Management assurance framework
Queensland Shared Services

Version number: V8.0
Reference number: QSS/2134-01
Policy owner: Director, Corporate Assurance and Risk Management
Total number of pages: 18
Effective date: July 2015
Review date: July 2016
Security classification: PUBLIC
Uncontrolled when printed

Table of Contents

1 Introduction .... 3
1.1 Background .... 3
1.2 Internal control and risk environment .... 3
1.2.1 Governance of QSS operations .... 3
1.2.2 Risk management .... 4
1.2.3 Control activities .... 4
1.2.4 Information and communication .... 4
1.2.5 Monitoring .... 4
2 Purpose .... 4
3 Scope .... 5
4 Management assurance framework details .... 5
4.1 Internal control objectives .... 5
4.1.1 Governance controls .... 5
4.1.2 Business process controls .... 5
4.1.3 Information technology general controls .... 6
4.2 Internal control assessment .... 6
4.2.1 Assessment scope .... 6
4.2.2 Methodology .... 6
4.2.3 Assurance from third party providers .... 7
4.2.4 DSITI Internal Audit .... 7
4.3 Reporting .... 7
4.3.1 Interim status update .... 7
4.3.2 Final management assurance report .... 7
4.3.3 Post balance date assurance .... 8
4.4 Continuous improvement .... 8
4.5 CARM solution .... 8
5 Responsibilities .... 9
6 Endorsement and approval .... 11
Appendix A: Contacts .... 12
Appendix B: References .... 12
Appendix C: Definitions .... 13
Appendix D: Internal control assurance model .... 15
Appendix E: DSITI assurance framework .... 17
Appendix F: MAF process map .... 18

1 Introduction

1.1 Background

Queensland Shared Services (QSS) is a provider of corporate services to Queensland Government entities, that is, state government departments and statutory bodies (hereafter referred to as customers). QSS provides financial services, human resource management services and underlying application support and maintenance services to its customers. QSS has established Service Agreements (SAs) with its customers.

QSS is a business area (division) within the Department of Science, Information Technology and Innovation (DSITI) and the Director-General of DSITI is the accountable officer for QSS.

Agency accountability and financial administration requirements are underpinned by the Queensland Financial Accountability Act 2009 (FAA) and the Queensland Financial and Performance Management Standard 2009 (FPMS). Under section 61 of the FAA, accountable officers are responsible for the efficient, effective and economical operation of their department and for the establishment and maintenance of appropriate systems of internal control and risk management.
To discharge this responsibility, section 77 of the FAA requires, for departments only, that an accountable officer delegate the establishment and review of financial internal controls to the chief finance officer (CFO). The CFO must provide to the accountable officer, before or at the same time as the CFO certifies the annual financial statements, a statement about whether the financial internal controls of the department are operating efficiently, effectively and economically. As prescribed in section 57(1)(d) of the FPMS, the CFO statement must include assurance over external service providers in relation to their internal controls.

As an external service provider of corporate services, QSS is responsible for designing, implementing, maintaining and monitoring an internal control framework for its operations. In carrying out this responsibility, QSS has regard to the interests of its customers, other key government stakeholders and to the general efficiency, effectiveness and economical operation of its business.

1.2 Internal control and risk environment

The FAA defines internal control as:

    …the methods adopted within an entity to safeguard its assets; check the accuracy and reliability of its accounting information; and secure compliance with the prescribed requirements that apply to the entity.

QSS has established its internal controls based on the principles outlined in the Committee of Sponsoring Organisations (COSO) Internal Control Integrated Framework, Guidance on Monitoring Internal Control Systems, May 2013.
1.2.1 Governance of QSS operations

QSS has a formalised organisational structure with distinct operational responsibilities including:

- Service Delivery (Finance, Human Resources and Mail)
- Systems
- Business Transformation
- Corporate Assurance and Risk Management (CARM)

The Executive Directors are responsible for the provision of services within their area of responsibility and they report directly to the Assistant Director-General, QSS within DSITI. CARM is an independent business unit which reports directly to the Assistant Director-General, QSS.

1.2.2 Risk management

QSS has implemented a robust risk management process in accordance with the approved DSITI departmental risk management framework, policy and guidelines. Risk management assessment is performed regularly and a risk register is in place which incorporates risk treatment plans for the identified risks. The risk register is tabled at the monthly QSS Executive Management Group (QSS EMG) meeting for review. The CARM unit coordinates the risk management process.

1.2.3 Control activities

QSS management has established its internal control environment with documented control objectives and control activities through a risk management process. These control objectives have been developed to address risks relating to QSS delivery of financial, human resource management (including payroll) and information technology services.

1.2.4 Information and communication

QSS has implemented an effective communication process around its management reporting and business operations to communicate pertinent information for reporting and decision making. There are different forums, committees and groups established within QSS to facilitate such communication. Key stakeholders have been identified and an effective communication strategy implemented with customers and suppliers.
1.2.5 Monitoring

QSS has established a reasonable number of internal monitoring and review processes necessary for evaluating the continual effectiveness of controls. The monitoring and control functions are carried out as follows:

- The QSS EMG is responsible for overseeing the primary governance of QSS. The QSS EMG convenes weekly and, at least once a month, reviews and provides direction on QSS issues covering governance, risk management, compliance and audit.
- The CARM unit regularly monitors the effectiveness of established internal controls and compliance with relevant policies and practices as part of the annual Management Assurance Framework (MAF) testing and reporting.
- At the DSITI departmental level, the DSITI Audit and Risk Management Committee provides oversight in relation to the internal control systems, risk management systems and the internal and external audit functions.

2 Purpose

The purpose of the MAF is to provide a high level framework for QSS to effectively manage its internal controls and comply with relevant legislation for the provision of Service Agreement based services. Refer to Appendix B for a list of references used to develop the MAF.

Effective implementation of the MAF enables QSS to provide reasonable assurance to its customers that management has maintained, in all material respects, efficient, effective and economical internal controls for its operations. The MAF forms part of the QSS Internal Control Assurance Model (refer to Appendix D) and the DSITI Assurance Framework (refer to Appendix E).

3 Scope

The MAF is limited to the scope of services as outlined in the SAs signed between QSS and its customers. It does not encompass responsibilities undertaken by customers for their part of service provision, or the external audit assurance requirements under the Standard on Assurance Engagements ASAE 3402 Assurance reports on controls at a service organisation.
4 Management assurance framework details

The framework includes the below components:

Refer to Appendix F for the detailed process of implementing the MAF.

4.1 Internal control objectives

The following is a list of the internal control objectives identified through the risk management process.

4.1.1 Governance controls

Internal control objective 1: A formal governance structure is established with clear roles and responsibilities to ensure effective decision making, monitoring and review of QSS’s operations and performance, and information is communicated to relevant QSS stakeholders.

Internal control objective 2: A robust risk management process has been implemented by business areas to manage operational risks effectively.

4.1.2 Business process controls

Internal control objective 3: Processing of transactions is subject to customer agency authorisation and adequate procedures are implemented within QSS to ensure the accuracy, completeness and integrity of documents being processed.

Internal control objective 4: Segregation of duties (SoD) is implemented either through preventative or compensating controls to mitigate SoD risks.

Internal control objective 5: Validation and reconciliations are performed adequately to ensure the accuracy, completeness and integrity of transactions processed.

Internal control objective 6: Processes and procedures have been implemented to manage customer agencies’ records in accordance with relevant record management standards.

4.1.3 Information technology general controls

Internal control objective 7: Logical access security (including application security management) is implemented adequately to comply with relevant information security standards and ensure the confidentiality, integrity and availability of information systems and data.
Internal control objective 8: Change management processes have been implemented effectively, with segregation of duties, to manage all information, communication and technology changes.

Internal control objective 9: Business continuity (BCP) and disaster recovery (DRP) plans are developed and implemented effectively to ensure continued business operations in case of unexpected events or disruptions to the systems.

Internal control objective 10: Physical and environmental security is restricted to prevent inadvertent or unauthorised access to systems, assets and information that are managed, maintained, owned or used by QSS.

4.2 Internal control assessment

QSS performs annual control self-assessments to test the internal control objectives and associated internal control activities, covering the period from 1 July to 30 June of each financial year.

4.2.1 Assessment scope

The assessment scope will be determined based on the following items:

- internal control objectives for QSS to provide services to its customers as outlined in the service agreements
- internal control activities, including the key specific policies and procedures established to meet internal control objectives
- QAO QSS ASAE 3402 Assurance Report testing coverage and issues identified; all processes related to the issues raised in the recent QAO QSS ASAE 3402 report should be considered for inclusion in the MAF testing depending on the risk level
- DSITI Internal Audit coverage for QSS during the current financial year and issues identified
- the QSS risk register
- initiatives and internal control environment changes within QSS during the current financial year
- consultation with key stakeholders within QSS.

4.2.2 Methodology

Control self-assessment methodology will be used to test the effectiveness of the internal control activities.
The following steps will be undertaken:

- Control self-assessments including comprehensive internal control activities will be distributed to and completed by QSS Service Delivery (Finance, Human Resources and Mail), QSS Systems and any other applicable business areas.
- Sampling techniques will be used to submit evidence to support responses. The actual sample size will be determined before the testing, taking into account the complexity and consistency of the control activities applied for each customer agency.
- Responses and supporting evidence will be reviewed and approved by responsible directors.
- Responses and supporting evidence will be independently analysed and control weaknesses, if any, will be identified by the CARM unit, with action plans agreed with management. The CARM unit will continue to monitor the implementation of action plans by management.

4.2.3 Assurance from third party providers

QSS obtains assurance reports from its third party providers annually and performs an assessment of those against the internal control objectives. The assessment process is to provide reasonable assurance regarding:

- compliance with control objectives and procedures
- appropriate risk management policies and procedures are in place
- appropriate internal controls are in place
- monitoring and reporting is adequate, accurate and timely.

4.2.4 DSITI Internal Audit

DSITI Internal Audit plays a key role in the departmental assurance framework. In accordance with the approved internal audit annual audit plan, Internal Audit sets out the audits intended to be carried out for QSS. The audit findings and recommendations arising from such audit activity are formally reported to QSS management for consideration and corrective action. The CARM unit is responsible for monitoring the implementation of corrective actions by management.
QSS will communicate to the appropriate customer agency officer any issues raised by DSITI Internal Audit which may have a material impact on customer agencies.

4.3 Reporting

4.3.1 Interim status update

In February of each year QSS provides each customer agency’s Chief Finance Officer with a status update by email, containing:

- a list of all audit issues raised by DSITI Internal Audit and their current status
- a list of material control exceptions identified through the previous financial year’s MAF testing and their status.

The purpose is to provide each customer agency with an update on QSS internal controls and highlight any material internal control weaknesses to the customer.

4.3.2 Final management assurance report

By 31 July each year QSS provides each customer agency’s accountable officer with a detailed management assurance report and an accompanying letter. The assurance report covers the previous financial year and provides assessment results concerning the effectiveness of internal controls established and operated by QSS. The intent is to provide reasonable assurance that, in all material respects, the internal controls have been operating efficiently, effectively and economically.

The final management assurance report will include the following information:

- assessment results for control objectives and control activities operated by QSS
- DSITI Internal Audit issues identified and a status update on management actions
- assurance outcomes provided by QSS third party providers.

It is important to mention that the management assurance report is not intended to diminish the customer’s responsibility and accountability for designing, implementing and reporting on the adequacy and effectiveness of its own risk management and internal control system.
4.3.3 Post balance date assurance

By mid-August each year QSS provides each customer agency’s accountable officer with a separate post balance date assurance letter prior to certification of their financial statements. This assurance letter states whether or not there have been any significant internal control changes or financial events within QSS since the balance date that may have a material effect on the financial management of the customer agency. Where applicable, the impact of any change or event is identified and quantified in the letter.

4.4 Continuous improvement

The CARM unit facilitates the continuous improvement of MAF implementation by working with management on the following activities:

- review and update the QSS risk register
- review and update internal control objectives to reflect relevant legislative changes, other external drivers and QSS risks
- review and update control activities and control self-assessments to reflect control environment changes, new initiatives within QSS and audit issues raised by DSITI Internal Audit and the external auditor
- continuously improve the control self-assessment methodologies and techniques to ensure efficient and effective assurance processes.

4.5 CARM solution

The CARM solution is a web based system implemented and utilised by QSS to simplify the control self-assessment process and related MAF testing and reporting. The CARM solution is used to:

- assess control activities, develop improvement plans and review, consolidate and analyse results on a real time basis
- improve efficiency and timeliness of the process
- support the quality assurance process
- improve reporting mechanisms and enable effective compliance reporting
- facilitate business improvements
- enable assessment of non-financial systems (e.g. human resources, information technology)
- store data in a central electronic repository, resulting in easy access to information and a considerable improvement to the efficiency and effectiveness of the appraisal process.

The CARM unit provides the system support, maintenance and helpdesk function to all users.

5 Responsibilities

The table below describes the responsibility of each stakeholder to ensure the effectiveness of MAF implementation.

Role: Director-General, DSITI
Responsibilities:
- Approve the MAF
- Endorse and sign the management assurance reports and post balance date assurance letters issued to customers’ accountable officers
- Require the Assistant Director-General, Queensland Shared Services (QSS) to establish and maintain the MAF
- Require QSS to regularly review the framework and its associated system of reporting on internal control objectives and internal control activities.

Role: Assistant Director-General, QSS
Responsibilities:
- Own the control environment, encompassing the responsibility for establishing, endorsing and reviewing the MAF and associated internal control environment and internal control objectives
- Review and certify the management assurance reports and post balance date assurance letters following acceptance by the executive directors
- Provide leadership to the QSS Executive Management Group (EMG), which shapes and endorses the values, principles and operating policies that form the basis of the framework of internal controls.
Role: Executive Directors and Directors
Responsibilities:
- Ensure that the framework is incorporated within their area of responsibility
- Ensure that internal controls and other policies and procedures aimed at ensuring QSS meets its internal control objectives are established and maintained
- Develop processes that identify, monitor and review operational risks, and develop strategies that mitigate identified risks
- Be cognisant of audit recommendations and, where weaknesses are identified, take appropriate and timely action to strengthen control and compliance procedures
- Actively support the annual program of work provided by internal and external audit
- Implement appropriate responses to issues raised by internal and external audit
- Review the adequacy and effectiveness of control self-assessments and refine where necessary
- Review and complete the control self-assessments
- Oversee all aspects of QSS internal control activities within their area of responsibility and ensure that managers apply a range of tools, structures, forums and strategies to adhere to the MAF.

Role: Internal Audit
Responsibilities:
- DSITI Internal Audit has a direct reporting relationship to the Director-General, DSITI and the DSITI Audit Committee
- In accordance with the approved DSITI internal audit annual audit plan, Internal Audit sets out the audits intended to be carried out, which includes coverage within QSS. The audit findings and recommendations arising from such audit activity are formally reported to departmental management for consideration and corrective action
- Monitor and report on the implementation of agreed audit recommendations
- Provide independent audit advice as an observer to QSS EMG.
Role: External audit – Queensland Audit Office
Responsibilities:
- Support the role of the Auditor-General in providing Parliament with an independent assessment of the financial management-related activities of public sector entities
- Undertake independent ASAE 3402 controls assurance review of QSS in accordance with its program of work
- Report on audit issues and recommendations requiring further consideration or attention to QSS EMG
- Provide external audit assurance to the Director-General, DSITI.

Role: QSS Executive Management Group
Responsibilities:
- Ensure formal decision-making, monitoring and review structures or forums are established within QSS
- Ensure structures or forums are transparent and subject to scrutiny
- Ensure structures or forums communicate effectively with stakeholders as appropriate
- Ensure reviews are undertaken around QSS operational performance and management of risk in the context of QSS internal control objectives.

Role: Corporate Assurance and Risk Management (CARM) unit
Responsibilities:
- Be accountable to the Assistant Director-General, QSS and focus on the quality of internal controls that support the delivery of services. This includes the effectiveness of and conformance with the MAF, risk management, compliance and audit issues management
- Implement and manage a risk-based control self-assessment program
- Independently review the control self-assessment results and follow up non-compliant control activities
- Prepare statements of assurance including results from internal and external audit reviews
- Actively support the annual program of work provided by internal and external audit
- Facilitate appropriate responses to issues raised by internal and external audit
- Complete an annual review of the MAF to ensure its currency
- Review and update internal control objectives as required
- Regularly review and update internal control activities and control self-assessments to reflect internal control environment changes.
Role: Customers of QSS
Responsibilities:
- Ensure the accuracy, completeness and authorisation of its financial data and that legislative requirements have been met. Customers rely on QSS to ensure that the relevant control mechanisms continue to function as intended to the extent that QSS has control over those mechanisms
- Ensure that it has a complementary set of internal controls in relation to its responsibilities in the end-to-end processes for services provided by QSS
- Provide complete, accurate and timely documentation and instructions to QSS
- Provide correct agency authorisations or approvals based on customer delegations
- Ensure that specific delegations and authorisations provided to QSS to approve expenditure on behalf of the customer are appropriate for the operations of the agency and are in accordance with the FAA and the Public Service Act 2008
- Monitor delegations and authorisations exercised on behalf of the agency by QSS
- Ensure the accuracy, completeness and integrity of the agency’s financial statements and that financial statement reporting requirements have been met; these specific responsibilities cannot be delegated to QSS
- Own and operate information systems, or utilise system applications, which QSS maintains and accesses to provide agreed services to the customer
- Maintain an effective system of internal controls to support the confidentiality, integrity and accuracy of information systems that it owns and operates and system applications that it utilises
- Grant and approve user access to its systems for its own staff and customers
- Satisfy themselves that the access sought to its information is appropriate and reviewed on a regular basis
- View the control and security environment at QSS as an integral part of its own internal control structure in relation to its information systems and data.
6 Endorsement and approval

This framework has been endorsed by:

Name: Irene Violet
Position: A/Assistant Director-General, Queensland Shared Services
Signature: Endorsed and signed
Date: 07/08/2015

This framework has been approved by:

Name: Jamie Merrick
Position: A/Director-General, Department of Science, Information Technology and Innovation
Signature: Approved and signed
Date: 11/08/2015

Appendix A: Contacts

Corporate Assurance and Risk Management
Queensland Shared Services
Department of Science, Information Technology and Innovation
Level 5, 160 Mary Street
Brisbane Qld 4000
Telephone: 07 3179 1264
Email: carm@dsiti.qld.gov.au

Appendix B: References

- Financial Accountability Act 2009
- Financial and Performance Management Standard 2009
- Financial Accountability Regulation 2009
- Financial Accountability Handbook – Queensland Treasury
- Public Service Act 2008
- Internal Control – Integrated Framework, Guidance on Monitoring Internal Control Systems, Volume 2: Application, Committee of Sponsoring Organizations of the Treadway Commission (COSO), May 2013
- Australian Auditing Standards
- Australian Accounting Standards

Appendix C: Definitions

Accountable officer: Chief Executive Officer with responsibility for management of the department or agency as defined under the FAA.

Customers: A customer is a Queensland Government department or other body to which QSS provides a range of corporate services under a SLA.

Committee of Sponsoring Organisations (COSO): The COSO of the Treadway Commission is an internationally recognised voluntary private sector organisation that has established a common internal control model against which organisations may assess their control systems.

Control environment: The control environment includes the governance and management functions concerning the customer’s internal control and its importance in the agency. It sets the tone of an organisation, influencing the control consciousness of its employees, and is the foundation for effective internal control, providing discipline and structure. Reference: ASA 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, para 80. Australian Auditing and Assurance Standards Board, October 2009.

DSITI Audit and Risk Management Committee: This committee acts as an advisory body to the Director-General, DSITI to assist in the effective discharge of the responsibilities in the FAA and FPMS and other relevant legislation and prescribed requirements. The committee is chaired by the Director-General, DSITI.

Financial Accountability Act 2009 (FAA): The FAA is legislation enacted by the State of Queensland to provide for accountability in the administration of the State’s finances and financial administration of departments and statutory bodies.

Financial and Performance Management Standard 2009 (FPMS): The FPMS is subordinate legislation made under the FAA. It provides a framework for an accountable officer to develop and implement systems, practices and controls for efficient, effective and economic financial and performance management of the department or statutory body.

Governance: Section 7 of the FPMS states that governance is the way the department or statutory body manages the performance of its functions and operations. Governance is generally accepted to encompass management’s behaviour and accountability for the way it directs an agency’s operations. It may also relate to the agency’s structure, responsibilities, competencies, reporting and risk management processes.

Information systems: As defined by the FPMS, information systems mean the methods, mechanisms and records established within the department or statutory body to identify, assemble, analyse, classify, record and report transactions and other events affecting the department or statutory body. Within QSS this may include tools categorised as business application systems.

Internal control objective: The specific target used to determine whether an internal control is operating effectively, efficiently and economically is called the internal control objective.

Management assurance framework (MAF): A description of the QSS internal control environment, internal control objectives and internal control activities established to provide reasonable assurance that QSS is managing its business operations efficiently, effectively and economically.

Material/materiality: In the context of the MAF, the concept of materiality relates to the internal controls and the systems being reported on, not the financial reports/statements of the customer agency. The MAF is used to assess whether the internal controls at QSS are suitably designed and are operating effectively, efficiently and economically in all material respects in delivering SLA services to customer agencies. Such assessment includes those financial controls which are relevant to the financial reporting of customer agencies.

CARM solution: The CARM solution is a web based system implemented by the CARM unit to simplify and automate the process of completing and reporting on the MAF control self-assessments.

QSS Executive Management Group (QSS EMG): The QSS EMG is the primary governance body of QSS in providing leadership and stewardship for directing and controlling the business of QSS. It is chaired by the Assistant Director-General, QSS.

Queensland Audit Office (QAO): The QAO supports the role of the Auditor-General in providing Parliament with an independent assessment of the financial management-related activities of public sector entities. It provides independent audit services and reports to Parliament to enhance public sector accountability.

Reasonable assurance: A general acknowledgement that it is not possible to certify absolutely and certainly that an event will or will not occur, due to the limitations inherent in all internal control systems. In the context of the management assurance report, it therefore refers to the degree of satisfaction that the evidence obtained from monitoring activities undertaken by QSS supports the certifications made.

Service Agreement (SA): A formal agreement between QSS and a customer agency for the provision of services. The SA includes details of all services provided by QSS, including a description of each service, QSS responsibilities, customer agency responsibilities and QSS performance measures.

Services: Functions and activities that QSS can provide to customers on a fee-for-service basis and which are described in the SA.

Appendix D: Internal control assurance model

Appendix E: DSITI assurance framework

Appendix F: MAF process map