how to and who will implement policies.

They are specific, factual, succinct and to the point. Well developed procedures identify and define controls within a process e.g. authorisation requirements for payments.

Procedures generally refer to the process rather than the result.

Together, policies and procedures contribute to good governance and fulfilment of the Responsible Body's directions/instructions.


Authorisations and approvals
Policies are approved at an executive level and should be ratified by the Board/Responsible Body or relevant delegate e.g. Audit Committee.

Procedures should be ratified by the CFAO.

Content
The guideline to Direction 3.1.3 suggests that policies and procedures for financial administration and management should incorporate:
• the legislation under which the agency operates
• the financial management structure of the agency
• the agency's chart of accounts
• policy and procedure details for areas of financial management detailed in Direction 3.4, including use of information technology related to financial matters, where appropriate
• standard forms to be used in financial management
• a list of exemptions obtained from the Minister for Finance and all relevant supporting documentation
• Accounting Standard Pronouncements of the Australian Accounting Standards Board
• conflict of interest details.

Maintenance, monitoring and access
Systems for the maintenance and monitoring of policies and procedures should be implemented to ensure they are regularly reviewed and updated to reflect requirements. Monitoring activities could be conducted by agency staff as well as internal audit.

Policies and procedures should be reviewed at least every two years. Reviews should be designed to continuously improve the policies and procedures and reflect changes in the business/operations, technologies and best practice trends in financial management.

Review triggers
The following is a list of circumstances that could trigger a review (outside of the two year process) of policies and procedures to ensure they are in line with requirements and agency direction:
• significant change in the underlying business of the agency e.g. organisational restructure, merging or alteration of finance structure, changes to staff numbers or the finance team
• legislation or regulation introduction/amendment with financial impact (these changes often impact procedures rather than policies)
• new accounting standards or policies
• Whole of Government or departmental change to financial management e.g. implementation of shared services
• Machinery of Government change.

Version control
In addition, policies and procedures should clearly outline version control details as well as role and responsibility information (i.e. who is responsible for the maintenance, review and implementation of the policy/procedure). Agencies should ensure that only authorised versions are in use at any point in time.

Access
Policies and procedures should be accessible to staff at all times. Details of how and where to access the documents should be circulated to staff regularly.

Staff should also be aware of any changes and updates made to policies and procedures.




Internal controls
Internal controls prevent or detect irregularities in financial management processes. Internal controls can be used to assist with:
• ensuring compliance
• monitoring activities
• communication to staff regarding the relevance and significance of the policy and procedures
• the assessment of risks associated with that procedure.

Example checklists for internal controls are outlined below. These controls can be incorporated into financial management procedures.

Example checklists for Internal Control Activities
The following checklists provide example control objectives and examples of potential control activities. The material should be used as a guide to assist the agency with internal control activities.

Revenue (Direction 3.1.1)
Public Sector Agencies must implement and maintain an effective internal control framework over revenue transaction processing and management to ensure that revenue is completely and accurately identified, recorded and collected.

Accounts receivable – invoicing

Example Control Objective: Sales invoice is generated for every approved provision of services
☐ Invoices are sequentially pre-numbered and accounted for
☐ A manual or system check is performed to ensure documents are not missing or duplicated or fall outside of a specified range of numbers. All rejected, suspense, or missing items are researched, corrected and re-entered on a timely basis

Example Control Objective: Invoices generated represent actual provision of services
☐ Sales personnel reconcile control totals of the daily invoices generated with the total shipments per the shipping system (if applicable)
☐ A manual or system check is performed to ensure data is not duplicated or falls outside a specified range of numbers (check can be preventive or detective)
☐ All rejected, suspense or missing items are investigated, corrected and re-entered on a timely basis

Example Control Objective: Price, amount, and other information on the invoice are correct
☐ Management approval is required for discounts and allowances in excess of predefined limits
☐ Invoicing personnel examine the sales order for evidence of appropriate approval before input. Invoices that are not approved are placed in a suspense file that is reviewed by management for clearance on a regular basis
☐ Potential System Control: System edits exist to validate invoice data input (e.g. customer name and number, pricing, amounts, other information) against approved standing data in the sales order system. Invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered for completeness

Example Control Objective: Duplicate recording of invoices is prevented
☐ A manual or system check is performed to ensure invoice numbers are not duplicated or fall outside a specified range of numbers (check can be preventive or detective)
☐ All rejected, suspense or missing items are investigated, corrected and re-entered on a timely basis




Accounts receivable – invoicing continued

Example Control Objective: Periodic updates for batch processing are complete and accurate
☐ For invoices that are input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete. Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input / update reports. All out of balance conditions are researched and re-entered on a timely basis

Example Control Objective: Duties are adequately segregated
☐ Appropriate segregation of duties should be maintained over, for example: order entry, determining credit limits, inventory custody, shipping, invoicing, returns acceptance, returns approval, credit note approval, cash receipts, cash disbursements, bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance, and G/L maintenance functions
☐ Exceptions noted are investigated and resolved. If management accepts incompatible duties, appropriate mitigating controls exist

Example Control Objective: Ability to post to the accounting records is restricted to authorised users
☐ Formal approval by application owner is required for access to specific accounting records
☐ Management reviews access rights periodically to ensure only authorised individuals have access and for segregation of duties. Exceptions noted are investigated and resolved

Example Control Objective: Unauthorised access to the accounting records is prevented and detected
☐ Management investigates and resolves all instances where unauthorised access has been obtained
☐ Potential System Control: Access controls such as user IDs and passwords are utilised and specific to each application
☐ Potential System Control: Multiple failures to log on invalidate the user ID and are reported via an exception report. The exception report is reviewed by management on a regular basis

Credit notes

Example Control Objective: Ability to raise credit notes is restricted and subject to review
☐ Credit notes are sequentially numbered and access to physical credit notes restricted
☐ Any gap in credit notes sequential numbering is investigated
☐ Credit notes are raised and approved by a separate authority within delegation
☐ All applications for credit notes are supported by the original invoice and other relevant information regarding the credit note
☐ Credit notes are only raised to correct transactions relating to an incorrect accounts receivable balance and / or charge
☐ Finance personnel regularly review outstanding credit notes
☐ Any credit notes linked to a customer's account will be utilised before cash payment is accepted for the customer

Bad Debts

Example Control Objective: Doubtful debts are accounted for correctly
☐ Senior Finance Management regularly review outstanding payments to ensure all debts are recoverable
☐ Management ensure that all outstanding debts over XX days are included in the provision for doubtful debts

Example Control Objective: Ability to write-off bad debts is subject to approval
☐ All write-offs are subject to review and approval within delegated authority limits. All submissions for write-off have supporting documentation




User Guide: Standing Direction 3.1.3 and 3.4 (Direction Requirement 12) – Policies and Procedures                                                                                             121
Version 1 (October 2009)
                                                      Supplementary material to be used as guidance only
Cash Handling (Direction 3.1.2)

Public Sector Agencies must implement and maintain an effective internal control framework over cash handling and banking so that cash from all sources is completely and accurately identified, banked and recorded in the financial records.

Cash receipting

Example Control Objective: Cash receipts are accurately recorded and in the proper period
• The organisation / department directs all cash receipts to its lockbox(es)
• A summary report and electronic file of receipts is provided by the bank to the agency on a daily basis
• Total amount of cash receipts from the bank summary report is recorded as cash and unapplied accounts receivable
• The electronic files are provided to the accounts receivable clerk for application to customer accounts
• Bank statements are reconciled to cash accounts
   ◦ Discrepancies are researched, corrected, and adjusted as necessary on a timely basis
   ◦ The reconciliations are reviewed and approved by appropriate management

Example Control Objective: Cash receipts relate to sales and are recorded against the correct customer account
• Detailed accounts receivable aging is reviewed monthly and any long outstanding balances or other unusual balances (i.e. credit balances) are investigated
• Potential System Control: The electronic file of receipts into the lockbox interfaces with the accounts receivable sub-ledger and applies cash receipts to the debtor accounts based on a matching of debtor name, number, invoice number etc.
   ◦ Unmatched cash receipts are investigated and manually applied

Example Control Objective: All cash receipts are input for processing
• Cash posting personnel reconcile control totals of the cash receipts received for the day (from lockbox files/reports) with the total of cash receipts applied to customer accounts
• All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis

Example Control Objective: Periodic updates for batch processing are complete and accurate
• For systems where application of cash is input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete
   ◦ Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports
   ◦ All out of balance conditions are researched and re-entered on a timely basis

Example Control Objective: Duties are adequately segregated
• Appropriate segregation of duties is to be maintained for the following: order entry, determining credit limits, inventory custody, shipping, invoicing, returns acceptance, returns approval, credit note approval, cash receipts, cash disbursements, bank reconciliations, approval of bank reconciliations, A/R accounting/maintenance, and G/L maintenance functions
   ◦ Exceptions noted are investigated and resolved
   ◦ If management accepts incompatible duties, appropriate mitigating controls exist

Example Control Objective: Ability to post to the accounting records is restricted to authorised users
• Formal authorisation by application owner is required for access to specific accounting records
   ◦ Management reviews access rights periodically to ensure only authorised individuals have access and for segregation of duties
   ◦ Exceptions noted are investigated and resolved

Example Control Objective: Unauthorised access to the accounting records is prevented and detected
• Potential System Control: Access controls such as user IDs and passwords are utilised and specific to each application
   ◦ Multiple failures to log on invalidate the user ID and are reported via an exception report
   ◦ Management investigates and resolves all items

Example Control Objective: Cash receipts are protected before they are deposited
• Physical access to cash receipts is limited to the cash receipts personnel prior to posting to the system
   ◦ Incompatible functions and related duties are subject to a regular review by management
   ◦ Discrepancies and exceptions noted are investigated and resolved



Petty Cash

Example Control Objective: There is restricted access over petty cash
• The petty cash box is locked and kept in a secure location
• No more than two staff members have access to the petty cash fund

Example Control Objective: All requests for petty cash are valid and accounted for
• A set limit for petty cash requests should be in place and should not go over this level
• All petty cash requests should be documented on a standard form / petty cash book detailing date, amount required, reason, and signature of employee requesting petty cash
• The finance personnel with access to petty cash review each request for petty cash and determine if it is appropriate
• Petty cash payments should not be over $X level and should not be used for payments that should be made with a purchase order or can be paid via an expense reimbursement process

Example Control Objective: Unauthorised expenditure of petty cash is prevented and detected
• Petty cash should be reconciled on a regular basis (e.g. fortnightly)
• Appropriate segregation of duties should be in place so that the reconciliation is performed by finance personnel who do not have access to the petty cash fund
• Spot checks are performed on petty cash floats on a regular basis

Example Control Objective: Replenishment of petty cash fund should be appropriately approved
• Replenishment of the petty cash fund should be done on a regular basis, either when reconciled or when funds have diminished to below a particular threshold (e.g. X%)
• The replenishment amount should be reviewed and approved by an appropriate member of finance personnel

Expenditure (Direction 3.1.6)

Public Sector Agencies must implement and maintain an effective internal control framework over expenditure transaction processing and management to ensure that disbursements (including but not limited to grants, capital expenditure, salaries and wages, and other recurrent expenditure) are appropriately authorised and incurred in accordance with business needs, and captured in the financial records.

Invoice processing

Example Control Objective: Invoices are processed for payment after goods are received
• When goods / services are received, the finance system is updated to reflect the receipt
• All invoices are date stamped and signed by appropriate personnel and forwarded to the finance department for payment
• Invoices received by the finance department are reconciled to the accounting system to ensure the good / service has been received
   ◦ If the invoice is not found in the finance system, it is passed to the receipting department for authorisation that the good / service has been received prior to returning the invoice to the finance department for payment
• Potential System Control: Appropriate financial limits are established within the payables function of the finance system
• Potential System Control: An exception report is reviewed to identify instances where the financial limits established have been overridden when raising purchase requisition or purchase order. Discrepancies are followed up on a timely basis by management

Example Control Objective: Ability to enter goods receipts is restricted to authorised users
• Formal authorisation is required for access to the purchasing module of the system and key purchasing transactions
• Management reviews access rights periodically to ensure only authorised individuals have access and that duties are appropriately segregated
• Potential System Control: Attempts to access the system are prevented if access isn't authorised




Invoice processing – continued

Example Control Objective: Duties are adequately segregated
• Purchasing and accounts payable duties are segregated. Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated
• Raising and editing of purchase requisitions or purchase orders is restricted to authorised users
• Potential System Control: Users with access to the purchasing module do not have access to the vendor maintenance, goods receipts, accounts payable and processing disbursements functions within the system

Example Control Objective: All invoices received are input for processing
• Accounts Payable personnel reconcile daily batch totals of the invoices entered with a post input report of invoices entered into the Accounts Payable system
• All non-reconciling items are investigated, corrected and re-entered on a timely basis. Batch totalling is completed for the re-entered data
• Review long standing purchase orders and purge from the system if no longer current

Example Control Objective: Invoices are input for processing correctly
Potential System Controls:
• System edits ensure vendors, quantities, price, extensions, payment terms (including available discounts), supplier name and code, GST Classification, purchase order reference and accuracy of the account distribution are agreed between the invoice, receiving report and purchase order
• Items that do not match are researched, corrected and re-entered prior to approving the invoice for payment
• Duplicate invoice numbers are not permitted
• Incorrect entry of price, quantity, amounts, vendor or general account numbers is prevented or detected; and mismatched purchase orders or receiving reports are investigated and resolved

Example Control Objective: Expenditure is allocated to the correct cost centre
• Accounts Payable officers check the cost centre coding per the accounting system (or stamped to the invoice if applicable) to the nature of the good / service per the invoice and the delivery details
   ◦ Any overrides to cost centre coding are checked on a regular basis by the Accounts Payable Supervisor

Example Control Objective: Periodic updates for batch processing are complete and accurate
• For systems where invoices are input into a temporary file, batch totals are utilised before processing of invoices is complete. Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports
   ◦ All non-reconciling items are researched and re-entered on a timely basis

Example Control Objective: Duplicate recording of invoices is prevented
• Invoices and supporting documents are stamped as “entered” to prevent re-submission for payment
• Potential System Control: Once a purchase order is matched to an invoice, the system identifies the purchase order as 'closed'. Closed purchase orders cannot be selected again for matching

Example Control Objective: Routine services (e.g. rent, utilities) are recorded
• A process exists to capture recurring costs on a monthly basis. For example, Accounts Payable group maintains an excel spreadsheet. When an invoice is received from a recurring bill or open purchase order, Accounts Payable checks the bill / purchase order against the spreadsheet to ensure the amount has not been processed, the invoice amount matches to the list of normal recurring bills, and the amount is not outside of the expected dollar range

Example Control Objective: Payments against capital expenditure are recorded
• When invoices are received in relation to capital expenditure projects (which may not have a corresponding purchase order) a designated project accountant / manager is responsible for monitoring these costs and signing invoices for approving payment
   ◦ Frequent monitoring of expenditure against budget / approved capital expenditure plan should be performed by an independent person (e.g. Fixed Assets Manager)

Example Control Objective: Postings to expense and/or inventory in the general ledger are complete, accurate and valid
• A monthly report is generated that lists receipts for which a supplier invoice has not been received. This report is utilised by accounts payable to accrue for these materials/services in the month of their receipt
• Procedures exist to ensure that period end reconciliation of the accounts payable ledger to the general ledger and cut-off errors are corrected on a timely basis
   ◦ Accounts payable suspense accounts are included in the period end reconciliation process


Invoice processing – continued

Example Control Objective: Duties and taxes on purchases are accounted for correctly
• Tax components in an invoice are compared with the tax estimate in the purchase order. Significant variances are reviewed

Example Control Objective: Data input for invoicing is restricted to authorised users
• Accounts Payable personnel who are responsible for updating invoice information should be different to those who sign cheques
• Potential System Control: Attempts to access the finance system are prevented if access isn't authorised

Example Control Objective: Duties over invoice processing are adequately segregated. Fraudulent invoices cannot be created
• Invoice processing is restricted to authorised users independent from vendor maintenance, goods receipts, and processing disbursements
• Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated

Payments

Example Control Objective: Disbursements are input for processing in a complete manner
• An accounts payable aging report is reviewed periodically to ensure payments have been recorded

Example Control Objective: Disbursement is for the correct invoice
• Payments are not made on invoices that have not been matched to a receiving report and purchase order. This may be a manual or a system control
• Potential System Control: The system may be configured to allow payments that have not been matched. Appropriate segregation of duties must be in place over who can alter and override those configurations

Example Control Objective: Disbursement is to the correct payee and vendor
• Statements received from suppliers are reconciled to the supplier's accounts in the accounts payable sub ledger regularly and differences are investigated
• Potential System Control: Payee name and address are automatically extracted from the vendor master file

Example Control Objective: Disbursement input is for the correct amount
• Any differences between the payment amount and the invoice amount are automatically put into a suspense file. Management must clear items in the suspense file on a timely basis
• Payment amount information is automatically input from the invoice matching process

Example Control Objective: Payments in foreign currency are accurately calculated
• Potential System Control: All payments in foreign currencies are flagged by the system and foreign currency translation is calculated off line by an accounts payable clerk and reviewed by the accounts payable manager

Example Control Objective: Disbursement input is in the proper period
• Potential System Control: The system does not allow for differences between the payment date and the date of the cheque. Management approval is required for any override of this control

Example Control Objective: Correct postings are made to the purchase ledger control account and cash in the general ledger
• The total of cheques issued is reconciled with the updates to the Accounts Payable sub-ledger and cash account. Reconciling items are researched and corrected as necessary
• A list of outstanding purchase orders for which ownership of goods is transferred prior to delivery is prepared for accrual purposes. Management reviews and approves the listing
• Potential System Control: The system updates the corresponding cash and accounts payable accounts as of the cheque run date. Reconciliations are performed to ensure transactions are posted correctly

Example Control Objective: Purchase discounts are accurately calculated and recorded
• Potential System Control: The system is configured to calculate applicable discounts per management policy. If the discount policy can be overridden, monitoring procedures exist for detection and resolution of any system overrides

Example Control Objective: Signed cheques are mailed out promptly to the correct payee
• Bank reconciliations are performed to check for old reconciling items. Exceptions are investigated and corrected as necessary
• An accounts payable aging report is reviewed periodically to ensure payments have been recorded



Payments – continued

Example Control Objective: Missing, duplicate or long outstanding cheques are investigated
• When a payment is made in the system a reference is made to a specific invoice and the system does not allow the payment to be made again
   ◦ Accounts payable staff adopt a consistent approach to entering invoice / supplier details to ensure no invoices are duplicated for payment
   ◦ Only original invoices are accepted for processing payments in the accounting system
• Cheques outstanding >30 days are reviewed and resolved on a monthly basis
• All cheques must be paid in sequential order
• Bank reconciliations are performed on a regular basis to determine outstanding cheques and reconciling items. Exceptions are investigated and corrected as necessary

Example Control Objective: Periodic updates for batch processing are complete and accurate
• Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals)
• These totals are compared to post input/update reports. All out of balance conditions are researched and re-entered on a timely basis
• Potential System Control: For systems where disbursements are input into a temporary file, batch totals are utilised before processing of payments is complete

Example Control Objective: Duplicate payments are prevented
• Potential System Control: The system does not allow an invoice to be paid twice

Example Control Objective: Payments made are for goods or services actually ordered or rendered and received
• Payments can only be made from 'closed' invoices. Invoices are closed after matching to a receiving report and purchase order

Example Control Objective: Urgent payment requests are approved
• Requests for manual cheques are supported by purchase agreements, receiving reports, original invoices, or other documentation that indicates the purpose of the expenditures
   ◦ The cheque request amount is compared to the initiator's or approver's maximum delegation amount to determine if a second signature is required
   ◦ Cheques in excess of established dollar amounts (or equivalent) are forwarded to a second designated cheque signatory for approval with supporting documentation

Example Control Objective: Access to unissued cheques and cheque signing machines is restricted
• Duties over the release of cheques for printing and signing are segregated from those of entering and matching invoices for approval
• Unused cheques are kept in a locked location
• Mechanical cheque signers and signature plates are safeguarded
• Access to cheque signing privileges is limited to a minimum number of people

Example Control Objective: Cash and electronic funds payments are approved
 The release of cheques for printing and signing or release of electronic funds                        Multiple signatures are required for cheques over a certain amount
  is approved by personnel separate from those who enter and match invoices                                                                                                             
                                                                                                     Cheque stock is sequentially pre-numbered
 Appropriate authority limits are established for approvals                       
                                                                                                         Sequential cheque numbers are reviewed and reconciled on a regular
Example Control Objective: Electronic funds transfers are controlled                                         basis. Any missing cheque numbers are researched immediately
 One-off and initial standing wire transfer requests are accompanied by                                Cheque runs are reviewed for any inaccurate, spoiled or illegible cheques
  appropriate supporting documentation                                                              Example Control Objective: Input and generation of payments is restricted
 Only authorised treasury personnel can initiate wire transfers. Bank call-back                   to authorised users
  verification procedures are in place                                                                                                                                                  
                                                                                                     Attempts to access the system are prevented if access isn‟t authorised
     Potential System Control: Electronic Fund Transfers require dual
           authorisation                                                                            Example Control Objective: Duties are adequately segregated
 All bank accounts are reconciled on a timely basis and all wire transfer                          Access to process disbursements is segregated from vendor maintenance,            
  activity accounted for                                                                              purchasing, goods receipts, and accounts payable
                                                                                                     Incompatible functions and related duties are subject to a regular review by      
                                                                                                      management. Discrepancies and exceptions noted are promptly investigated



User Guide: Standing Direction 3.1.3 and 3.4 (Direction Requirement 12) – Policies and Procedures                                                                                           126
Version 1 (October 2009)
Masterfile Changes to Accounts Payable

Example Control Objective: Approved changes are input for processing completely and accurately
• An appropriate officer approves changes to standing data prior to input. Each change must be supported by sufficient documentation
• A one-to-one check of changes input into the system is completed via a comparison between post input/update reports to the change source documents for completeness and accuracy. Discrepancies are resolved and the re-entered data is subject to the same control
• To ensure that data remains accurate, the standing data owners complete a regular review. Any changes noted by the owners are entered via the standard standing data change process
• Potential System Control: For changes to certain types of standing data and/or changes outside certain parameters, the system produces a report of these changes which is forwarded to management for review. Acceptance of these changes by the system is dependent upon management review of supporting documentation and approval

Example Control Objective: Periodic updates to standing data via batch processing are complete and accurate
• Where batch totals are utilised, input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports
• All out of balance conditions are investigated and re-entered on a timely basis

Example Control Objective: Duties are adequately segregated
• Segregation of duties is maintained between the update of standing data and the maintenance of financial records (i.e. posting or approval of adjustments, reconciliations, etc.). Exceptions noted are investigated and resolved
• If management accepts incompatible duties, appropriate mitigating controls exist, such as regular review of system access

Example Control Objective: Ability to post to the accounting records is restricted to authorised users
• Formal authorisation by the application owner is required for access to specific accounting records
    - Management reviews access rights periodically to ensure only authorised individuals have access to the accounting system and there is adequate segregation of duties. Exceptions noted are investigated and resolved

Example Control Objective: Unauthorised access to accounting records is prevented and detected
• Access controls such as user IDs and passwords are utilised and specific to each application and user
    - Multiple failures to log on invalidate the user ID and are reported via an exception report. Management investigates and resolves all items on the exception report

Example Control Objective: Vendors in the masterfile are current
• Potential System Control: A report of vendors with no purchasing activity for 12 months or more is generated periodically (eg. quarterly) to ensure that all vendors in the masterfile are current




Physical and Intangible Assets (Direction 3.1.9)

Public Sector Agencies must implement and maintain an effective internal control framework for asset management to ensure that assets are identified, recorded accurately and accounted for in accordance with Australian Accounting Standards.

Asset Additions

Example Control Objective: Capital expenditure requests are recorded completely
• Capital expenditure forms are sequentially pre-numbered and accounted for. Alternatively, every capital expenditure request is assigned a unique number to eliminate the risk of duplication
    - A manual or system check is performed to ensure documents are not missing or duplicated or fall outside a specified range of numbers. All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis
• Potential System Control: If an automated purchasing system is used, specific application controls may be embedded in the system

Example Control Objective: Capital expenditure requests are approved
• The pre-numbered capital expenditure forms (for both internally constructed assets and external purchases) / capital expenditure requests are approved by an appropriate level of management and forwarded to either the internal engineering group or the purchasing department, respectively
    - All changes to capital expenditure forms require formal approval from management in accordance with appropriate delegations of authority (see below)
• Established policies and procedures define spending limits and approval procedures for capital expenditure
• Potential System Control: Approval limits are configured in the system, which allow authorised users to enter and approve acquisitions within approved limits. These are systematically applied and attempts to override are prevented

Example Control Objective: Approved capital expenditure requests are recorded accurately
• Approved capital expenditure forms are input into a capital expenditure request tracking system or fixed asset/projects sub-ledger
    - A one-to-one check between the entered information and source documentation occurs for accuracy of key data fields. Any discrepancies are re-entered and subject to the same control

Note that ordering, receipt, invoice processing and payments related to capital expenditure are covered in the Internal Control checklists of Expenditure

Example Control Objective: Capital expenditure requests are appropriately updated upon receipt of asset
• The finance department performs a monthly review of the open capital expenditure forms per the capital expenditure request tracking system / fixed assets/project sub-ledger. Items are researched and resolved as necessary
• Potential System Control: When capital items are received and matched to the purchase order, the system automatically notifies the appropriate personnel so that the capital expenditure request tracking system or fixed assets/projects sub-ledger can be updated

Example Control Objective: Fixed Asset acquisitions are input accurately and in the correct period
• Subsequent to receipt, fixed asset records are updated. A one-for-one check between the internal and external supporting documents (i.e. invoice) and the fixed asset sub ledger / fixed asset register occurs. Any discrepancies are identified and re-entered. The check occurs again for re-entered data
• The fixed asset manager / appropriate personnel reviews all fixed asset additions and approves the classification, useful lives, depreciation method, etc.
• Periodically, management reviews acquisition reports and compares to budgets or other data for reasonableness of acquisitions by category of asset, location or division. Discrepancies are followed up and corrected as necessary

Example Control Objective: Where applicable, the organisation / department holds a valid title
• Where applicable, internal legal counsel ensures that the organisation / department holds legal title to recorded fixed assets
• Where a physical title is received, it is maintained in a secure location

Example Control Objective: Duties and taxes on fixed asset transactions are recorded in accordance with applicable laws and regulations
• Periodically, the tax department reviews the tax consequences of fixed asset additions to determine appropriate treatment
• Due to complexity, all foreign taxes are reviewed by the tax department

Example Control Objective: Interests that can be capitalised on financed capital projects are recorded completely and accurately
• All debt and interest expense information is stored in a central repository, including the purpose of the debt
    - The information used to calculate the capitalisation of interests is reviewed by management and matched against the repository
    - Discrepancies are identified, investigated and re-entered




Asset Additions – continued

Example Control Objective: Capitalised interest is recorded in the proper period
• The finance department generates a report on debt used to finance acquisitions. This report is reconciled by management to the interest capitalised
    - Any discrepancies are identified and re-entered
• The interest capitalised is compared against a separate approved budget file. Items that do not match are investigated, corrected and re-entered as necessary on a timely basis
• Capitalised interest is approved
• Significant differences between actual and budgeted capitalised interest are approved

Example Control Objective: Capitalisation of payroll cost for services rendered for construction purposes are recorded completely and accurately
• Employees charge hours worked on capital projects to specific time codes. Edit checks lead to the rejection of invalid codes or storage in a suspense file where it is investigated, corrected and re-entered
• If applicable, the engineering department provides a report on the involvement of employees in capital projects. This report is reconciled by management to the personnel costs capitalised. Any discrepancies are identified and re-entered
• The payroll costs capitalised are matched against a separate approved budget file. Items that are not matched are investigated, corrected and re-entered on a timely basis

Example Control Objective: Capitalised payroll is approved
• Significant differences between actual and budgeted capitalised payroll are approved

Example Control Objective: Constructions-in-progress is input accurately and in the correct period
• There is a one-for-one check between the project status report and the construction in process sub-ledger. Any discrepancies are identified and re-entered. The check occurs again for re-entered data
• Periodically, management reviews the construction in process sub ledger against the project status reports and budgets to assess the status of projects. Final costs for completed projects are provided for posting to the fixed asset sub-ledger

Example Control Objective: Duties are adequately segregated
• Adequate segregation of duties exists between the physical custody of assets, acquisition/disposal approval and finance duties

Example Control Objective: Unauthorised input to Fixed Asset sub-ledgers is prevented and detected
• Potential System Control: Access controls such as user IDs and passwords are utilised and specific to each application. Multiple failures to log on invalidate the user ID and are reported via an exception report for investigation by management. Formal authorisation by the application owner is required for access to the Fixed Asset sub-ledgers of the system
    - Management reviews access rights periodically to ensure only authorised individuals have access and for segregation of duties
    - Discrepancies and exceptions are promptly investigated

Example Control Objective: Ability to post to the Fixed Asset sub-ledger is restricted to authorised users
• Incompatible functions and related duties are subject to a regular review by management. Discrepancies and exceptions noted are promptly investigated
• Potential System Control: Attempts to access the system are prevented if access isn't authorised




Depreciation

Example Control Objective: Information necessary to calculate the depreciation (e.g. depreciation rates, estimated useful lives) is recorded in the system completely and accurately
• The fixed asset sub-ledger utilises a standard form to record all relevant information for fixed asset additions. Additions are not accepted without information necessary to compute depreciation
• Edit checks ensure that the information input to calculate the depreciation is reasonable
• Potential System Control: Invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered on a timely basis

Example Control Objective: Property, plant and equipment accounts have an assigned depreciation rate
• Useful lives and other information are standardised
    - Management reviews system reports on changes to depreciation rates and methods. Changes not in compliance with policies are identified and corrected
• Potential System Control: Program limits and reasonableness checks identify deviations from these standards that are investigated and re-entered if appropriate

Example Control Objective: Fixed assets are depreciated appropriately
• Management performs reasonableness tests of depreciation expenses. Results that are outside an expected range are investigated and corrected as necessary

Example Control Objective: Fixed assets are depreciated appropriately and correct postings are made to accumulated depreciation, depreciation expense and the general ledger
• Management reviews periodic reports and compares to budgets or other data for reasonableness of depreciation charges by category of asset, location or division. Discrepancies are followed up and corrected as necessary

Example Control Objective: Information necessary to calculate the depreciation expense (e.g. depreciation rates, estimated useful lives) is approved
• The methods of fixed asset depreciation are formally documented, approved and consistently applied through manual or system processes

Assets Valuation and Stocktakes

Example Control Objective: All fixed asset accounts are tested for valuation issues on a timely basis
• Significant fixed asset accounts are reviewed quarterly by management for impairment, including an assessment of current and future utilisation

Example Control Objective: All damaged or idle fixed assets are assessed for impairment
• Periodic physical inspections of fixed assets and construction-in-progress are compared to manually or system recorded data
    - Discrepancies are investigated, corrected, and reprocessed as necessary on a timely basis

Example Control Objective: All construction-in-progress projects are assessed for impairment
• Appropriate reports are prepared for all construction in progress projects. Regular on site meetings are held by management to identify and assess valuation issues

Example Control Objective: Appropriate information is used to calculate the impairment
• The information needed for fixed asset valuation is formally documented in accordance with policies
• A one-for-one check between all source documents and information recorded in the fixed asset sub ledger occurs
    - Any discrepancies are identified and re-entered. The check occurs again for re-entered data

Example Control Objective: Valuation calculations/ recordings are approved
• Significant impairments require management approval to be processed
    - On a quarterly basis, management reviews all impairments

Example Control Objective: Ability to post to the Fixed Asset sub-ledger is restricted to authorised users
• Incompatible functions and related duties are subject to regular review by management. Discrepancies and exceptions noted are promptly investigated
• Potential System Control: Attempts to access the system are prevented if access isn't authorised




Asset Disposals

Example Control Objective: All disposals are completely and accurately input for processing
• Fixed asset disposal documents are sequentially pre-numbered and accounted for
    - Those with custody over fixed assets regularly report the disposals/ retirements of fixed assets under their custody to the finance department using these pre-numbered forms
• Periodic physical counts of fixed assets are compared to the fixed asset register. Differences to the information in the sub ledger/fixed assets ledgers are identified, investigated and when applicable, the ledger is corrected. Refer to stocktake procedures above

Example Control Objective: Periodic updates for batch processing are appropriately executed
• For systems where disposals are input into a temporary file before sub-ledger updates, batch totals are utilised before processing is complete. Input documents are grouped and a numerical total is calculated (i.e. number of documents, dollar amount, hash totals). These totals are compared to post input/update reports. All out of balance conditions are investigated and re-entered on a timely basis

Example Control Objective: Information that is used to calculate asset disposals/ retirements is complete and accurate
• The fixed asset sub-ledger utilises a standard form to record all relevant information for fixed asset disposals
    - Disposals are not accepted without information necessary to process the impact of the disposal
• Potential System Control: Edit checks ensure that the information input to calculate the disposal is complete
    - Invalid data is rejected for re-entry or stored in a suspense file where it is investigated, corrected and re-entered on a timely basis

Example Control Objective: Net proceeds / costs associated with asset retirement are recorded accurately
• A one-for-one check between disposal source documents (i.e. cash proceeds, removal costs, etc) and the disposal form in the fixed asset system occurs
    - Any discrepancies are identified and re-entered. The check occurs again for re-entered data

Example Control Objective: Correct postings are made to fixed assets, accumulated depreciation and the general ledger
• A one-for-one check occurs to ensure the fixed asset to be disposed per the approved disposal request matches the fixed asset removed from the fixed asset ledger and that the correct related accumulated depreciation is removed and the net amount booked to gain or loss on disposal, including a check related to date removed from service

Example Control Objective: Disposals/ retirements of fixed assets are approved
• Those with custody over fixed assets have to obtain approval from management before they process a fixed asset for disposal / retirement

Example Control Objective: Recordings of disposals/ retirements of fixed assets are approved
• Management reviews and approves monthly reports on disposals/ retirements generated by the finance department

Example Control Objective: Duties are adequately segregated
• Adequate segregation of duties exists between the physical custody of assets, acquisition/disposal approval and finance duties




User Guide: Standing Direction 3.1.3 and 3.4 (Direction Requirement 12) – Policies and Procedures                                                                                       131
Version 1 (October 2009)


User guide to Standing Direction 4.1
Direction Requirement 22

Internal Financial Management Reporting




FMCF User Guide: Standing Direction 4.1 (Direction Requirement 22) – Internal Financial Management Reporting   133
Version 1 (September 2009)

                                                Internal Financial Management Reporting
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies implement and maintain internal financial reporting that is timely, accurate, appropriate and effective.
The reports should provide strong financial analysis and are to be used to support management decision making and broader operations.
A number of specific requirements are outlined under Direction 4.1 including that:
• an agency must identify its financial management information requirements
• financial management reports must be presented to the Responsible Body
• the CFAO must sign off on financial management reports
• financial systems must support internal financial management reporting.
This supplementary material provides guidance in relation to each of the specific requirements for internal financial reporting as outlined in Direction 4.1.

The purpose of internal financial management reporting
Internal financial management reporting should take the “pulse” of an agency and provide management with the information required to support effective, timely decision making.
Internal financial management reporting should assist with:
• early identification of potential problems through the use of performance measures, trend analysis, forecasting, benchmarks etc.
• data-driven decision making i.e. information and measures to assist management in decision making processes
• quality improvement programs, based on clear identification of areas for improvement that align with business plans across the agency
• allocation of responsibilities/accountabilities.

In substance, the fundamental objective is to provide clear and common understanding of:
• “What has happened?” so that management can focus their efforts on
• “What does this mean?” and “What do we need to do”?

While the focus of this guidance material is on internal financial management reporting, an effective suite of management reports requires a balance of financial, operating and risk and control indicators, as these are essential to the holistic monitoring of agency performance.
Note: For further detail please refer to material for Direction 4.4 Financial Performance Management and evaluation (KPIs).




Good practice reporting
Internal reporting requirements depend on the nature of the agency's business, the operational and strategic drivers and expectations of management and the Responsible Body.
Internal management reporting should consistently reflect and align with strategic objectives and only provide key information that drives an agency's performance in achieving business objectives.
The table below provides some good practice principles for internal reporting.

1. Reports fulfil business needs
Internal financial management reports should be developed to meet an agency's financial management reporting requirements.
• understand agency strategy (e.g. improve resource utilisation)
• identify which factors are critical to the achievement of the strategy (e.g. manage resource expenditure)
• identify impacts on these factors (e.g. overtime)
• identify which of these factors can be controlled by the agency
• assess which factors to report (based on significance, degree of control, etc.)
Consider:
• whether the benefit derived from reports exceeds the cost of producing the report
• using existing measurement / reporting frameworks to streamline the process
• the example pulse questions below to check whether reports will meet requirements:
  Are we on track?
    To manage the day to day operations as appropriate
  Will we deliver the strategy?
    To monitor and track their progress against organisational priorities and the strategic plan
  Is the performance optimal?
    To manage the internal control environment, efficiency and effectiveness of operations
  What do we need to change to make it right?
    To implement corrective actions e.g. resource re-allocation.

2. Reports are clear and relevant
Ensure reports:
• contain clear and concise information that is usable, digestible and have widely accepted definitions
• include useful information that is relevant to the users and represents the reality of the business
• have appropriate measures that are presented clearly through tables, graphics, text, numbers, etc.

3. Reports are accurate, reliable and timely
Reports should:
• be valid, reliable, dependable and free from error and bias by using data sources that are reliable and accurate
• use information that is current to ensure timely reporting
• enable informed and effective decision making in a timely manner
Processes should be developed to ensure sufficient time for preparation, review and distribution of reports e.g. develop annual reporting timetable with timelines and responsibilities.

4. Reports are complete and consistent
• Financial information must be consistent and complete to ensure reliability and allow for comparability over time and financial periods.
• Measurement processes should be applied to enable consistency over time for quality analysis and assurance purposes.
• An adequate audit trail for the production of reports should be kept to detail changes made and comparisons to the underlying financial systems.

5. Reports comment, evaluate and compare
• Financial reports must include commentary to evaluate and compare results
• Results can be compared across time periods, across different agencies and/or portfolios – comparisons should be appropriate to ensure relevancy
• Evaluations can take into account variations that are seasonal or cyclical, for example
• Comments can be structured using Cause, Impact and Action for example:
  Cause – What happened and how did it happen?
    The result
    The financial / non-financial outcome affecting the result
    The main driver causing the outcome
  Impact – What is the result to our expected / planned benefit?
    The impact on the financial / non-financial benefit?
    The impact of the benefit into the future?
    The impact on our expectations of the benefit?
  Action – What are we doing as a result and who is charged with it?
    The decision required to take action?
    The action taken to mitigate the risk or maximise the opportunity


Good practice reporting continued
Representing financial information graphically can assist report users in “digesting” the information presented.
Where it is inappropriate to present large volumes of financial information in a graph, the application of a few simple principles can help to draw attention to the key areas of interest.
The example below demonstrates that rounding to 000's assists users to digest numbers more easily, and that attention is drawn to variance analysis through the use of the traffic light system, i.e. the use of colours and arrows to indicate financial movements.

Statement of financial Position
                                          Month ($'000)                      Full Year ($'000)
                                Actual   Budget   Variance   LY Variance    Budget   Forecast
Income
Grant income                     1,233    1,800      (567)           333    21,600     14,796
Onshore student income             303      300          3        (1000)     3,600      3,636
Offshore student income            700      100        600           150     1,200      8,400
Other fees and charges             466      577      (111)           100     6,924      5,592
Total student related income     2,702    2,777       (75)         (417)    33,324     32,424

Meeting good practice
The checklist below can be used to assist in assessing whether an agency's internal financial management reports are meeting requirements and good practice

Question in consideration of good practice / Considered
☐ What information is being reported?
   e.g. income, expenditure, safety indicators, enrolments information etc.
☐ How is it being reported?
   e.g. tabular, graphical, textual, numerical etc.
☐ When is it being reported?
   e.g. daily, weekly, monthly, annually, is there a report timetable in place
☐ To whom is it being reported?
   e.g. manager, senior managers, portfolio heads etc.
☐ What decision making does it support?
   e.g. daily operational decision making, strategic planning etc.
☐ Who is involved in the production of the report?
   e.g. finance
☐ What resources are required? Is there reliable data available?
   e.g. time taken to produce reports / how complex is it / is the time and effort worth it?
☐ Who owns the report?
   e.g. finance






User guide to Standing Direction 4.2
Direction Requirement 23

Reporting in terms of Part 7 of the FMA




FMCF User Guide: Standing Direction 4.2 (Direction Requirement 23) – Reporting in terms of Part 7 of the FMA   137
Version 1 (September 2009)

                                                   Reporting in terms of Part 7 of the FMA
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to develop procedures for the timely and accurate preparation of reports to ensure compliance with Part 7 of the Financial Management Act (FMA).
The FMA requires agencies to submit:
• an annual report with a number of specific requirements
• financial information for the purposes of meeting the State's Consolidated Financial Reporting requirements

Procedures for FMA Reporting
To comply with the Directions, agencies must ensure there are procedures in place to support the implementation of Part 7 of the FMA.
Procedures should consider:
• tasks to be completed to meet the requirements
• identification of appropriate resources
• responsibilities for tasks (at a role level)
• approval processes across the agency
• timelines that ensure requirements are met and appropriate approvals have been obtained.

Annual report
The annual report is the medium through which agencies discharge their accountability to Parliament, Government and the Victorian public. The FMA requires an annual report to consist of:
• a Report of Operations
• Financial Statements
The information provided in relation to an agency's finances, performance, operations and other general details is valuable information that is used for planning and resource utilisation decisions.

Report of Operations
The Report of Operations provides users of financial statements with general information about the entity and its current and future activities (by providing qualitative and quantitative information) and other relevant information that is not included in the financial statements.
This report is to be prepared in accordance with the requirements of Financial Reporting Directions, and presented in accordance with the guidelines contained in the Model Report for Victorian Government Departments, as issued annually by the Department of Treasury and Finance.
Government departments are also required to include in the unaudited section of the annual report a comparison between their portfolio financial statements published in Budget Paper No 4 and actual results for the portfolio for the corresponding financial year. This is known as 'Budget Portfolio Outcomes' and must be presented as a set of financial statements in the same format and consolidation basis as those prepared for the agency.
The Report of Operations must be signed and dated by the Accountable Officer in the case of a Government Department or, in the case of any other agency, a member of the Responsible Body.




Financial Statements
The financial statements must be prepared in accordance with:
• Australian accounting standards and interpretations (AAS's) which include Australian equivalents to International Financial Reporting Standards;
• Financial Reporting Directions; and
• Business Rules.

Consistent with professional accounting requirements, the financial statements are to comprise the following:
• Comprehensive operating statement;
• Balance sheet;
• Statement of changes in equity;
• Cash Flow Statement; and
• Notes to the financial statements.
The financial statements are to be signed and dated by the Accountable Officer, CFAO and a member of the Responsible Body, stating that the financial statements have been presented fairly, in accordance with applicable Financial Reporting Directions and applicable accounting standards.

Model Report
Each year the Department of Treasury and Finance issues a Model Report to assist agencies with the planning and preparation of their FMA reporting requirements.
The Model Report is available on the Department of Treasury and Finance website (www.dtf.vic.gov.au).

Consolidated Financial Reports for the State
Financial Reports for the State of Victoria are key elements of the Government's financial reporting framework.
The FMA requires agencies to submit financial information for the preparation of quarterly, mid year and annual Consolidated Financial Reports for the state. The information is submitted to the Department of Treasury and Finance through the Business Management System.

Quarterly Financial Reporting and Mid-Year Financial Reporting were introduced in the 2000-01 financial year, following the introduction of amendments to the Financial Management Act 1994. The reporting framework is a key component of the Government's commitment to openness and accountability in financial management







User guide to Standing Direction 4.3
Direction Requirement 24

Other External Reporting




FMCF User Guide: Standing Direction 4.2 (Direction Requirement 23) – Other External Reporting        140
Version 1 (September 2009)


                                                                       Other External Reporting
Introduction
The Standing Directions of the Minister for Finance (the Directions) require agencies to ensure all other external reporting requirements are met through the development of procedures. The procedures should also ensure other external reports are completed in a timely and accurate manner.
External reports must:
• be identified by the agency to ensure all external reporting requirements are met
• be delivered completely, accurately and in a timely manner
• be reviewed by the CFAO or delegate prior to release
• include those contained in the Integrated Management Cycle (IMC) 45, where appropriate, as issued by the Department of Treasury and Finance (DTF).

Procedures for other external reporting
To comply with the Directions, agencies must ensure there are procedures in place to support the implementation of other external reporting requirements.
Procedures should consider:
• tasks to be completed to meet the requirements
• identification of appropriate resources
• responsibilities for tasks (at a role level)
• approval processes across the agency
• timelines that ensure requirements are met and appropriate approvals have been obtained.

The Integrated Management Cycle
The Integrated Management Cycle (IMC) describes the annual process that integrates and aligns Government decisions with strategic priorities for resource allocation and output delivery including internal evaluations, reviews and reporting.
The key objectives of the IMC are to ensure that:
• processes are stable and certain, with events and key dates known in advance
• there is a clear sequence of events
• linkages between processes are well understood, and
• the focus on delivering outputs to achieve Government outcomes – rather than inputs and compliance – is reinforced.

The diagram below outlines the IMC:

Please refer to the DTF website for further information (www.dtf.vic.gov.au).

45 Internal financial management reporting is a critical process for the efficient and effective management of departments and agencies and a key input to the IMC.

User guide to Standing Direction 4.4
Direction Requirement 25

Financial Performance Management and
Evaluation




FMCF User Guide: Standing Direction 4.4 (Direction Requirement 25) – Financial Performance Management and Evaluation   142
Version 1 (September 2009)
                                    Financial Performance Management and Evaluation
Introduction
The Standing Directions of the Minister for Finance (the Directions) require that agencies develop appropriate financial management performance indicators and monitor performance against these to identify key statistics and trends for use in management decision-making.
The Directions outline a number of specific requirements, under Direction 4.4, for financial key performance indicators (KPIs) including that KPIs:
• must be developed by the Responsible Body working with management, including the Chief Financial Accounting Officer (CFAO) and the Accountable Officer
• must be designed to measure and monitor financial management performance of the Public Sector Agency
• must be measured, monitored and reported against on a regular basis (at least quarterly, unless the financial KPI is an annual measure) to the Responsible Body
• are implemented by the Responsible Body with procedures to ensure they are monitored.

This material provides guidance in relation to developing an agency's internal KPIs to assist in monitoring financial performance. It is designed to assist agencies in considering, designing and developing the types of KPIs that may be appropriate for their agency activities.
This material specifically relates to financial KPIs only and does not include overall KPIs required for annual performance reporting.
This material includes the following information:
• Performance management and KPIs
• Purpose of KPIs
• Types of KPIs
• KPI development and design
• KPI characteristics
• Implementation of KPIs.
• Examples of KPIs relating to:
  - revenue
  - expenditure
  - cash handling
  - investments
  - liabilities




FMCF User Guide: Standing Direction 4.4 (Direction Requirement 25) – Financial Performance Management and Evaluation                                                 143
Version 1 (September 2009)

Performance management and KPIs

Performance management is a combination of approaches, measures, processes and systems that organisations use to monitor and manage their performance. KPIs are a fundamental component of performance management that communicate strategic goals across the agency.

KPIs can be used across all levels of an organisation, from business plans at divisional/department levels to individual employee work programs and activities. An organisation can use KPIs from across the different areas and levels to align and feed into overall strategic organisational measures.

Well defined KPIs can be monitored to measure how effectively the overall organisation strategy is being implemented – “strategy to execution” – and will also provide a mechanism that allows early action to be taken if issues arise – “opportunity for action”.

Performance management cycle

A typical performance management cycle is depicted in the diagram below. The initial step is to define the key business drivers for the agency. Steps 2 and 3 consider the design and development of KPIs.

The collation and recording of data (as per Step 4) for KPI monitoring typically provides a challenge for agencies, though this is less of an issue for financial KPIs, which are usually sourced from the core financial systems.

The performance management cycle uses the reporting results (from KPI monitoring and reporting) as a basis to assess the need for change and implement it as required. It also analyses the results (Steps 6 and 7) to consider the reward for successful achievement of goals.

Diagram of a performance management cycle
  1. What are the key business drivers in the Agency Strategy?
  2. How is the strategy translated into KPIs?
  3. How is KPI progress measured?
  4. What data & systems are available to collate information for management?
  5. How can the data be used to implement sustainable change?
  6. How are individuals & agencies rewarded for achieving their KPIs?
  7. How are set targets and budgets compared with actual results?





Purpose of KPIs

KPIs provide a means for monitoring agency performance, and understanding how effective and efficient that agency is in achieving its objectives and desired outcomes.

KPIs are a way for an agency to effectively establish measures and monitor progress for the following overall organisational questions:
  • Where do we want to be?
  • How will we know when we get there?
  • What are we doing to get there?

KPIs that are designed to support the overall strategic objectives of an organisation represent its "vital signs". When part of a comprehensive system of measures implemented across an organisation, KPIs inform the CFAO, management and the governing body and employees of what and how they are progressing towards achieving overall agency objectives.

Types of KPI

There are a number of different categories into which KPIs can be grouped. These include:

  Financial:    focus on financially driven measures. It is this category of KPI that is the focus of Direction 4.4 and for which illustrative examples of potential indicators are included in this supplementary material (for revenue/receivables, expenditure/accounts payable and cash receipting).
  Stakeholder:  focus on service to, and satisfaction of various stakeholders who are impacted by the agency's activities. This could include response times or service satisfaction levels.
  Process:      target the key processes or activities that allow an agency to meet its strategic objectives and are operational in nature.
  People:       focus on the recruitment, development, appraisal and retention of staff within the agency.

KPIs developed and implemented across all agency activity areas using these different categories provide a balanced and comprehensive view of expectations, outcomes and activities that can be monitored and reported against.

KPI development and design

The process for designing and implementing effective KPIs commences with consideration of an agency's strategy, vision, and goals as well as the drivers that support those goals.

The link to strategy is achieved most effectively by starting at the strategy level and moving to the task and activity level (rather than the other way).

Using the agency's strategy, vision and goals, KPIs are identified with defined metrics. The annual budget process provides a good opportunity to identify KPIs and targets each year.

Once KPIs are defined it is important to ensure processes are in place to collect data for the monitoring of the KPI. Indicators and metrics can be incorporated into a single source, e.g. a scorecard, to input and collate data for tracking KPIs. A scorecard of indicators provides an effective tracking device for:
  • financial and non-financial performance
  • short-term and long-term performance
  • lag measures (which represent past performance) and lead measures (which indicate future performance).

Once initial KPIs are established agencies should consider the process for reviewing and revising KPIs. The process should be efficient and well controlled and may take into account use of appropriate technology and software for performance management to help achieve this.




Process for developing KPIs

The diagram below illustrates the process for developing KPIs, monitoring and reporting activities.

KPI characteristics

To be meaningful and effective, performance indicators should be “S M A R T”. The table below outlines the characteristics of “S M A R T” KPIs:

  Specific:         linked to a specific desired outcome or goal that is clearly defined and understood, e.g., accelerate cash collections cycle
  Measurable:       capable of being measured in a timely and efficient manner
  Action oriented:  linked to the desired actions that are expected of the people being measured
  Realistic:        based on facts, and agreed targets should be achievable
  Time-bound:       refers to how frequently the KPI should be measured and reported, e.g. will the KPI be reported weekly, monthly, quarterly or yearly





Implementation of KPIs

Public Sector Agencies must develop, measure, monitor, evaluate and report against financial KPIs.

Ultimately, financial KPIs are tailored to an agency's business and assist management in strategic planning and resource allocation. KPIs can also provide information from ongoing activities to assist in highlighting instances where corrective action is required on a timely basis.

CFAOs should not take KPI results as just a static “point in time” measure. The results should be analysed in the context of their overall trend, generally across 3-5 periods.

The checklist below provides an overall guide in relation to developing KPIs.

  KPI checks                                                                                              Included
  Is there a clear link between portfolio level goals and/or government level goals/aspirations and agency level desired outcomes and services?   [ ]
  Does the KPI enable assessment of service delivery by key stakeholders, including Portfolio departments?   [ ]
  Does the KPI assist CFAOs in strategic planning, resource allocation as well as highlighting instances where corrective action is required on a timely basis?   [ ]
  Is the KPI comparable with similar agencies?   [ ]
  Can data be readily collected and reported against the indicator when required?   [ ]
  Have the KPIs been endorsed by the CFAO?   [ ]

This supplementary material sets out a number of illustrative KPIs across the following financial processes:
  • revenue
  • expenditure
  • cash receipting
  • investments
  • liabilities.

The KPIs provided are examples only and are not a complete list of all possible KPIs. Other suitable financial KPIs may also exist.

The material should be used as a guide to assist the agency to select KPIs which are specific to their business in order to provide meaningful information to management.





Example of KPIs relating to revenue / receivables

Revenue

KPI: Revenue growth
  Description:      This KPI measures the percentage growth in revenue for the current period
  Objective:        To ensure that revenue growth is in line with the target set by agency
  KPI calculation:  (Current period revenue – prior period revenue) / Prior period revenue
  Example target:   Revenue growth to be greater than or equal to xx%

KPI: Actual revenue vs budgeted revenue
  Description:      This KPI measures the variance between actual and budgeted revenue
  Objective:        To ensure that actual vs budget meet internal targets set by the agency to improve forecasting
  KPI calculation:  (Actual revenue – budgeted revenue) / Budgeted revenue
  Example target:   Actual revenue to deviate from forecast revenue by xx%

KPI: Operating margin
  Description:      To measure the % of revenue which converts into operating income
  Objective:        To ensure that each dollar of Revenue that translates into operating Income (profitability measure) is in line with the targets set by the agency
  KPI calculation:  (Total operating revenue – Total operating expenditure) / Revenue
  Example target:   Operating margin to be greater than or equal to xx%

KPI: Significant revenue items as a % of total revenue
  Description:      This KPI measures significant revenue items as a % of total revenue (e.g. premiums)
  Objective:        To ensure that significant revenue items as a % of total revenue is in line with the target set by the agency
  KPI calculation:  Revenue for specific revenue item / Total revenue
  Example target:   The total significant revenue items as xx% of total revenue or lower (direction)

KPI: Grant monies as a % of total revenue
  Description:      This KPI measures the % contribution that grant monies make to overall revenue
  Objective:        To ensure that the grant monies as a % of revenue is in line with the target set by the agency
  KPI calculation:  Total grant monies / Total revenue
  Example target:   Total grant monies as a % of revenue is in line with the target set by the agency by xx%

Revenue – accounts receivable

KPI: Accounts receivable (AR) cost as a percentage of total revenue
  Description:      This KPI measures the AR processing cost as a percentage of total revenue
  Objective:        To ensure that the cost of AR processing as a % of total revenue is in line with the target set by the agency
  KPI calculation:  Total AR processing cost / Total revenue
  Example target:   The total cost of AR processing as a xx% of total revenue or lower/higher (direction)

KPI: Ageing of receivables
  Description:      This KPI measures the spread of receivables across each “days outstanding” tranche, e.g. 30 days, 60 days or 90 days
                    Lead indicator for bad debts
  Objective:        To monitor the ageing of receivables on a regular basis
  KPI calculation:  N/A
  Example target:   Tranche 1: (xx days): xx%
                    Tranche 2: (xx days): xx%
                    Tranche 3: (xx days): xx%

KPI: Total cost of the AR function as a percentage of sales
  Description:      This KPI measures the cost of an agency's Accounts Receivables function as a percentage of total sales
  Objective:        To ensure that the cost of the AR function as a % of total sales is in line with the target set by the agency
  KPI calculation:  Total AR cost / Total sales
  Example target:   The total cost of the AR function as a xx% of total sales or lower/higher (direction)


Example of KPIs relating to revenue / receivables continued

Revenue – bad debts

KPI: Credit worthiness of customers
  Description:      This KPI measures the creditworthiness of customers
                    Lead indicator for bad debts
  Objective:        To ensure that the provision for bad debts is appropriate and to manage the number of receivables that “go bad”
  KPI calculation:  Total number of customers with a credit rating of > xx / Total number of customers
  Example target:   The % of customers with a credit rating of a xx or higher is xx%

KPI: Bad debts as a % of accounts receivable
  Description:      This KPI measures the percentage of receivables not recovered by the entity, e.g. bad debts “gone bad”
  Objective:        To minimise bad debts as a % of receivables
  KPI calculation:  Total bad debts / Total receivables
  Example target:   Bad debts as a % of total receivables is less than or equal to xx%

KPI: Bad debts as a % of sales
  Description:      This KPI measures the number of receivables not recovered by the entity, as a percentage of sales
  Objective:        To minimise bad debts as a % of sales
  KPI calculation:  Total bad debts / Total Sales
  Example target:   Bad debts as a % of total sales is less than or equal to xx%

KPI: The provision for bad debts greater than xx days outstanding
  Description:      This KPI measures the receivables which may not be recovered by the entity as a % of receivables which are greater than xx days outstanding. This may indicate when the provision for bad debt is understated.
  Objective:        To minimise bad debts as a % of receivables
                    Lead indicator for bad debts
  KPI calculation:  Total provision for bad debt / Total average receivables > xx days outstanding
  Example target:   The provision for bad debts as a % of total receivables > xx days is consistently xx%

Example KPIs relating to expenditure / payables

Expenditure

KPI: On-time payment percentage
  Description:      This KPI measures the percentage of invoices paid on time (within invoice terms)
  Objective:        To maximise the frequency of on-time payment
  KPI calculation:  Total invoices paid on-time / Total invoice payments
  Example target:   The on-time payment percentage is xx% or higher

KPI: AP turnover days
  Description:      This KPI measures how long it takes to pay the vendor, once the liability is established
  Objective:        To ensure that the AP turnover days is in line with the targets set by the agency
  KPI calculation:  Average AP balances / Total purchase costs x 360 days
  Example target:   The AP turnover days is in line with the target set by the agency by xx%

KPI: Ageing of Payables
  Description:      This KPI measures the spread of payables across each “days outstanding” tranche, e.g. 30 days, 60 days or 90 days; this will allow improved visibility over cash flow
  Objective:        To monitor the ageing of payables on a regular basis
                    Lead indicator for on-time payments
  KPI calculation:  N/A
  Example target:   Tranche 1: (xx days): xx%
                    Tranche 2: (xx days): xx%
                    Tranche 3: (xx days): xx%

KPI: YTD expenditure to budgeted expenditure
  Description:      This KPI measures the deviation of expected expenditure to budgeted expenditure
  Objective:        To ensure that YTD expenditure does not deviate significantly to budgeted expenditure and to improve forecasting
  KPI calculation:  (YTD expenditure – budgeted expenditure) / Budgeted expenditure
  Example target:   Variance between actual and budgeted expenditure is xx% or lower





Example KPIs relating to expenditure / payables continued

Expenditure continued

KPI: Total wages expense to Budgeted wages expense
  Description:      To ensure that total actual wages expense does not deviate significantly to budgeted wages expense and to improve forecasting
  Objective:        This KPI measures the deviation of expected wages expenditure to budgeted wages expenditure
  KPI calculation:  (Total wages expenditure – budgeted wages expenditure) / Budgeted wages expenditure
  Example target:   Variance between actual and budgeted wages expenditure is xx% or lower

KPI: Total project expense to Total budgeted/approved expense
  Description:      This KPI measures the deviation of total project expenditure to budgeted/approved project expenditure
  Objective:        To ensure that total project expense does not deviate significantly to budgeted (approved) project expense and to improve forecasting
  KPI calculation:  (Total project cost – total budgeted / approved project cost) / Total budgeted / approved project cost
  Example target:   Variance between actual and budgeted / approved project expenditure is xx% or lower

KPI: Overtime as a % of wages
  Description:      This KPI measures expected expenditure to budgeted expenditure
  Objective:        To ensure that the % of overtime of total wages is in line with the target set by the agency
  KPI calculation:  Total overtime expense / Total wages expense
  Example target:   The overtime expense as xx% of wages or lower

KPI: Total wages expense to Total expenditure
  Description:      This KPI measures total wages expense as a percentage of total expenditure
  Objective:        To ensure that the total wages expenditure as a % of total expenditure is in line with the target set by the agency
  KPI calculation:  Total wages expenditure / Total expenditure
  Example target:   The total wages expense as xx% of total expenditure or lower

KPI: Total contractors expense to Total expenditure
  Description:      This KPI measures total contractors expense as a percentage of total expenditure
  Objective:        To ensure that the total contractors expenditure as a % of total expenditure is in line with the target set by the agency
  KPI calculation:  Total contractors expenditure / Total expenditure
  Example target:   The total contractors expense as xx% of total expenditure or lower

KPI: Foreign exchange gains or losses
  Description:      This KPI measures the foreign exchange gains or losses as a % of total expenditure
  Objective:        To ensure that gains or losses resulting from exposure to changes in foreign exchange rates are within the tolerance thresholds set by the agency. Also measures the effectiveness of management of FX risk (realised and unrealised)
  KPI calculation:  Total gains or losses related to expenditure / Total expenditure
  Example target:   The total gains or losses is within xx%-xx% of total expenditure

KPI: Significant expense items as % of total expenditure
  Description:      This KPI measures significant expense items as a % of total expenditure (e.g. claims)
  Objective:        To ensure that significant expense items as a % of total expenditure is in line with the target set by the agency
  KPI calculation:  Total expense (for specific expense item) / Total expenditure
  Example target:   The total significant expense items as xx% of total expenditure or lower (direction)





Example KPIs relating to cash receipting

 Cash
 KPI: Proportion of cash payments made via electronic means
 Description          This KPI measures the proportion of all cash receipts processed
                      electronically as a proportion of total cash receipts
 Objective            To maximize the efficiency of the cash receipt processing through the
                      use of technology, for example, internet banking
 KPI calculation      Number of cash receipts paid electronically / Total number of cash
                      receipts
 Example target       The number of cash receipts processed electronically is xx% of total
                      cash receipts or higher

 Cash – petty cash
 KPI: Petty cash disbursements
 Description          This KPI measures petty cash disbursements as a percentage of total
                      cash disbursements
 Objective            To ensure that petty cash disbursements are in line with internal
                      requirements (policies and procedures) as set by the agency
 KPI calculation      Total petty cash disbursements / Total cash disbursements
 Example target       Petty cash requests should be less than or equal to xx%

 Cash – liquidity
 KPI: Current ratio (working capital ratio)
 Description          This KPI measures an agency's ability to cover its short-term liabilities
                      with its current assets
 Objective            To ensure that the current ratio complies with target set by the
                      agency
 KPI calculation      Current assets / Current liabilities
 Example Target       The current ratio is xx or higher

 KPI: Quick (acid test) ratio
 Description          This KPI measures an agency's ability to cover its short-term liability
                      with its most liquid assets
 Objective            To ensure that the quick ratio complies with target set by the agency
 KPI calculation      (Current assets – inventory) / Current liabilities
 Example target       The quick ratio is xx or higher

 Cash – liquidity continued
 KPI: Debt as a percentage of net working capital
 Description          This KPI measures the liquidity of an agency
 Objective            To ensure that the working capital ratio complies with agency target set
 KPI calculation      Long term debt (excluding current portion) / Net working capital
 Example target       Ratio is xx or lower

 KPI: Debt/capital ratio
 Description          This KPI measures the leverage of an agency
 Objective            To ensure that the debt to capital ratio complies with agency target set
 KPI calculation      Long term debt (excluding current portion) / Total invested capital
 Example target       Ratio is xx or lower

 KPI: Debt refinancing for the upcoming quarter
 Description          This KPI measures the amount of debt which requires refinancing within
                      the next quarter which will impact on an agency's cash flow
 Objective            To ensure that debt obligations are monitored and managed given their
                      direct impact on the availability of cash
 KPI calculation      Total dollar value of debt expiring within the upcoming quarter
 Example target       Total value of debt is xx or lower

 Cash - cash flow
 KPI: Total Cash flow to budget
 Description          This KPI measures cash flow
                      Lead indicator of solvency
 Objective            To ensure that total cash flow is in line with the budget operating cash
                      flow requirements as set by the agency
 KPI calculation      Total cash flow actuals / Total cash flow budget
 Example target       Total cash flow actuals to budget is within xx%-xx%

 KPI: Operating cash flow (OCF) growth
 Description          This KPI measures the OCF growth over a given period
                      Lead indicator of solvency
 Objective            To ensure operating cash flow growth to meet internal target set by the
                      agency
 KPI calculation      (OCF current period – OCF prior period) / OCF prior period
 Example target       OCF growth to be equal to or greater than xx%


Example KPIs relating to cash receipting continued

 Cash - cash flow continued
 KPI: Net Change in Cash
 Description          This KPI measures the change in cash and cash equivalents within a
                      period
 Objective            To ensure that significant changes in cash and cash equivalents are
                      monitored
 KPI calculation      Cash and cash equivalents at period end - Cash and cash equivalents at
                      the beginning of the period
 Example target       Movement in cash and cash equivalents is within +/-$xx or +/-%xx

 Cash - invoice processing
 KPI: Cash collections cycle
 Description          This KPI measures the average number of days required to collect cash
                      from sales
 Objective            To ensure the cash collections cycle is in line with targets set by the
                      agency (terms)
 KPI calculation      Days taken from date of sale to date of collection of cash
 Example Target       The days taken from date of sale to collection of cash does not exceed
                      xx days

 KPI: Average processing time
 Description          This KPI measures the average time taken to process cash receipts
 Objective            To minimise processing time of cash receipts in accordance with targets
                      set by the agency (where appropriate)
 KPI calculation      (Total time spent on cash receipts processing) / Number of receipts
                      processed
 Example target       Average processing time of cash receipts does not exceed xx hours

Example KPIs relating to liabilities

 (Also see examples in Cash receipting – liquidity)
 Liabilities
 KPI: Current liabilities as a % of total liabilities
 Description          This KPI measures current liability as a % of total liabilities
 Objective            To ensure that the ratio of short-term liabilities complies with the target
                      set by the agency
 KPI calculation      Current liabilities / Total liabilities
 Example Target       The ratio of current liabilities is within xx%-xx%

 KPI: Non current liabilities as a % of total liabilities
 Description          This KPI measures non current liability as a % of total liabilities
 Objective            To ensure that the ratio of liabilities not due in the current year complies
                      with the target set by the agency. This ratio can be used/calculated at
                      an aggregate level or by liability type.
 KPI calculation      Non current liabilities / Total liabilities
 Example Target       The ratio of current liabilities is within xx%-xx%





Example KPIs relating to investments

 Investments - capital
 KPI: The average Net Present Value (NPV) of investments
 Description         This KPI measures the average NPV of investments (i.e. the current
                     value of the expected future cash inflows/outflows associated with the
                     investment)
 Objective           To ensure that the average NPV of investments is in line with targets
                     set by the agency
 KPI calculation     Sum of total investment NPVs / Total number of investments
 Example target      The average investment NPV is greater than $xx

 KPI: The average Pay back period for investments
 Description         This KPI measures the average payback period for investments (i.e. the
                     time taken for the expenditure relating to the investment to be recouped)
 Objective           To ensure that the average payback period for investments is in line
                     with targets set by the agency
 KPI calculation     Sum of total investment payback period / Total number of investments
 Example target      The average investment payback period is less than xx
                     weeks/months/years

 KPI: The average Return on Investment (RoI) of investments
 Description         This KPI measures the average RoI (i.e. the earnings generated by an
                     investment expressed as a percentage of the investment)
 Objective           To ensure that the average RoI of investments is in line with targets set
                     by the agency
 KPI calculation     Sum of total investment RoIs / Total number of investments
 Example target      The average investment RoI is within xx%-xx%

 KPI: The average Internal Rate of Return (IRR) of investments
 Description         This KPI measures the average IRR of investments (i.e. the return
                     required for the NPV to equal zero)
 Objective           To ensure that the average IRR of investments is in line with targets set
                     by the agency
 KPI calculation     Sum of total investment IRRs / Total number of investments
 Example target      The average investment IRR is less than xx%

 Investment - non-capital
 KPI: Short/medium/long term investments as a percentage of total investments
 (deposits)
 Description         This KPI measures short/medium/long term investments as a
                     percentage of total investments (deposits)
 Objective           To ensure that the percentage of short/medium/long term investments
                     (deposits) is in line with targets set by the agency
 KPI calculation     (Sum of short/medium/long term investments) / Total number of
                     investments
 Example target      The percentage of short/medium/long term investments is within xx%
                     and xx%

 KPI: The average rate of return for investments (deposits)
 Description         This KPI measures the average rate of return for investments (deposits)
 Objective           To ensure that the rate of return for investments (deposits) is in line with
                     targets set by the agency
 KPI calculation     Sum of total investment returns / Total number of investments
 Example target      The average rate of return for investments (deposits) is greater than xx%





User guide to Standing Direction 4.5

Financial Management Compliance Obligations
Including:
4.5.1            Direction Requirement 26                                Compliance with Directions
4.5.2            Direction Requirement 27                                Taxation
4.5.3            Direction Requirement 28                                Purchasing Card
4.5.4            Direction Requirement 29                                Thefts and Losses
4.5.5            Direction Requirement 30                                Risk Management Compliance
4.5.6            Direction Requirement 31                                Treasury Risk Management




FMCF User Guide: Standing Direction 4.5 (Direction Requirements 26 to 29) – Financial Management Compliance Obligations   154
Version 1 (September 2009)
User guide to Standing Direction 4.5.1
Direction Requirement 26

Compliance with Directions




FMCF User Guide: Standing Direction 4.5.1 (Direction Requirement 26) – Financial Management Compliance Obligations Compliance with Directions   155
Version 1 (September 2009)
                                               Supplementary material to be used as guidance only
                                                              Compliance with Directions
Introduction
The Standing Directions of the Minister for Finance (the Directions), under
Direction 4.5.1, require agencies to certify that they have complied with all
applicable Directions. The Direction specifically requires agencies to:
   • certify annually, using the form provided by DTF for the purpose, that
     they have complied with all applicable Directions
   • conduct an annual review of their obligations under these Directions
   • identify and rectify any failure or deficiency in complying with
     these Directions.
Certification of compliance should be made annually to the Responsible
Body or relevant delegate e.g. Audit Committee.

Agencies subject to the Financial Management Compliance Framework
(FMCF) are also required to annually certify compliance with these
Directions to their Minister.

This material provides guidance in relation to:
   • compliance with Directions
       - Direction Requirements
   • compliance levels
       - definitions
       - determining compliance level
       - documentation
       - partially or not compliant certification responses
   • certification
       - overview
       - annual FMCF certification process
       - certification requirements for newly created or structurally changed
         agencies.

Compliance with Directions
Entities are required to comply with each of the mandatory components of
the Directions.

Direction Requirements
Direction Requirements have been developed to assist and simplify annual
certification against the Directions. The Direction Requirements
incorporate the key themes and principles from the Directions.

The Direction Requirements included in the annual certification process
are outlined in the Certification Checklist.

Each Direction Requirement has a:
   • high level requirement that is used for certification
     purposes i.e. agencies submit their level of compliance against each
     high level requirement
   • number of elements (mandatory requirements) that must be
     considered when certifying the level of compliance. These elements
     are taken from the detail within the Directions.



Compliance levels

Compliance level definitions
Agencies are required to certify their level of compliance against each of
the Direction Requirements in the annual certification process.
The compliance level definitions are detailed in the table below:

 Compliance      Definition                           Additional information
 level
 Compliant       A compliant level of compliance
                 means that the agency is fully
                 compliant with all elements
                 within the Direction and Direction
                 Requirement.

 Partially       A partially compliant level of       Direction Requirements that are
 Compliant       compliance means that the            certified (in the annual certification
                 agency is partially compliant        process) as not compliant or
                 with any element within the          partially compliant must contain
                 Direction and Direction              information that outlines:
                 Requirement as at 30 June.           • reasons for the partial
                                                        compliance or non-compliance
 Not             A not compliant level of             • rectification plans to achieve full
 Compliant       compliance means that the              compliance.
                 agency is not compliant with         Note: These responses should be
                 any element within the               added in the comments field in the
                 Direction and Direction              Compliance Monitoring System
                 Requirement as at 30 June.           and/or Certification Checklist.

 Not             A not applicable compliance level    Direction Requirements that are
 Applicable      means that the Direction is not      certified (in the annual certification
                 applicable to the agency.            process) as not applicable must
                 This response is only appropriate    detail reasons for the response.
                 for a limited number of Directions   Note: If the response is not
                 and Direction Requirements.          applicable due to an exemption,
                                                      please provide details regarding
                                                      the exemption e.g. date, period of
                                                      exemption, etc.

Determining compliance levels
To determine the compliance level for each Direction Requirement
agencies need to:
   • use the certification checklist to review compliance against each
     element within a Direction Requirement
   • assess the overall compliance of the Direction Requirement based on
     the compliance levels of the elements i.e. are all, or a majority, or less
     than a majority of elements within the Requirement compliant?
   • select a compliance level based on the definitions.
Note: Any queries relating to compliance responses should be directed to
portfolio coordinators.

Documentation of compliance levels certified
Agencies should maintain a documentation trail to support the level of
compliance certified each year. Documentation could be in the form of
references to relevant policies, meeting minutes, files, etc.

This could be recorded in the comments section of the
certification checklist.

Partially compliant and not compliant certifications
The focus for agencies with areas of partial or non compliance is to
address the issues through the development and implementation of action
plans that will effectively achieve compliance with the Directions.

Agencies are expected to actively work towards and be
able to demonstrate progress in becoming fully compliant with the
Directions over time.

Where an agency is partially or not compliant with the Directions,
consideration should be given to disclosing the compliance level to the
Auditor-General prior to an audit. This would assist:
   • in maintaining an open and constructive relationship with the
     Auditor-General (as per Direction 2.6 – External Audit)
   • in ensuring that the Auditor-General is provided with all relevant
     information that could potentially influence a positive outcome
     for the entity.
Certification

Overview

Agencies are required to certify their compliance against the Directions,
through the Direction Requirements, on an annual basis to their
portfolio Minister.

Portfolios each report their FMCF status to the Minister for Finance via the
Department of Treasury and Finance (DTF).

The diagram below details the process:

           1. Department / Agency
 Complete certification process with a letter prepared
  by the Department / Agency and signed off by the
        Accountable Officer (Secretary / CEO)
   Timing: between 1 July and 30 September each year

                    2. Portfolio
  Portfolio summary report prepared by the portfolio
    and signed off by the Departmental Secretary               Portfolio
           on behalf of the Portfolio Minister                 Minister
            Timing: by 31 October each year

           3. Whole of Government
     Whole of government report prepared by                    Finance
   DTF and approved by DTF's Secretary for the                 Minister
               Minister for Finance

Certification period and financial year end
The FMCF compliance year is from 1 July to 30 June i.e. agencies must
certify their compliance with the Directions (through the Direction
Requirements) as at 30 June.

For certification purposes, the last set of annual financial
accounts/statements must be used to certify against relevant Direction
Requirements in Sections 2 and 4.

Certification approval and sign-off

The Chief Executive Officer of each entity is required to approve and
sign the FMCF certification letter and exceptions compliance
summary attachment.

The Responsible Body or delegate e.g. Audit Committee must also review
and approve the certification.

Annual certification process – Compliance Monitoring System

The annual certification process contains a number of parts including:
   • Complete review requirements
   • Assess compliance
   • Obtain sign-off
   • Complete and submit certification.
Please refer overleaf for a detailed outline of each part of the process.

Agencies use the Compliance Monitoring System (CMS) to complete their
certification. The CMS is an online tool that is accessed through a website.

It is suggested that agencies obtain approval for the certification from the
CEO and Audit Committee once they assess their compliance prior to
entering the detail into CMS (as per process overleaf).

The CMS generates a certification letter and exceptions compliance
summary attachment. The certification letter is a standard template that is
populated with an agency's compliance details.

The compliance summary attachment is an exceptions report that details
rectification plans and reasons for partially or not compliant responses.
Agencies are able to add additional comments to the certification letter and
exceptions report.

Note: The CMS is open to agencies from 1 July to 30 September annually.
Please refer to the FMCF certification tools section of the FMCF toolbox
for further information.
        Annual FMCF Certification Process

         The following flowchart outlines the steps within the annual FMCF certification process at the agency and portfolio level.
         The timing of tasks is provided as a guide.

         Please refer to guidance material in the FMCF toolbox for further information

                                                                                          Agency process

         When?             Throughout the year                      June – July                                July – August                             August – September

         What?
                             Complete review                                                                                                                   Complete and
                                                                     Assess compliance                             Obtain sign-off
                              requirements                                                                                                                   submit certification


         How?        There are requirements within the FMCF    The FMCF „Compliance Certification           7. Obtain required approval e.g. Board/   9. Complete online certification via the
                     to complete reviews over a number of      Checklist‟ provides detailed guidance of        Audit Committee upon completion of        Compliance Monitoring System
                     areas throughout the year e.g. policy     compliance requirements for each                the „Compliance Certification             (CMS) website:
                     documents, and                            Direction                                       Checklist‟                                www.cms.dtf.vic.gov.au.
                     the financial risk profile (see
                     Supplementary Material flyer for          4. Use the „Compliance Certification         8. Finalise detailed sign-off over        10. Provide signed certification letter
                     Direction review requirements)               Checklist‟ to review the compliance          Direction 2.2 (d) & (w) including:         and exception compliance summary
                                                                  status against each of the mandatory         - internal controls                        attachment (where applicable) to the
                     1. Complete relevant reviews                 elements within the 29 Direction             - risk management                          relevant Portfolio Minister and
                                                                  Requirements                                                                            copied to the Portfolio Coordinator
                     2. Where required obtain endorsement                                                      - financial statements
                        by the                                 5.    Determine the compliance level                                                      Note: The compliance summary attachment is
                        CEO/CFO (or delegate)                                                                                                            an exceptions report that details rectification
                                                                    (compliant, partially compliant, not                                                 plans and reasons for partially or not compliant
                        or the Board/Audit Committee                compliant) using results from Step 4                                                 responses. Agencies can also add further
                                                                    and complete the „Certification                                                      comments in this attachment.
                     3. Keep documentation supporting
                                                                    Checklist‟ as at 30 June
                        evidence of these reviews
                                                               6. Ensure there is evidence to support
                                                                  the compliance levels certified (where
                                                                  relevant)


                                                                                 Department / Portfolio Process

         When?                September                                                                                              October

         What?                     Agency compliance                                            Portfolio summary report                                Portfolio summary report
                     11.       certification received by the                        12.          prepared by Portfolio                        13.     presented to the Minister for
                                Portfolio Minister via the                                    Coordinator and signed off by                           Finance and copied to DTF
                                  Portfolio Department                                         the Department Secretary


Certification requirements for newly created or structurally changed agencies

Agencies created during the compliance year
Agencies created during a compliance year that are required to comply with the FMCF must apply the FMCF from the date of establishment.
The FMCF is mandatory for agencies:
• that are a Government Department or are defined as a public body in Section 3 of the Financial Management Act
• that feed into Victoria's Whole-of-Government Consolidated Annual Financial Report.

Merger of agencies during the compliance year
In cases where 2 or more agencies are merged during a compliance year, i.e. between 1 July and 30 June, a single FMCF certification is required for the merged agency.
The certification must reflect the compliance environment of the newly merged agency. The certification should detail the reasons for the compliance level and state the details of the merger. Any relevant instances of non-compliance identified by the agencies prior to the merger should be documented in the certification.

Partially merged agencies
Where agencies partially merge, a certification for each agency is required.
Certification should reflect the compliance status of the agencies as at 30 June and detail any areas that are partially or not compliant. The certification should detail the reasons for the compliance level and state the details of the merger.

Departmental division moves to a different Department
Departments should detail the level of financial management compliance achieved by all their divisions as at 30 June in the certification.
The certification should include divisions that have moved from one department to another during the compliance year.

Agency moves Portfolios
Agencies that move to a different portfolio during a compliance year should certify to the portfolio to which the agency belongs as at 30 June. The certification should incorporate the compliance status for the entity for the entire compliance year.

Closing of an agency
Agencies that close during a compliance year should contact DTF for advice to determine if certification is required for that financial year, and to arrange access to the Compliance Monitoring System if necessary.

Note: The Compliance Monitoring System (CMS) will be updated to reflect any changes to agencies and portfolios prior to 30 June certification.





User guide to Standing Direction 4.5.2
Direction Requirement 27

Taxation




FMCF User Guide: Standing Direction 4.5.2 (Direction Requirement 27) - Financial Management Compliance Obligations Taxation   161
Introduction

The Standing Directions of the Minister for Finance (the Directions) require agencies to demonstrate compliance with Commonwealth Government taxation obligations and concessions (Direction 4.5.2, Direction requirement 27).
The Direction stipulates that agencies must:
• annually review compliance with taxation and concession requirements
• annually certify that taxation compliance and concession requirements have been met
• develop and maintain taxation policies and procedures
• develop and implement a taxation education program
• identify and rectify any taxation compliance issues.

Taxation Compliance Rules

A set of Taxation Compliance Rules (the Rules) supplement Direction 4.5.2 to assist agencies in meeting the requirements.

The Rules set out principles and specific procedures to follow so that compliance with the Direction is achieved. Specifically, the Rules assist VPS agencies to meet their compliance obligations in relation to:
• Australian Business Number (ABN);
• Goods and Services Tax (GST);
• Pay As You Go (PAYG);
• Fringe Benefits Tax (FBT);
• Deductible Gift Recipient (DGR);
• Income Tax Exempt Charity (ITEC); and
• Fuel Tax Credits Scheme (FTCS).

Application of taxation compliance rules

The Rules apply to agencies that must comply with the FMCF, that is agencies that:
• meet the 'public body' definition contained within section 3 of the Financial Management Act 1994, and
• have an Australian Business Number (ABN), and
• have Commonwealth taxation obligations (including GST, FBT and PAYG).

Compliance requirements

Compliance with the Taxation Direction and Procedure is monitored through the Taxation Compliance Rules and associated guidance.

The Tax Compliance Review Questionnaire is used to assess compliance with the Rules. This should be the starting point of the annual taxation compliance assessment process.

Certification of compliance should be made annually to the Responsible Body and/or Audit Committee (or equivalent).

Ultimate responsibility for taxation compliance rests with the agency. Accordingly, it is anticipated that the Chief Finance and Accounting Officer, the Accountable Officer and the Audit Committee are actively involved in taxation compliance matters.

More information

The Taxation Compliance Rules are available in the “Standing Directions and associated Rules” section of the FMCF toolbox.




User guide to Standing Direction 4.5.3
Direction Requirement 28

Purchasing card




FMCF User Guide: Standing Direction 4.5.3 (Direction Requirement 28) – Financial Management Compliance Obligations Purchasing Card   163
Purchasing card

Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.3, require agencies that operate purchasing cards to:
• establish a facility account, with a maximum monthly account limit, with the Card provider
• ensure only one Card is issued to employee cardholders:
  - that are approved
  - with maximum limit of $25,000 per card, unless approved by the Minister for Finance
  - that have a financial delegation and that individual transaction limits do not exceed this delegation
  - requiring supporting documentation for all transactions and ensure expenditure is approved under delegates prior to settling the monthly account with the Card provider
• ensure cardholders use the Card for official business and that purchases of goods and services are for Government purposes.

Monitoring and certification
Agencies must:
• ensure adequate monitoring and security procedures are in place
• include a review of the Card scheme and the use of cards issued in the internal audit program
• certify annually that they have followed the Purchasing Card procedure.

Unauthorised use
The Direction also requires that:
• any instance of unauthorised use [46] of a purchasing card must be reported to the Minister for Finance and the audit committee following an inquiry by the accountable officer
• all instances of unauthorised use of purchasing cards for the period ending 30 June are to be reported annually to the Minister for Finance.

Note: All reports of unauthorised use of purchasing cards should also be provided to the Audit Committee.

Internal controls for purchasing cards
When implementing the necessary internal controls for the Card, Public Sector Agencies and cardholders are to apply the principles set out in the Purchasing Card Rules for Use and Administration (the Rules), issued by the Department of Treasury and Finance.
The Rules outline guiding principles and procedures that should be followed in relation to the use and administration of the Card.

Purchasing Card Rules for Use and Administration
The Purchasing Card Rules for Use and Administration (the Rules), supplement Direction 4.5.3 and have been developed to assist cardholders and agencies in the interpretation and application of the legislative requirements.
The Rules aim to ensure agencies administer procurement using purchasing cards within a controlled environment of strict procedures and guidelines, with clear consequences for public servants or statutory officers who misuse cards.

[46] An instance of unauthorised use is defined in Section 7 'Unauthorised Use' of the Purchasing Card Rules for Use and Administration.
Key principles for conduct
The following key principles are outlined in the Rules for conduct of cardholders:
• cardholders must always act in the interests of the State, as opposed to their own personal interests or convenience; and
• cardholders must perform their duties honestly, with skill and care.

Liability for charges
The liability for any charges on purchasing cards rests with the State and
not the individual cardholder. For this reason, the Rules must be strictly
adhered to as a means of limiting the financial exposure of the State.

More information
The Purchasing Card Rules for Use and Administration are available in the
“Standing Directions and associated Rules” section of the FMCF toolbox.
Please contact your portfolio coordinator directly if you have problems
with access.




User Guide to Standing Direction 4.5.4
Direction Requirement 29

Thefts and Losses




FMCF User Guide: Standing Direction 4.5.4 (Direction Requirement 29) – Financial Management Compliance Obligations Thefts and Losses   166
Thefts and Losses

Introduction
The Standing Directions of the Minister for Finance (the Directions), under Direction 4.5.4, require the Responsible Body to ensure all cases of suspected or actual theft, arson, irregularity or fraud in connection with the receipt or disposal of money, stores or other property of any kind whatsoever under the control of the agency are notified to the Minister for Finance and the Auditor-General.

Notification requirements
Where the receipt or disposal of money is:
• equal to or exceeds $1,000, the incident must be reported at the time of the occurrence and an incident report must be submitted within 2 months; or
• less than $1,000 the incident must be reported annually for the period ending 30 June together with an incident report.

For stores and property of any kind with a value:
• equal to or exceeding $20,000, must be reported at the time of occurrence and an incident report must be submitted within 2 months; or
• less than $20,000 must be reported annually for the period ending 30 June together with an incident report.

Incident report
The incident report must outline:
• whether internal controls and systems:
  - have been reviewed
  - have identified weaknesses and that have or will be rectified
• the status of any proceedings, investigations or disciplinary actions
• what has been recovered, whether by way of money, stores, other property or insurance
• any other information that it appears appropriate to include.

Notification reports and incident reports provided to the Minister for Finance and the Auditor-General should also be provided to the relevant Minister.

Thefts and Losses Rules
Direction 4.5.4 is supplemented by a set of Thefts and Losses Rules (the Rules) which have been developed to assist agencies.
The Rules set out the principles and procedures to be followed in relation to the thefts and losses monitoring and reporting requirements.

More information
The Thefts and Losses Rules are available in the “Standing Directions and Rules” section of the FMCF toolbox.

This supplementary material contains the following:
• Attitudes to fraud
• Definition of fraud
• Fraud control framework
  a. Fraud Control Policy
  b. Responsibility Structures
  c. Fraud Monitoring
  d. Fraud Risk Profile
  e. Employee Awareness
  f. Fraud Reporting Systems
  g. External Requirements
  h. Investigation Procedures
  i. Code of Conduct and Discipline Procedures

This outline of a fraud control framework serves to raise awareness of, and therefore minimise, the consequences of fraudulent or corrupt behaviour in relation to the conduct of public service sector agencies' business or activities.
Attitudes to fraud

State Government
The Victorian State Government is committed to the aims and objectives of good corporate governance. It does not tolerate improper conduct by its employees and recognises the value of transparency and accountability in its administrative and management practices.

This supplementary material has been developed:
• to assist agencies in developing a fraud control framework to suit the particular operational requirements and circumstances of their business; and
• to assist agencies in reviewing, revising and implementing their own fraud control framework.

Agencies
Effective fraud control requires the commitment and involvement of all public service sector agencies, employees and external service providers. All agencies are potentially exposed to losses as a result of fraud and corruption which may have an impact on reputation and inappropriate or inefficient use of financial or physical resources. Agencies should be committed to minimising the risk of fraud, not tolerating any act of internal fraud or corrupt conduct and take steps to manage the risks of external fraud.

The guidelines for unacceptable behaviour are outlined in the Victorian Public Service Code of Conduct which is the standard by which public sector behaviour is measured.

Definition of fraud
For the purpose of this supplementary material, fraud against the State of Victoria is defined as “dishonestly obtaining a benefit by deception or other means.”
This definition includes, but is not limited to, the following types of fraud:
• theft
• obtaining property, a financial advantage or any other benefit by deception
• providing false or misleading information to the State Government, or failing to provide information where there is an obligation to do so
• causing a loss, or avoiding or creating a liability by deception
• creating, using or possessing forged or falsified documents
• bribery, corruption or abuse of office
• unlawful use of public sector equipment including interfering with or hacking into computers, misuse of vehicles, telephones and other property or services
• relevant bankruptcy offences; and
• any offences of a like nature to those listed above.

Fraud can be perpetrated by:
• a public sector employee against a public sector agency or its programs
• an agency or external individual against such an agency or its programs
• a contractor or service provider against an agency or its programs
• any combination of the above, acting in collusion or otherwise.




Fraud control framework
It is vital that public sector agencies establish a fraud control framework to protect themselves against loss or reputation damage. The strategy should include a range of proactive and reactive strategies designed to mitigate fraud.

The following table outlines the components of a fraud control framework. Each component is discussed in detail in sections (a.) to (i.) in this supplementary material.

Please note that this list is a guide only and there are many other steps that an agency can incorporate into their own framework to minimise fraud and tailor to their individual requirements, such as the introduction of a conflicts of interest policy.

a. Fraud Control Policy
   As a part of the fraud control framework an agency should adopt a fraud control policy that integrates components of the framework and is designed to meet the specific needs of the organisation.
b. Responsibility Structures
   An agency should define the organisational responsibility for fraud control to implement and give effect to a fraud control framework.
c. Fraud Monitoring
   Ongoing fraud monitoring activities can be encompassed into existing assurance programs.
d. Fraud Risk Profile
   Developing a fraud risk profile includes undertaking a fraud risk assessment across areas of the organisation on a periodic basis, e.g. every 2 years. The assessments examine the internal and external fraud risks (employee and contractor/customer fraud) and also the potential for collusion.
e. Employee Awareness
   Fraud awareness training for all employees is essential to provide an understanding of what constitutes fraud and to assist in recognising fraudulent behaviour.
f. Fraud Reporting Systems
   A fraud control framework should have internal and external reporting arrangements which include formal and informal mechanisms for reporting fraud.
g. External Requirements
   Policies and procedures should include consideration of the requirement to report incidents of fraud or corruption to external authorities.
h. Investigation Procedures
   Formalised, documented procedures for internal investigations including reporting matters to the police and other external parties should be implemented as a part of the framework.
i. Code of Conduct and Discipline Procedures
                                                                                                       An agency‟s Code of Conduct should support a culture of honesty and
                                                                                                       integrity where fraud, corruption and dishonest acts will be detected,
                                                                                                       investigated and if required, disciplined.




FMCF User Guide: Standing Direction 4.5.4 (Direction Requirement 29) – Financial Management Compliance Obligations Thefts and Losses                                                    169
Version 1 (September 2009)
a.   Fraud Control Policy
A fraud control policy designed to meet the specific needs of an agency should be developed and implemented.
The table below provides an example of a structure for fraud control policy and procedures.

Example of potential structure for fraud control policy and procedures        Included

Executive summary
  • Introduction to Policy  [ ]
  • Objectives of the policy, e.g. management's commitment for its responsibility towards identifying fraudulent activity and establishing procedures for prevention and detection.  [ ]
  • Definition of Fraud  [ ]
  • Agency's statement of attitude towards fraud, which may incorporate and/or refer to the Code of Conduct  [ ]
  • Responsibility structures including:  [ ]
      - Appointment of Fraud Control Officer and/or external support role
      - Fraud control responsibilities
Fraud Control Strategies
  • Fraud monitoring activities including:  [ ]
      - Internal audit reviews
      - Internal compliance reporting
      - External obligation requirements
  • Fraud risk profiling and assessment  [ ]
  • Implementation of proposed actions  [ ]
  • Employee awareness and conduct  [ ]
Fraud Reporting
  • Procedures for internal reporting of fraud  [ ]
  • Procedures for external anonymous reporting  [ ]
  • Protection for discloser reporting suspected fraud (see whistleblowers)  [ ]
  • Procedures for reporting to police and external parties  [ ]
  • Reporting requirements  [ ]
Fraud Investigation
  • Procedures for internal investigations and reporting to external parties  [ ]
  • Documentation of results of investigation  [ ]
Disciplinary matters  [ ]

b.   Responsibility Structures
The Accountable Officer and the Responsible Body are responsible for the system of internal control, which includes the prevention and detection of fraud. The Audit Committee also plays a role in the oversight of the operation and implementation of the risk management framework.

Agencies should ensure that appropriate resources are allocated to fraud monitoring and control.
Each agency should allocate appropriate personnel to:
  • implement their fraud and corruption control initiatives
  • coordinate the fraud risk assessment procedures
  • record fraud incident reports, and
  • conduct investigations of allegations of fraud.

Allocation of these resources may also require the assistance of specialist skilled internal or external resources to the agency. Alternatively existing staff may need to be trained to perform these roles.

Larger agencies should consider appointing a Fraud and Corruption Control Officer who can implement practical fraud and control procedures, as well as training of all staff in identification of risks.
When defining the responsibility structure an agency may wish to bear in mind that management are responsible for the prevention of fraud, however operational line management are often in a better position to prevent and detect fraud by monitoring the continued operation of controls to prevent fraud.
The Audit Committee are also responsible for overseeing an agency's operation and implementation of their risk management framework.


c.   Fraud Monitoring
Reviews for the monitoring and prevention of fraud can be encompassed into an agency's assurance programs and should also be reflected in the responsibility structure.

Agencies can ensure fraud is monitored through existing assurance programs such as internal audit, internal review and other review mechanisms. Ideas for the scope of these reviews include:
  • proactive fraud detection can be achieved by performing regular data mining reviews using an automated detection program. This program assists an agency to identify anomalous transactions and other data records that appear to be suspicious and therefore might be worth further investigation
  • fraud risk reviews should be undertaken on a recurring basis to regularly monitor all agency processes
  • monitoring of calls to the whistleblowers hotline
  • regular screening of new and/or promoted employees.

d.   Fraud Risk Profile
A fraud risk profile includes the completion of a fraud risk assessment which identifies weaknesses in procedures and controls and links them to risks across functions within an organisation.

When preparing a fraud risk profile high risk functions should be considered to determine what controls are in place to prevent, detect, or deter fraudulent activity.

An assessment of whether the controls in place are sufficient can then be made and an agency can determine if fraud control obligations can be met and whether external support is required to determine the fraud risk profile. Each agency's requirements will vary when developing a fraud risk profile.

The table below outlines potential steps to consider when developing a fraud risk profile.

Example of potential steps to consider when developing a fraud risk profile        Included

1.   Consideration of the size of the agency  [ ]
       • are the internal controls robust in a large agency?
       • are there any set guidelines to follow in a small agency?
2.   Determine the number of staff working for an agency and identify associated risks  [ ]
       • does the agency enforce segregation of duties?
       • in a small agency are there only a few staff responsible for accounting procedures?
       • in a large agency are staff rotated on a regular basis to reduce the chances of supplier familiarity which can lead to improper relationships?
3.   Management accountability  [ ]
       • has management effectively implemented the agency's antifraud controls?
       • is the code of conduct adhered to?
       • has it been demonstrated that internal controls are important?
4.   Undertake a fraud risk assessment – identify the risks  [ ]
     A fraud risk assessment considers fraud schemes and circumvention of existing controls.
     The fraud risk assessment should be conducted on a systematic basis and could include:
       • interviews with agency employees at different levels to identify risks relevant to their role and area
       • the identification and risk assessment of the reliance on process of each area within the agency
       • identification of possible fraud risks that might occur in a typical administrative situation
       • review outcomes of previous risk treatment activities.




Example of potential steps to consider when developing a fraud risk profile (continued)        Included

5.   Undertake a fraud risk assessment – rate the risks  [ ]
     Assessment of the probability and impact of the fraud needs to be considered. Risk weightings can be assigned to each fraud risk, such as:
       • probable (rating 1)
       • reasonably possible (rating 2)
       • remote (rating 3).
     The impact and significance of fraud should also be identified. This could be completed:
       • by focussing on one area within a fraud risk profile at a time (e.g. HR)
       • consider all the fraud risks associated with that area
       • consider existing control measures to mitigate the risks
       • assess whether the control measures are actively in place
       • assess the rating of the control measure using the rating weightings
6.   Consideration of circumvention and overriding of controls by management.  [ ]
     Effectively designed internal controls should be in place to respond to the assessment of risk of management override.
7.   Fraud control plan  [ ]
     Following the risk assessment and evaluation of potential fraud risks, a fraud control plan should be implemented.
     These control activities should be designed and implemented to mitigate identified fraud risks. The risks acknowledged in the fraud control plan should be monitored on a regular basis to ensure new risks are identified.

Areas and elements within a fraud risk profile
A fraud risk profile considers the potential for fraud across areas within an organisation.
A potential fraud exposure can be described as an element.

The table below outlines examples of areas and potential fraud elements within an area and can be used to assist in the development of a fraud risk profile.

Area               Example of elements of potential fraud within an area

Payroll
  • Duplicate payroll payments for personal gain
  • Continued payments to employees who have been terminated
  • Fraudulent payments in excess of authorised salary
  • Excessive payments of overtime as a proportion of gross salary
  • Fictitious employees on payroll
Accounts Payable
  • Lack of segregation of duties between accounting processes
  • Creation of fictitious invoices or bogus vendors
  • Duplicate invoice numbers and payments
  • Payments to vendors where the bank account matches the account number of an employee and the vendor name is different from the employee name
  • Favourable payment of invoices (within 5 days)
  • Misuse of purchasing card / cab charges / travel and expense claims
  • EFT fraud
  • Misappropriation of funds
Petty cash
  • Poor controls over cash under lock and key
  • Lack of segregation of duties from receiving cash, issue of receipts and bank deposits
  • Regular reconciliations not performed
  • Infrequent cash deposits, allowing cash to accumulate
Accounts Receivable
  • Lack of control or system processes over generation of invoice numbers
  • Lack of segregation of duties between processing of accounts receivable, posting to ledger and issuing of receipts
  • Frequent credit notes and write offs
  • No reconciliation of accounts receivable sub ledger to general ledger control account




Area               Example of elements of potential fraud within an area (continued)

Physical Assets
  • Poor controls over asset records
  • Personal use of assets
  • Theft of assets
  • Unlawful disposal of assets
  • Falsification of asset statements
Tendering and Contracting
  • Selection of a preferred supplier for personal gain, e.g. kickbacks
  • Paying the contractor more than what they are entitled
  • Payment to supplier of services not performed
  • Conflicts of interest
  • Misuse of sensitive information in contracting
  • Fraudulent dealing in relation to capital projects
  • Collusion between employees and contractors
Communications
  • Unauthorised acquisition of information
  • Fraudulent release of information
  • Fraudulent application of sponsorships/donations
HR
  • Pre-employment screening
  • Fraudulent recording of attendance and/or changes to leave entitlements
  • Fraudulent worker's compensation claims
  • Unauthorised disclosure of confidential employee information for profit
Information Technology
  • Unauthorised release of login and password details
  • Inadequate controls over software resulting in unauthorised staff accessing systems
  • Downloading of inappropriate material from the internet
  • Installation of pirated software on organisation's computers
  • Theft of data, hardware, software
  • Manipulation of output from IT processes for fraud
Motor vehicles
  • Unauthorised private use of vehicles
  • Theft or substitution of accessories or tools
  • Use of petrol card for private vehicles
  • Falsification of vehicle logs

Detailed elements within an area
In order to explain how an element within an area can be included in a fraud risk profile an example on pre-employment screening has been provided below.

Area:           HR
Element:        Pre-employment screening
Explanation:    Pre-employment screening is the verification of a candidate's background for employment purposes. The screening of potential employees has proven to be a valuable risk management tool and is considered by experts to be the most effective way of minimising and guarding against potential security risks by identifying undesirable employees before they join the organisation.

Potential steps for a pre-employment screening process
1.   Development of an effective pre-employment screening process for employees before the commencement of employment, promotion and prior to the completion of the probationary period, paying particular attention to those positions with higher risk exposures.
2.   Enquiries should be undertaken as part of the employment process to verify identity, credentials and validate employment history.
     These checks could include:
       • the verification of two forms of identification such as a driver's licence or a passport
       • a Victoria Police criminal history search
       • verbal reference checks with the candidate's last two employers
       • consideration and the reasons for any discrepancies or gaps in employment history provided on the candidate's curriculum vitae
       • confirmation of any formal qualifications obtained.

A review of a fraud risk profile for the element in this area would include examination of documented procedures and testing of controls.




e.   Employee Awareness
Employee awareness about fraud is important for the prevention and control of both internal and external fraud.

For a fraud awareness program to be effective training should be delivered to all staff initially.

It is important to update and present the program on a regular basis to ensure the continuing identification of fraud weaknesses and development of controls (from regular fraud risk assessments) is communicated. The agency should determine its own regularity for fraud awareness training.

Induction programs for new staff could include information and training about fraud prevention, detection and reporting of fraud or corruption as well as employee malpractice.

A fraud awareness program for employees could include information about the following:

Considerations for developing a fraud awareness program for employees        Included

Fraud awareness training should be provided to all staff.  [ ]
Development of a training program to raise the level of awareness of fraud issues to assist employees to identify, prevent and control fraud.  [ ]
Fraud Awareness Training should cover:  [ ]
  • Culture and ethics
  • Code of conduct
  • Identification of fraud
  • Prevention
  • Detection
  • Fraud profiles, e.g. behavioural characteristics
  • Responsibility structure
  • Reporting and obligations
  • Consequences.
Short training sessions (1 to 2 hours) should be scheduled on a periodic basis.  [ ]
Supporting documentation should be available on hard copy and available on intranet.  [ ]
A record of the training sessions, including dates and attendees should be kept.  [ ]

f.   Fraud Reporting Systems
A fraud control framework should have internal and external reporting arrangements which include formal and informal mechanisms for reporting fraud.

It should also include documented procedures for the receipt, retention and treatment of complaints and confidential, anonymous disclosures of concern by employees or external third parties. Best practice is the establishment of an independent ethics/whistleblower hotline to allow employees to make protected disclosures in relation to unethical behaviour.

Agencies need to ensure that all employees are able to report suspicious behaviour or unethical conduct. This could include reporting through the agency's usual organisation structure or internal/external anonymous reporting channels, for example, a whistleblower hotline discussed earlier.

Whistleblower
Agencies should encourage employees to report suspicions of fraud and the Whistleblowers Protection Act 2001 (the Act) provides protection to employees making disclosures of improper conduct by public bodies or public sector employees.

The 3 key areas of inappropriate conduct falling within the realm of whistleblower reporting are:

1.   “Improper conduct by a public body or public official”.
     This incorporates conduct that is corrupt, a substantial mismanagement of public resources, or conduct involving substantial risk to public health or safety or to the environment.
2.   “Corrupt conduct”
     Includes conduct that adversely affects the honest performance of a public officer's or public body's functions, conduct that amounts to a breach of public trust or misuse of information or material acquired in the course of their official functions; the performance of an employee's functions dishonestly or with inappropriate partiality, a conspiracy or attempt to engage in any of the aforementioned conduct.
3.   “Detrimental action”
     A detrimental action makes it an offence for a person to take action against a person in reprisal for a protected disclosure, including action causing injury, loss or damage, intimidation or harassment; and discrimination or disadvantage in relation to a person's employment, including taking disciplinary action.
The following table outlines steps to consider when developing a policy and procedures for whistleblower reporting.

Included   Steps to potentially consider when developing whistleblower’s policy and procedures:
[ ] 1. Establishment of a policy which outlines the agency’s commitment to a culture of corporate compliance and ethical behaviour.
[ ] 2. A statement in the policy which determines unethical behaviour and encourages reporting to approved personnel.
[ ] 3. A statement emphasising the benefits and significance of a whistleblower system. The policy should also encourage immunity for whistleblowers.
       The objectives of a whistleblower system are to:
       • encourage reports of corruption and illegal practices that can cause loss to an agency or reputation damage
       • enable an agency to protect the identity of the whistleblower
       • enable an agency to protect the whistleblower from reprisal
       • provide the framework including the nomination of a Coordinator, Welfare Officer and Investigator as well as alternative means of reporting.
[ ] 4. Provision of resources to support a whistleblowers procedure that include the appointment of a whistleblower protection officer, a whistleblower investigations officer; an internal reporting line, regular training for all relevant employees and a mechanism for appeals.
[ ] 5. Establishment of reporting mechanisms which detail how and where to report suspicions of fraud. Details of these mechanisms should be communicated to all employees and be easily accessible, e.g. an intranet site.
[ ] 6. A policy statement guaranteeing that the reporting of reportable conduct will be held in the strictest confidence.
[ ] 7. Communication by the agency that the whistleblower will be kept informed of the outcomes of investigation.
[ ] 8. Reported conduct should be investigated by the Whistleblower Investigations Officer.
[ ] 9. All reportable conduct investigated by the Whistleblower Investigations Officer should be reported to the CEO or other senior executive.

In addition to the Whistleblower Investigations Officer within a public sector agency, reports of improper or corrupt conduct may be made in writing or by telephone to your agency’s nominated Protected Disclosure Officer. Alternatively, disclosures may be made directly to the Ombudsman for Victoria.

g.   External Requirements
An agency should have formal procedures outlining external notification of obligations, and mechanisms to record outcomes and reporting requirements.
External notification and reporting obligations are set out in the Financial Management Act 1994 (the “FMA”). All incidents of theft or losses must be reported to the Minister for Finance and the Auditor General.
The reporting timeframe will depend on the value of the theft or loss. Agencies should refer to the Theft and Losses Rules pursuant to the Financial Management Act 1994 for further details on reporting thresholds and timeframes.
In addition, the agency is to provide an incident report to the Minister for Finance and the Auditor General.
The incident report must outline the following:
• whether internal controls and systems have been reviewed
• whether the weaknesses identified have been rectified
• the status of any proceedings, investigations or disciplinary actions; and
• what has been recovered.




h.   Investigations procedures
Best practice suggests that agencies should establish standardised procedures for tracking, responding to, investigating and assessing allegations of fraud. Procedures could include a written plan for tracking and responding to allegations of misconduct. Where appropriate, the investigative process should allow for an investigation independent of management.
Consideration should also be given to ensuring that any initial action or full investigation is concerned with the preservation of evidence and follows other legal rules and principles, so that it does not complicate any formal investigation.

i.   Code of conduct and discipline procedures
It is important that an agency’s Code of Conduct supports a culture of honesty and integrity where fraud, corruption and dishonest acts will be detected, investigated and, if required, disciplined.
The Victorian Public Sector Code of Conduct is a public statement of how agencies should conduct their business and how they should treat their clients and colleagues. It supports the legislation in relation to public administration in Victoria.
Agencies should be committed to effectively managing discipline and misconduct to ensure that their standards of work performance and conduct are maintained.

Other references
There are a number of other references that should be considered when developing a fraud control framework, for example:
• legislation and regulations in relation to:
    - financial management
    - public sector administration
    - whistleblowers protection
    - information privacy.
• codes of practice and/or good practice guides such as:
    - code of conduct (Victorian Public Sector)
    - financial code of practice
    - whistleblower guidelines (Ombudsman's Office).
• Australian Standards in relation to:
    - fraud and corruption control
    - organisational codes of conduct
    - whistleblower protection.




User guide to Standing Direction 4.5.5
Direction Requirement 30

Risk Management Compliance




FMCF User Guide: Standing Direction 4.5.5 – Financial Management Compliance Obligations Risk Management Compliance   177
Version 1 (September 2009)
                                                         Risk Management Compliance
Introduction
The Standing Directions of the Minister for Finance (the Directions) require
agencies to implement and maintain risk management governance,
systems and reporting requirements as outlined in the Victorian Risk
Management Framework.
Direction 4.5.5 requires agencies to:
• conduct an annual review of their obligations under this Direction
• identify and rectify any failure or deficiency in complying with this Direction
• provide an attestation that their risk identification and management plan is consistent with Australian/New Zealand Standard 4360:2004 or equivalent.

Compliance requirements
For details regarding compliance requirements for this Direction, agencies
must refer to the Victorian Risk Management Framework issued by the
Minister for Finance in July 2007.
The framework document outlines the requirements and also contains an
example attestation.

More information
The Victorian Risk Management Framework can be obtained from the
Department of Treasury and Finance or found at www.dtf.vic.gov.au.




FMCF User Guide: Standing Direction 4.5.6 – Financial Management Compliance Obligations Treasury Risk Management   178
Version 1 (September 2009)
User guide to Standing Direction 4.5.6
Direction Requirement 31

Treasury Risk Management




                                                            Treasury Risk Management
Introduction
The Standing Directions of the Minister for Finance require agencies to undertake all borrowings, investments and financial arrangements with a financial institution that is either a State owned entity or has a credit rating, assigned by a reputable rating agency, that is the same as or better than the State of Victoria.

Note that there are a number of exceptions to this Direction including:
• where an agency has been granted specific borrowing or investment powers under its constituting legislation
• where an agency is operating a bank overdraft as part of its normal transactional banking operations
• where the investment amount is less than $50,000, or
• where the investment is a non-market equity investment or is of private moneys held under trust arrangements.
Agencies must:
• conduct an annual review of their obligations under this Direction; and
• identify and rectify any failure or deficiency in complying with this Direction.

Application for other exceptions
Any investments held by Government agencies outside the centralised framework, apart from the above exceptions must be approved by the Treasurer and reported to the Department of Treasury and Finance semi-annually. Applications for approval and reporting of such investments should be forwarded to:

The Assistant Director
Financial Risk Management
Department of Treasury and Finance
Level 5, 1 Treasury Place
Melbourne VIC 3002

Centralised Treasury and Investment Policy
A centralised Treasury and Investment Policy has been issued by the Treasurer. High level details of the policy are included below.

Background
The objectives of the policy are to ensure that treasury risks are effectively identified, assessed, monitored and managed by public sector agencies, and that the strategies adopted by public sector agencies are consistent with the overall objectives of the Government.
The State has a conservative philosophy for the management of treasury risks and accordingly, public sector agencies are encouraged to develop specific measures that best address the borrowing and investment risks of their business.
As part of the State’s prudent approach to financial risk management, the Government has established the Treasury Corporation of Victoria (“TCV”) and Victorian Funds Management Corporation (“VFMC”) as centralised agencies to manage the borrowing, investing and financial market activities of public sector entities. A key reason for taking this action is so that the Government has assurance that Government agencies are dealing with bodies that are owned by the State and therefore have a credit rating equal to that of the State. In order to minimise the State’s overall financial risk it is important that the State’s borrowing and investment activities be undertaken through these agencies.

Operating Guidance
TCV manages borrowings and short-term deposits, facilitates financial arrangements to hedge, protect or manage the value of assets and liabilities, and executes the associated transactions. VFMC manages long-term investments, advises and/or implements diversified investment strategies, and executes the associated transactions. These centralised arrangements create significant benefits as they:
• provide the capacity to net the State’s borrowings and investments prior to approaching financial markets, thus reducing its overall borrowing program;
• create economies of scale which reduce execution and administration costs;
• enable the State’s overall counterparty risk to be monitored and managed;
• improve prudential oversight of the State’s overall borrowings and investments; and
• allow the concentration of appropriate financing and investment expertise, rather than being spread thinly across a range of public sector agencies.
Under the centralised framework all borrowings, short term investments and financial arrangements should be dealt through TCV which can advise on appropriate funding, hedging and investing structures taking into account the financial requirements and risk appetite of the public sector agency.
Where it is clear that an entity has a long term investment need, the entity should approach VFMC directly (where appropriate, TCV will refer the entity to VFMC). Relevant approval processes are to be followed before the transactions can be undertaken.

Transition Arrangements
In terms of transition arrangements, there may be a number of public sector agencies that, prior to the issuance of this policy, have entered into short term investments, such as term deposits with commercial banks that may incur break costs if they are withdrawn prior to maturity.
Where substantial break costs for early withdrawal exist, these short term investments are permitted to continue to maturity, after which the proceeds must be invested with the centralised agencies.



