Part 5: Crown entities' audit results

Central government: Results of the 2012/13 audits (Volume 2).

5.1
In this Part, we report on the audit reports issued for Crown entities in 2012/13.

5.2
During our audit work, we gain insights and perspectives about the various factors and challenges facing public entities and about the initiatives being advanced to respond to these and drive improvement. This Part also sets out some of our observations and matters raised by auditors working with Crown entities.

5.3
Technically, schools and DHBs are also Crown entities, but we do not discuss them in any depth here. We are publishing reports later this year that will set out the audit results for these types of entities.12 Also, we do not comment here on the results of the 2012/13 audits for subsidiaries of Crown entities, other than to note the non-standard reports that we issued.

About Crown entities

5.4
There are more than 2700 Crown entities, including 2486 school boards of trustees. Crown entities have a wide range of roles, functions, and responsibilities and different degrees of autonomy. By law, the Auditor-General is the auditor of all Crown entities and their subsidiaries.

5.5
The Crown Entities Act 2004 provides a framework for the establishment, governance, accountability, and operation of Crown entities.13 It sets out five categories of Crown entities:

  • statutory entities:
    • Crown agents, such as the Accident Compensation Corporation and DHBs;
    • autonomous Crown entities, such as the Standards Council of New Zealand and the New Zealand Symphony Orchestra; and
    • independent Crown entities, such as the Law Commission;
  • Crown entity companies, including Television New Zealand and CRIs;
  • Crown entity subsidiaries;
  • school boards of trustees; and
  • TEIs (polytechnics, universities, and wānanga).

5.6
In July 2013, significant amendments to the Crown Entities Act were passed into law. The amendments aim to improve collaboration in the public sector by encouraging entities to work together to achieve the Government's priorities. It also changes requirements for accountability documents and service performance reporting.

Audit reports for 2012/13

5.7
For the Crown entities included in this report, we issued 102 audit reports. Of those, the reports for six Crown entities were non-standard audit reports (see Figure 13).

Figure 13
Number of standard and non-standard audit reports issued, by type of Crown entity, for 2012/13

Standard audit reports Non-standard audit reports
Crown research institutes 7 0
Tertiary education institutions 27 2
Crown entities (other) 62 4
Total 96 6

5.8
We used "Emphasis of matter" paragraphs (see Part 4) to draw readers' attention to:

  • disclosures about the disestablishment or pending disestablishment of entities;
  • uncertainties about measuring the fair value of unlisted venture capital investments;
  • uncertainties about measuring the value of unlisted mortgage-backed securities: and
  • the appropriate use of the going-concern assumption for EQC and uncertainties relating to the calculation of the outstanding claims liability from the Canterbury earthquakes.

5.9
We also audit a number of Crown entity subsidiaries. Our audits drew attention to the disestablishment of some of the Public Trust's controlled nominee companies. They also drew attention to uncertainties in measuring the fair value of unlisted venture capital investments for the New Zealand Venture Investment Fund Limited and subsidiaries.

Observations and matters arising from the audits

5.10
In the last two years, some Crown entities have received a high level of media coverage and public interest about security and privacy breaches. When an internal spreadsheet with Canterbury earthquake claims progress and personal details was mistakenly sent by an EQC employee to an external person in March 2013, it highlighted the growing importance of security in a digital environment. This followed the accidental release of claimant details by the Accident Compensation Corporation in 2011.

5.11
The increasing trend to more online delivery of government services comes with significant risk to protecting sensitive information. Some Crown entities had poor password settings, while others needed to improve their policies for user access to key information management systems. A recent PricewaterhouseCoopers report, The Global State of Information Security 2014, highlights that information security is an issue facing entities world-wide, stressing the importance of having effective security strategies and policies.

5.12
We have provided further commentary on security and privacy issues in Part 8, where we describe our observations from information systems audits carried out as part of our annual audits.

Structural and organisational change

5.13
An ongoing theme for Crown entities is structural and organisational change. Examples of this include:

  • shared services (the merging of back-office functions such as financial services, human resources and information technology);
  • the expansion of an entity's functions;
  • creating one entity out of several disestablished entities;
  • the introduction of new business processes; and
  • internal restructuring by disestablishing and creating new positions to align with new business strategies.

5.14
The Civil Aviation Authority and the Aviation Security Service underwent a change programme called "One Organisation", with the intent of creating a single organisation with two legislative responsibilities. This has seen their back-office services combined into shared services, along with structural changes and operational reviews of their regulatory functions. The New Zealand Productivity Commission is another Crown entity in a shared services agreement, with its core corporate support services provided by Inland Revenue. We encourage entities in shared service arrangements to agree the nature of their relationship and the services to be delivered, to ensure that sharing services provides value for money.

5.15
The Health Promotion Agency is a new Crown entity, established on 1 July 2012. It has taken over the functions of Alcohol Advisory Council, Health Sponsorship Council, and some health promotion functions previously delivered by the Ministry of Health. With any new entity there is a risk of an ineffective control environment, which can lead to fraud or error. The Health Promotion Agency has managed the change period well, developing a new governance and management structure to support its new identity and brand. It had an effective change management programme that prioritised the review and alignment of policies and processes. The Health Promotion Agency received a "Very good" grade when we assessed its management control environment.

5.16
Although most organisational change and restructuring is a result of financial pressure, two Crown entities are changing as a result of expansion and increased funding:

  • The Pharmaceutical Management Agency (Pharmac) increased its role to incorporate managing the national immunisation schedule and establishing the national hospital medicines list. No negative effects from the expansion of functions were found, although we encouraged Pharmac to review its performance framework to ensure that it captures the new responsibilities.
  • Education New Zealand is expanding its functions as it matures, and its total revenue for 2012/13 was $11.7 million higher than for 2011/12. We encouraged Education New Zealand to closely monitor how this expansion will affect its operational capacity and to plan effectively to mitigate any risks from this.

5.17
Generally, we found that organisational change and restructuring had been well managed by Crown entities, with no significant issues arising. However, there will be further organisational change and restructuring. Managers and auditors will need to remain alert to a number of unintended adverse effects caused by these changes, such as risks to the internal control environment, disgruntled staff, and the effect on organisational capability, which can reduce an entity's ability to achieve its major outcomes.

Governance and accountability

5.18
In times of significant organisational and environmental change, maintaining strong governance and accountability systems is important. Strong governance and accountability arrangements improve the decision-making and risk management processes of an entity. Weaknesses in governance and accountability can cause a breakdown in systems and controls, an increase in the risk of fraud, and expose the entity to significant reputational risk.

5.19
Having appropriate policies and procedures is essential for good governance and accountability. This year, Education New Zealand prepared its finance and administration policies and had them independently reviewed to ensure that they were appropriate and reflected good practice. It is also implementing an internal assurance programme, which will help improve its governance and accountability arrangements. We commend Education New Zealand on these improvements, and note that it went from "Needs improvement" grades in 2011/12 to "Good" grades for 2012/13.

5.20
The Museum of New Zealand Te Papa Tongarewa (Te Papa) has experienced change in senior management roles and at the board level, including a new board chairperson. There are risks to the internal control environment with these changes. However, the changes also provide Te Papa with an opportunity to improve on its management control environment, especially by improving the quality of internal reporting to support senior management and board decision-making.

5.21
We continue to encourage Crown entities to consider audit and risk committees. We produced a good practice guide, Audit Committees in the Public Sector, in 2008, which highlights the benefits of audit and risk committees. Those benefits include strong accountability and independent advice on strategic, performance, assurance, and compliance matters. For example, Te Māngai Pāho has established an audit and risk committee this year, but needs to set up an annual work plan for the committee.

5.22
Governance and accountability will be a focus for our work in 2014/15. This will involve understanding the strengths and weaknesses of governance arrangements and accountability systems within entities, including systems and processes that support good decision-making, delegations of authority, and risk management processes.

Service performance reporting

5.23
Performance reporting is an essential part of public sector accountability for Crown entities, just as it is for government departments. It allows Parliament and the public to assess the performance of Crown entities and ensure that they are using public funds effectively to provide the services they have been established to provide.

5.24
Appointed Auditors will modify their audit opinion if the performance information in the annual report does not, in their opinion, fairly reflect the Crown entity's performance for the year.

5.25
In general, Crown entities are improving the quality of their performance reports. Paragraphs 5.46 to 5.47 set out more information on the service performance information and associated systems and control assessment for Crown entities.

5.26
Some common issues were highlighted during the audits of Crown entities. These common reporting issues were:

  • The clarity and specificity of measures. In particular, many Crown entities were not providing enough context for their measures, which includes having relevant comparative and trend information. We recommended that both Sport New Zealand and the Health Quality and Safety Commission consider introducing international comparative information to give a clearer picture of their performance. Being clear with measures also includes providing specific definitions for words that may help the reader of the annual report understand what is being measured.
  • A number of Crown entities have overly complex performance frameworks that need to be refined so that they are better balanced, more concise, and accurate. For example, Maritime New Zealand's performance framework includes outcomes, intermediate outcomes, strategic objectives, impacts, and outputs. While we assessed the overall framework and associated performance information as good, a simpler framework would be easier for the reader to understand and for Maritime New Zealand to administer.
  • There is a general need for systems and controls to be strengthened so that they support the accuracy and completeness of performance data. This includes having an appropriate audit trail to allow us to verify the reported performance. For example, we recommended that EQC implement stronger controls over the information supporting output figures, including a review by management of the underlying data.

5.27
We have also encouraged Crown entities to use performance information as an internal reporting tool, not just as a compliance exercise at the end of the financial year. If a performance measure or target is useful to an external reader of the annual report, then it should be important to management for monitoring the entity's performance. Internal reporting of performance measures allows the entity to support decision-making and "fine-tune" its performance to meet targets and achieve outcomes.

5.28
Amendments to the Crown Entities Act 2004 were passed in July 2013. The amendments give greater reporting flexibility to Crown entities for reporting on service performance, such as removing the need to define performance in terms of outcomes, impacts, and outputs, and to encourage reporting as a sector on common goals. These amendments come into force on 1 July 2014, and we will be working with the Treasury and the Crown entities to help with this transition.

Financial sustainability

5.29
Crown entities continue to deal with issues of long-term financial viability and sustainability, especially in the context of static funding and changing demands.

5.30
The New Zealand Blood Service (the Blood Service) and the Office of Film and Literature Classification (OFLC) are being challenged by a decrease in demand for their services. The Blood Service is grappling with this decrease while redeveloping major facilities in Auckland and Christchurch and minimising price increases for DHBs. Similarly, OFLC is receiving significantly fewer submissions from the Film and Video Labelling Body Incorporated, which directly affects OFLC's revenue. Both entities are actively managing these challenges and we will continue to monitor their performance.

5.31
Financial pressure can also come when demand increases but funding remains static. The Office of the Privacy Commissioner's funding has remained static for a number of years despite increasing demand. In this instance, the Office of the Privacy Commissioner has managed the growth in demand and largely maintained service performance standards.

Tertiary education institutions

5.32
The main themes and/or risks that our auditors identified and focused on during the 2012 audits of TEIs were:

  • financial viability, sustainability, and reputational risk, in particular how revenue diversification, cost, and performance pressures affected service delivery and reputation;
  • improvements to service performance reporting;
  • capital asset expansion, in particular, procurement, project management and cost control, finance, and sustainability;
  • governance and management of subsidiaries; and,
  • for some affected TEIs, accounting for the Canterbury earthquakes.

5.33
We will continue to focus on this same range of themes in our 2013 audits of TEIs.

Our reporting on service performance

5.34
In December 2013, we sent out to TEIs and published on our website a document entitled Continuing to improve how you report on your TEI's service performance.14 This document noted that, although there was a range in quality and scope, there was an encouraging and positive trend toward improvement in service performance reporting. Good points included:

  • the gradual broadening of reporting to include all dimensions of the TEI's services, beyond the mandatory reporting against Educational Performance Indicators; and
  • management teams' and governance bodies' increased ownership of performance information.

Improving governance and management of subsidiaries

5.35
In December 2012, our report entitled Education sector: Results of the 2011 audits was presented to Parliament. Part 4 of that report noted our views about the need to improve assessment of the business need for, and reporting on, subsidiaries. We are aware that the Ministry of Education and the Tertiary Education Commission are considering these issues.

Environment, systems, and controls

5.36
In this section, we discuss our assessment and grading of the environment, systems, and controls for managing and reporting financial information for 63 Crown entities and service performance information for 61 Crown entities in 2012/13.15 We discuss the grades for CRIs in Part 6, and the grading scale in Appendix 2.

5.37
Two new Crown entities were assessed for the first time:

  • Health Promotion Agency, which received grades of "Very good" for its management control environment and "Good" for its financial information systems and controls and service performance information and associated systems and controls; and
  • Callaghan Innovation, which was assessed on its management control environment ("Very good") and its financial information systems and controls ("Very good").

Management control environment

5.38
Figure 14 shows the results of our assessment of Crown entities' management control environment from 2006/07 to 2012/13. The trend in the last three years is positive, with a significant increase in the number of Crown entities with a grade of "Very good". Of the 63 Crown entities, 48 (76%) were assessed as having "Very good" management control environments, with another 12 (19%) graded as "Good".

Figure 14
Crown entities – grades for management control environment, 2006/07 to 2012/13

Figure 14 Crown entities – grades for management control environment, 2006/07 to 2012/13.

5.39
Seven entities improved from "Good" to "Very good" grades in 2012/13. These entities were:

  • External Reporting Board;
  • Health Quality and Safety Commission;
  • Independent Police Conduct Authority;
  • New Zealand Historic Places Trust;
  • New Zealand Productivity Commission;
  • New Zealand Transport Agency; and
  • Social Workers Registration Board.

5.40
Some of the reasons that Crown entities improved their grade included:

  • improved strategic planning;
  • implementing important policies, including risk management, fraud, and procurement;
  • improving systems to comply with legislation; and
  • using an audit and risk committee to help with governance and accountability or implementing an internal assurance programme.

5.41
Three entities were assessed as "Needs improvement". This is an improvement on 2011/12, when five entities were assessed as "Needs improvement". The reasons why the three entities have remained on this grade vary:

  • EQC – The consequences of the Canterbury earthquakes continue to affect the management control environment of EQC. Although our auditors found an appropriate level of governance, and improvements such as expanding the internal audit function, a number of recommended improvements have yet to be addressed. They include establishing or updating important policies, proper staff handover when there is restructuring, and formalising processes for IT controls.
  • Te Papa – Changes to the board and senior management have increased risks to maintaining adequate controls. Some recommended improvements from last year were still to be addressed at the time of the audit. We note that the change in management is an opportunity to make these changes.
  • Real Estate Agents Authority – We noted improvements from 2011/12, but systems and controls were not in place for the whole year. Also, a board-initiated review of a significant project identified weaknesses in project management and the development of business requirements. The board is acting on the recommendations from the review.

Financial information systems and controls

Figure 15
Crown entities – grades for financial information systems and controls, 2006/07 to 2012/13

Figure 15 Crown entities – grades for financial information systems and controls, 2006/07 to 2012/13.

5.42
Figure 15 shows the results for our assessments of Crown entities' financial information systems and controls from 2006/07 to 2012/13. There has been some improvement in 2012/13, with 41 (65%) of Crown entities assessed as "Very good" and 21 (33%) as "Good".

5.43
The following entities improved their grade from "Good" to "Very good" in 2012/13 by resolving last year's recommendations (as well as Callaghan Innovation, which was graded "Very good" in its first year):

  • Broadcasting Standards Authority;
  • Civil Aviation Authority;
  • Electricity Authority; and
  • Environmental Protection Agency.

5.44
However, three entities dropped from "Very good" to "Good":

  • Drug Free Sport New Zealand – we recommended improvements to some formal processes for contract income and payroll reconciliations;
  • Te Māngai Pāho – we recommended some improvements to processes for expenditure coding and approval; and
  • Transport Accident Investigation Commission – we made recommendations about the independent review of journals and general ledger reconciliations.

5.45
We provide a briefing to management and the relevant boards if our auditors identify deficiencies or recommend improvements to financial information systems and controls. We will review the entities' progress with addressing issues and we expect those issues to be addressed during 2013/14.

Service performance information and associated systems and controls

Figure 16
Crown entities – grades for service performance information and associated systems and controls, 2008/09 to 2012/13

Figure 16 Crown entities – grades for service performance information and associated systems and controls, 2008/09 to 2012/13.

5.46
As Figure 16 shows, we continue to see significant improvements in service performance information and associated systems and controls in 2012/13. The percentage of Crown entities assessed as "Needs improvement" has dropped from 28% in 2011/12 to 13% in 2012/13. Six Crown entities are now assessed as "Very good", up from two in 2011/12. This improvement is positive, especially considering this was the first year the Auditor-General's revised standard for auditing service performance reports was applied to the audits in all Crown entities.

5.47
The following four entities have improved to join the New Zealand Artificial Limb Service and the New Zealand Blood Service with a "Very good" grade in 2012/13:

  • Broadcasting Standards Authority;
  • Guardians of New Zealand Superannuation and New Zealand Government Superannuation Fund;
  • New Zealand Transport Agency; and
  • Office of Film and Literature Classification.

12: For the results of our audits of other entities, see our forthcoming reports on the audit results for the heath sector, for schools, and for State-owned enterprises.

13: Many Crown entities also have their own enabling legislation.

14: See www.oag.govt.nz/2013/tei-reporting.

15: The Standards Council of New Zealand does not prepare a statement of service performance because it has a reporting exemption under section 143 of the Crown Entities Act 2004. We did not assess the service performance information and associated systems and controls for Callaghan Innovation because it was transitioning from the reporting requirements of a former CRI to those of a non-CRI Crown entity.

page top