Audit report recommendations

The Queensland Audit Office identified "deficiencies" in the council''s internal financial controls.

By Jeremy Sollars

The 2019 Queensland Audit Office financial report on the Southern Downs Regional Council identified more than a dozen “deficiencies” in the council’s internal financial controls.

The report also refers to up to $2 million held in “trust accounts” by the council from as far back as 1997, accounts the Queensland Audit Office suggests may be in need of a “clean up”.

The report was presented to the council in November 2019 and was tabled at the last council meeting for 2019 held on Wednesday 18 December.

The financial “control deficiencies” – six of which were termed “significant” by the Queensland Audit Office, a state government agency – related in some instances to “control activities” including access by council staff to the council’s finances and financial records.

These include “access to Electronic Funds Transfer (EFT) payment files”, “payroll masterfile amendments”, “accounts payable masterfile amendments” and “user access rights within the revenue process”.

The Queensland Audit Office defines a “significant deficiency” as one which “requires immediate remedial action” and could involve a risk to “material misstatement in the financial statements, “reputation”, “non-compliance with policies and applicable laws and regulations” and, perhaps most concerning, “potential to cause financial loss including fraud”.

The Queensland Audit Office also commented on the status of money held by the council in “trust accounts”, with a trust account usually containing money paid into it by an outside third party.

For councils, examples of such money typically include tender and contract deposits from businesses, and bonds for works performed by external contractors on which the council can make a claim if such works are not completed to the required standard.

The Queensland Audit Office report states that while the council’s trust accounts represent a “low” risk rating – although the “risk” is not defined other than for financial reporting purposes – the trust accounts should be subjected to a “detailed review” by the council.

“Council held approximately $1.9 million in Trust at 30 June 2018,” the Queensland Audit Office report states.

“Review of the trust register identified that some of these transactions date back as far as 1997.

“Council should conduct a detailed review of the Trust Fund register to identify whether any amounts are able to be returned and/or consider whether any action can be taken to clean up the trust account register.”

The report states that the council’s response to the recommendation is a “work in progress”, with “management” having “commenced a review process but this is still ongoing”.

An “action date” for completion of the “work in progress” on the trust accounts is given as 31 May 2020.

The most recent council Annual Report, for 2018-2019, states that as of the year ended 30 June 2019 council trust funds held $99,000 in “monies collected or held on behalf of other entities yet to be paid out to or on behalf of those entities”, and $1,882,000 in “security deposits”.

The annual report states that the council “only performs a custodial role in respect of these monies”.

“As these funds cannot be used by Council, they are not brought to account in these financial statements,” the annual report states.

Other “works in progress”

The Queensland Audit Office report states that in most cases the council has “resolved” the “internal financial control deficiencies” the Office identified, or that the council’s efforts to do so are, like the trust accounts, a “work in progress”.

Remedial actions recommended by the Queensland Audit Office included “reviewing” and “restricting” the “number of users who have write access to the server folders”, and ensuring “each user’s access is appropriate and required for their role”.

“Access for System Account users should be limited to the period to which they are required,” the report states.

It also states the Queensland Audit Office recommended “the review of the payroll masterfile amendments is undertaken by an employee who is independent of the function and who does not have access to make changes to the masterfile”.

Also recommended was that the council “regularly review user access to the supplier masterfile to ensure each user’s access is appropriate for their role”, and that “management should perform a review of system settings for users who have security and function access to raise general journals and restrict this ability for User Ids where this access is not required to fulfil their duties”.

Also recommended was a review of the council’s “data breach framework to ensure Council has a complete and consistent approach to meet its obligations in terms of the Privacy Amendment (Notifiable Data Breaches) Act”.

“Having an incomplete data breach framework exposes to the risk of penalties” under the Act, the report states.

The other “works in progress” – on asset management plans, the long-term financial plan and the data breach framework – are due for completion in either May or June 2020.