To Contents Page To Previous Page To Next Page To Home Page Navigation Bar

 

 

 

DEPARTMENT OF HEALTH

 

 

FUNCTIONAL RESPONSIBILITY AND STRUCTURE

 

Establishment

 

The Department of Health (DH) is an Administrative Unit established pursuant to the Public Sector Management Act 1995.

 

Functions

 

The Department is charged with broad ranging policy and administrative responsibilities associated with health.  One of the functions delegated to the Chief Executive of the Department under the South Australian Health Commission Act 1976 is to ensure that there is proper allocation and use of resources between Hospitals, Health Centres and Health Services incorporated under the Act.

 

The Department’s role includes that as funder or service purchaser, policy setter and strategic planner and provider of services.

 

Structure

 

The structure of the Department of Health is illustrated in the following organisation chart.

 

 

AUDIT MANDATE AND COVERAGE

 

Audit Authority

 

Audit of the Financial Report

 

Subsection 31(1)(b) of the Public Finance and Audit Act 1987 provides for the Auditor-General to audit the accounts of the Department of Health for each financial year.

 

A discussion of the arrangements for the preparation and audit of financial statements for Incorporated Health Services is provided in the section of this Report titled ‘Commentary on Health Services Activities’ following presentation of the Department’s financial statements.

 

Assessment of Controls

 

Subsection 36(1)(a)(iii) of the Public Finance and Audit Act 1987 provides for the Auditor-General to assess the controls exercised by the Department of Health in relation to the receipt, expenditure and investment of money, the acquisition and disposal of property and the incurring of liabilities.

 

This assessment also considers whether those controls are consistent with the prescribed elements of the Financial Management Framework as required by Treasurer’s Instruction 2 Financial Management Policies.

 

Scope of Audit

 

The audit program covered major financial systems and was directed primarily to obtaining sufficient evidence to enable an audit opinion to be formed with respect to the financial statements and internal controls.

 

During 2005-06, specific areas of audit attention included:

 

·                     Risk Management

·                     Insurance Services

·                     Payroll

·                     Accounts Payable

·                     Accounts Receivable

·                     Funding to Health Services

·                     Interstate Patient Transfers

·                     Non-current Assets

·                     Revenue received from the Commonwealth

·                     Grants to Non-government Organisations

·                     Shared Services arrangements

 

The work done by internal audit was considered in planning the audit programs.  Reliance was placed on the work of internal audit in assessing the effectiveness of DH’s internal controls.

 

AUDIT FINDINGS AND COMMENTS

 

Audit Opinions

 

Audit of the Financial Report

 

In my opinion, the financial report presents fairly in accordance with the Treasurer’s Instructions promulgated under the provisions of the Public Finance and Audit Act 1987, applicable Australian Accounting Standards and other mandatory professional reporting requirements in Australia, the financial position of the Department of Health as at 30 June 2006, the results of its operations and its cash flows for the year then ended.

 

Assessment of Controls

 

In my opinion, the controls exercised by the Department of Health in relation to the receipt, expenditure and investment of money, the acquisition and disposal of property and the incurring of liabilities, except for the matters raised in relation to Funding to Non-government Organisations, Interstate Patient Transfers,  Payroll, Accounts Payable and Computer Information Systems Environments as outlined under Audit Communications to Management and Other Matters, are sufficient to provide reasonable assurance that the financial transactions of the Department of Health have been conducted properly and in accordance with law.

 

Audit Committee and Internal Audit

 

The Department’s Audit Committee has continued in operation throughout the 2005-06 financial year.  As a result of the split of the former Department of Human Services (DHS), internal audit and risk management services are provided to the Department by Department for Families and Communities (DFC) under a shared service arrangement.

 

Internal Audit continued to conduct audits within the Department.  In addition to using DFC staff, assignments have been undertaken by private sector firms as contractors.  Work undertaken by Internal Audit for the Department included review of:

 

·                     Casemix model

·                     IT General Controls

·                     Signing of Health Service Agreements

·                     Non-government Organisation (NGO) Performance Management.

 

Budget and Financial Management Consultancy

 

In December 2003, Cabinet approved the engagement of accounting consultants to examine the budget and financial management practices of the former DHS.  The review included evaluation of reporting arrangements and examination of performance against the formal budget allocation and how variations were

managed by the Department.


The final report of the consultants titled ‘Department of Human Services Review of Financial Management Stage One Final Report’ was tabled in Parliament in July 2005.  The key findings of the review were that it was apparent that the DHS budget had experienced unfavourable budget variances for an extended period, yet any attempt to conduct detailed analysis of this budget variance had been hindered by DHS budget information being unreliable.

 

The consultants acknowledge that the Department of Health has acted to address many of the key findings but considered that further work was required to place the financial management of the Department on a sound foundation. In order to implement the recommendations of the consultants the Department has established a steering committee which has embarked on the ‘Financial Management Improvement Project’ (the project). A number of the recommendations have been implemented and others are in the process of implementation. The project is also responsible for managing the Cabinet approved ‘Improved Consolidated Financial Reporting’ initiative across the health portfolio.

 

Audit Communications to Management and Other Matters

 

Matters arising during the course of the audit were detailed in management letters to the Chief Executive.  Responses to the management letters were generally considered to be satisfactory.  The following is a summary of the headings in this section that contain audit commentary relating to the operations of the Department:

 

·                     Risk Management

·                     Recurrent Funding to Health Services

·                     Capital Funding to Health Services

·                     Funding to Non-government Organisations

·                     Interstate Patient Transfers

·                     Commonwealth Government Grants

·                     Payroll

·                     Accounts Payable

·                     Accounts Receivable

·                     Shared Services Arrangements

·                     Information and Communication Technology Management and Control

·                     Complete Human Resources Information System (CHRIS)

·                     DH Communications Network HSNet

·                     Regionalisation of Metropolitan Health Services

·                     Changes to Country Health Services

 

Risk Management

 

Good governance constitutes a number of generally accepted and practised elements, including corporate and operational policy and planning; development and operation of risk and control systems and practices; and the development and operation of internal and external reporting processes.

 

Effective governance at whatever level it is applied, will facilitate and support the achievement of strategic and operational goals/objectives, whether they be at the whole of government, agency or project levels.  One of the important elements of effective governance relates to risk management. 

 

Since 1997, Treasurer’s Instructions and/or the Financial Management Framework (FMF) have placed requirements on agencies and their Chief Executives in relation to the elements of good governance, including risk management practice.

 

In my report for the year ended 30 June 2005 I commented that the effectiveness of governance and risk management practices also require that there be timely response to changing circumstances. For example, the split of the former Department of Human Services into the Department of Health and the Department for Families and Communities, and the dissolution of a number of health service organisations as separate legal entities, and the establishment in their place of three new metropolitan health service legal entities  has given rise to important governance and risk management issues. These changes have, in my opinion, necessitated a comprehensive review of the government and risk management practices that were formerly in operation in these agencies.

 

During 2005-06, Audit reviewed the progress made by the Department in establishing effective risk management practices. As a result of this review, the following observations were made:

 

Strategic Directions

 

As a result of the split of the former Department of Human Services, the Department needed to develop and implement new planning and control processes. To this end the Department developed ‘Strategic Directions 2004-06’ which ‘provides a framework for planning and prioritising actions across the State health system towards achieving the outcomes expected by the Government and the community’.

 

The Department’s ‘Strategic Direction 2004-06’ document was linked to South Australia’s Strategic Plan and also outlined that on an annual basis the Department would develop a companion document detailing the Department’s priorities for action.

 

Audit considers the preparation of a Strategic Directions document, which outlines the Department’s strategic goals and objectives, to be integral to effective risk management.

 

Risk Management and Audit Committee

 

The Department has a Risk Management and Audit Committee (the Committee). The terms of reference of the Committee state that the ‘Committee is responsible for overseeing risk management, internal controls, auditing and monitoring compliance with laws’ policies and relevant codes of conduct, and reports to the Chief Executive’.

 

Further, the terms of reference states that Government policy in South Australia requires the Chief Executive to develop risk management standards and practices to protect and enhance their resources and enable the achievement of corporate objectives.  The purpose of the Committee is to assist the Chief Executive in the identification of risks, determining priorities for action, developing and implementing strategies for effective risk management and in ensuring accountabilities are met.

 

The Department’s ‘Risk Management Policy and Framework’ (RMPF) states  that the ‘Department is committed to protecting itself from situations or events that would prevent it from achieving its strategic goals and objectives’. and that ‘Risk Management is regarded as an integral part of good management practice and the adoption of an agency-wide approach to risk management is a key strategy towards the achievement of the Department’s corporate objectives’.

 

An important element of the RMPF is the identification, analysis, evaluation, treatment and monitoring of risks on a consistent basis across the Department. To facilitate this process the Risk Management and Internal Audit Division have been involved in providing workshops to assist Divisions across the Department in preparing their risk registers and treatment plans.

 

At the Committee’s April 2006 meeting the Committee was advised that a number of risk registers and treatment plans were outstanding.

 

Audit considers that the timely return of risk registers and treatment plans is essential to ensure that appropriate mechanisms are implemented to mitigate risk. An important element of the monitoring and review of identified risks is the development of a risk based Internal Audit Plan. This process is protracted by the incomplete return of risk registers and treatment plans. Audit sought advice from the Department concerning the action the Department proposes to take to progress the completion of risk registers and treatment plans.

 

Departmental Response

In response, the Department advised that the strategic directions and objectives of the Department of Health have been under review for some time and remain under review pending Government’s consideration of its long term strategy for the provision of health services within the State in future.  Notwithstanding, a relevant pragmatic risk management practice is continuing to be followed within the Department.  In addition, each division within the Department has now completed a risk register and treatment plan.

 

Audit will review the Department’s progress during 2006-07.

 

Recurrent Funding to Health Services

 

Recurrent funding to Health Services comprises Departmental expenditure which amounted to $2.1 billion in 2005-06.  The arrangements implemented by the Department to support this function are significant in the context of the monetary amounts involved as well as the impact on the achievement of Departmental and Government objectives.

 

The current funding model has, as its foundation, Health Service Agreements between the Health Units and the Minister which reflect a focus on the Department as a funder purchasing outputs from the Health Units as service providers.

 

The Health Service Agreements between the Minister of Health and Health Services represents a key element of the control framework relied upon by the Department to secure accountability over funds allocated to Health Services.  This framework is premised on the basis that the roles, rights and responsibilities are clearly understood and agreed upon by each party.  It is Audit’s view that executed agreements are a significant component of the control framework over the funding allocation process.

 

Health Service Agreements - Reporting of Key Deliverables

 

As a result of the 2004-05 audit, Audit sought advice from the Department as to whether the Department had established a framework for the reporting of Health Service key deliverables specified within the Health Service Agreements. In response the Department indicated that it was in the process of establishing a framework for the reporting of key deliverables. 

 

Audit review of progress during 2005-06 revealed that the Department has contributed considerable time revamping the content and structure of the Performance Agreements for 2005-06 In particular, Audit noted that the Department has:

 

·                     adopted a uniform format for the Health Service Performance Agreements and the related Companion Document for both Metropolitan and Country Health Services;

·                     adopted a consistent approach across the health sector regarding the indicators to be reported on by each Health Service.

 

In addition, Audit acknowledges that the Department has invested considerable time and effort in the development of a performance framework for the monitoring and reporting of compliance with Health Service Performance Agreements. For example, in early 2005-06 the Department established a Health System Performance Indicator Committee comprising representatives from the Department and Health Services. Audit has been advised that the objectives of the Committee are to:

 

·                     Develop, implement and review a suite of performance indicators that assist the Department of Health and Health Services to monitor and improve health system performance and accountability;

·                     Assist in the presentation and dissemination of related performance reports.

 

Audit acknowledges that the development of a performance framework is a lengthy process and is still evolving. Audit commends the Department on the progress that has been made to date.

 

Funding to Non-Government Organisations

 

The level of funding to Non-Government Organisations (NGOs) for 2005-06 was $53 million. 

 

The 2003-04 Audit review of controls over grant funding provided by the Department to non-government service providers identified a number of control deficiencies relating to the administration and management of grant funding. Control deficiencies identified by Audit included:

 

·                     No evidence to support formal analysis by the Department that linked funding for specific programs to the Department’s strategic objectives;

·                     The lack of a central Contracts Register;

·                     Variations in practice across Divisions;

·                     Lack of formal evaluation of service providers to assess the effectiveness and accountability of funded programs;

·                     Lack of documentation to support performance monitoring;

·                     Funding agreements were not appropriately executed; and

·                     Lack of documented policies and procedures for a number of key areas of operation.

 

During 2004-05 Internal Audit engaged a contractor to undertake a review of NGO Performance Management. Given that the scope of the internal audit review covered areas which would have been tested by Audit, these findings were relied upon by Audit in forming an opinion over the controls in place in relation to grant funding to NGOs.

 

The results of the internal audit review concluded that the performance management of NGOs was unsatisfactory. The review found that there was inconsistency in the application of procedures to manage funding provided to NGOs and a lack of active monitoring and management of the performance of NGOs.

 

Accordingly, the Department’s Controls Opinion for 2004-05 was qualified in relation to grant funding to NGOs.

 

Audit wrote to the Department in July 2006 seeking their advice on the progress regarding action taken in response to the 2003-04 audit of Funding to NGOs and the action proposed in response to the findings of the Internal Audit review.

 

In response the Department indicated that it had established a working group to discuss the issues identified by Internal Audit and establish a set  of recommendations to the internal audit review.

 

NGO Performance Management Reform Project

 

As a result of the issues raised by the Auditor-General and Internal Audit, the Department commenced a ‘NGO Performance Management Reform Project’ (the Project).  The Project outline states that the objective of the Project is to ‘reform the Department of Health’s performance management procedures in relation to non-government organisations’. An external consultant was engaged by the Department and a Project management group was established to oversee the Project.

 

Audit has monitored the progress of the Project during the year.

 

Audit review of the final report by the consultant revealed that the Department has developed a number of processes to address the recommendations made by Internal Audit. In addition it was noted that a number of draft policies have been developed and are in the process of being approved.

 

Audit acknowledges that the Department has undertaken significant work to improve the controls over grant funding to NGOs. Due to the size of the Project Audit understands that many of these processes have only been recently implemented or are in the process of implementation.

 

Audit will follow-up the implementation of these processes during 2006-07.

 

Interstate Patient Transfers

 

The Department enters into a number of Agreements with other States and Territories which sets out the basis of reimbursements between the States and Territories where residents of a State and/or Territory receive admitted patient services in the jurisdiction of another State or Territory.

 

The Interstate Patient Transfer activities affect a number of balances including Revenue and Expenditure.  In the 2005-06 year the balance for Interstate Patient Transfer Revenue was $28.6 million while for expenditure the balance was $18.7 million representing a material balance in the financial statements.

 

Following the 2004-05 financial statement audit a number of issues were communicated to the Department in relation to the Interstate Patient Transfer balances.  These issues included:

 

·                     the need to review the administrative practices and accounting treatment of Interstate Patient Transfers;

·                     the development of appropriate policies and procedures to ensure consistency.

 

A positive response was received from the Department.

 

During 2005-06 Audit undertook a review of the current processes to determine whether they were operating effectively.  These processes included:

 

·                     execution of Agreements

·                     monitoring of payments made/received

·                     the journals processed to reflect the total revenue and expenditure.

 

The results of the review revealed that there are currently no controls in place for the majority of the key processes.

 

In summary the control weaknesses noted included:

 

·                     Inadequate documented policies and procedures for key processes including establishing agreements, monitoring of payments and the gross up journal process;

·                     Failure to receive payments in a timely manner and in accordance with the Agreements;

·                     Agreements and related Schedules being outdated and not reflecting current conditions;

·                     Lack of Monitoring over the payments made/received.

 

In response the Department indicated that it agreed with the recommendations made by Audit and had progressed the implementation of improved processes. Audit will review progress during 2006-07.

 

Commonwealth Government Grants

 

Commonwealth Government grants represent a major source of revenue for the Department.  In 2005-06 the Department received $843 million in Commonwealth Government grants.

 

The results of the audit review during 2004-05 revealed that there are a number of areas where the controls relating to the Grant Revenue environment could be improved.  In particular, Audit considered there to be a strong need for the Department to consider centralising the grant revenue management, monitoring and reporting practices across the Department and to establish and implement policies which explicitly detail the controls and responsibilities over this area of departmental operations. During the 2005-06 audit, Audit noted that a significant amount of work has been put into centralising these processes. Notwithstanding, Audit observed that there are still areas for improvement, including increasing the level of communication between the key divisions and the specialist areas for the major agreements.

 

Whilst Audit recognises that a significant amount of progress has been made with regards to the existing controls and to centralising the process, the following control weaknesses were noted:

 

·                     Absence of formal policies for all key activities including the receipt, management, monitoring and acquittal of Commonwealth funds;

·                     Absence of a verification process of the amount to be funded under the Australian Health Care Agreement to ensure the State receives all funding entitlements.

 

In response the Department concurred with the findings and recommendations made by Audit and indicated the progress that has been made to date with respect to the issues raised by Audit.  Audit will monitor progress during 2006-07.

 

Payroll

 

Salaries and Wages expenditure processed through the Payroll system represents a significant expenditure item for the Department amounting to $58.2 million in 2005-06.  Audit review included assessing system controls over transactions processed by the CHRIS payroll system. 

 

Audit coverage also included a follow up of the Department’s progress in addressing issues raised as a result of the 2004-05 audit. 

 

Audit has previously identified and reported on a number of control weaknesses relating to payroll control environment which has ultimately lead to the controls opinion issued by the Auditor-General to be qualified. 

 

In summary the control weaknesses noted in past audits have included:

 

·                     inadequate documented policies and procedures for key payroll processes;

·                     ineffective bona fide certification process;

·                     poor return rate of bona fide reports;

·                     unreliable leave recording and management processes; and

·                     breakdowns in performance of key reconciliations and effective maintenance of clearing accounts.

 

A Service Level Agreement (SLA) was entered into by the Department for the 2005-06 year with the Southern Adelaide Health Service (SAHS) whereby a number of the payroll functions are now performed by SAHS.  In undertaking the 2005-06 audit for Payroll, the control environment of SAHS was also considered to ascertain whether reliance can be placed on the controls relating to the processing and recording of payroll.  Although the SLA has resulted in SAHS being responsible for a number of key payroll processes, other key controls are still the responsibility of the Department, one such being the bona fide review process which is considered a key control in the Department’s payroll environment.

 

The results of the 2005-06 audit revealed while that some progress has been made on addressing the abovementioned control weaknesses, in particular development of documented policies and procedures ,there remains significant control weaknesses in the payroll processing environment.

 

In summary the control weaknesses noted during the 2005-06 audit included:

 

·                     absence of return of all bona fide certificates from Departmental managers;

·                     failure to update current Departmental policies to reflect the new payroll environment (ie incorporating the use of SAHS into the policies);

·                     absence of a formalised Departmental policy over all key control areas;

·                     absence of review over the reconciliations performed to ensure the Payroll System (CHRIS) is completely and accurately updating to the General Ledger (GL).

 

As a consequence of these control weaknesses, the Department’s controls opinion has continued to be qualified in relation to the payroll control environment.

 

Bona Fide Certificates

 

The issue of bona fide certificates has been raised with the Department over the last few years. The bona fide certification process represents a key element of the Department’s internal control environment and is relied on to provide the Department with assurance that payroll payments are made to bona fide employees, for work actually performed and at the correct classification.

 

Audit review revealed that a significant number of bona fide certificates relating to the Department were not returned to the payroll area within the required time frame or, in a number of instances, not returned at all. As previously mentioned the lack of return of bona fide certificates by the relevant managers exposes the Department to the following risks:

 

·                     invalid people being paid by the Department;

·                     employees being paid at incorrect rate, for hours not worked or for overtime not entitled to;

·                     employees leave details not being accurately and completely captured and recorded in the payroll system.

 

It is Audit’s view that for this highly important control to be effective, the Payroll Services division as well as each Departmental cost centre must work together to achieve, as close as possible, full compliance on an ongoing and timely basis with the bona fide Policy. Commitment from every accountable officer is required to effectively address the control weakness.

 

As a result of the control weaknesses noted Audit made a number of recommendations to the Department.  In response the Department indicated that it agreed with the recommendations of Audit and outlined actions underway to improve processes.  Audit will monitor progress during 2006-07.

 

Accounts Payable

 

The scope of the audit included consideration of the control arrangements relating to both the Masterpiece Online Purchasing and the Accounts Payable systems. Specific areas of focus included:

 

·                     use of the online purchase order system to authorise expenditure;

·                     use of the online purchase order system to validate goods and services received;

·                     use of payment vouchers to authorise expenditure;

·                     arrangements for the disbursement of funds;

·                     management and maintenance of the vendor masterfile;

·                     update of accounts payable information to the general ledger;

·                     review over credit card processes; and

·                     progress of issues raised in prior years audits.

The Department has not only responsibility for processing their own accounts payable transactions but also for the Department for Families and Communities (DFC) under a Shared Service Arrangement. In addition, DFC provide services to the Department in relation to the online purchase order system.

 

Audit has previously identified and reported on a number of control weaknesses relating to the Accounts Payable control environment which ultimately led to the controls opinion issued by the Auditor-General to be qualified in the 2004-05 year.  In prior years, the control weaknesses mainly related to the delegations resulting in Audit being unable to place any reliance over the delegations in place.

 

The results of the 2005-06 audit revealed a number of the previously highlighted control weaknesses still exist including those in relation to the delegations which has again resulted in the controls opinion being qualified.

 

In summary the control weaknesses noted during the 2005-06 audit included:

 

·                     the absence of a regular review of the online purchase order system delegations to the approved delegations as documented on the Department’s intranet;

·                     instances where requisitions had been approved based on the line amount rather than the total value of the requisition;

·                     instances where non-exempt expenditure was processed using Manual Payment vouchers rather than the online purchasing system; and

·                     Lack of documented policies for key controls and processes.

 

As reported in previous reports, Audit considers the online purchase order system incorporates sound controls.  It is Audit’s view that the use of the system provides stronger controls than are available with the use of manual payment vouchers.  Review of the Department’s processes for raising purchase orders, processing supplier invoices and disbursements found that the system is not being used in all applicable instances, as is required by the Department’s Online Purchasing Policy.

 

In some instances reliance is placed upon the approval of a manual payment voucher to ensure expenditure has been authorised and that the goods/services have been received.  Due to the size and the decentralised operations of the Department, Audit considers that the reliance on an authorising officer’s signature to process a payment voucher or invoice does not represent a strong control.

 

A positive response was received from the Department.

 

Invoice Processing - BasWare

 

In January 2006 the Department implemented a new system for invoice processing called BasWare that requires the electronic approval of invoices based on system delegations. This will provide a system control in a similar way to the online purchase order system.

 

Audit is aware that the implementation of BasWare has encountered some problems. The Department has indicated that ‘BasWare implementation issues have led to some delays in the payment of accounts. These issues include some technical problems, procedural issues, difficulties experienced by staff in adapting to the system and some mistakes in the implementation strategy’. The BasWare system will be reviewed by Audit during 2006-07.

 

Delegations of Authority

 

Delegations of Authority are an important matter in ensuring that proper controls are operating within an agency regarding expenditure approvals and are specifically mandated by the Treasurer’s Instructions issued pursuant to the Public Finance and Audit Act 1987.

 

Treasurer’s Instruction 8.21 allows a responsible Minister to grant annually to a Chief Executive of a Government Department a standing authority to incur expenditure for the financial year. Where such an authority has been granted, the Chief Executive can in turn sub-delegate to officers of that public authority.

 

As part of the audit of the Department of Health for the year ending 30 June 2006, Audit requested a copy of the delegation of authority to incur expenditure from the Minister of Health to the Chief Executive. Despite exhaustive checks, the Departmental officers could not locate any such delegation for the year ending 30 June 2006. The last delegation on file was signed on 31 July 2004 and based upon this delegation, the Department had established a series of sub-delegations which underpinned its operations throughout the 2005-06 financial year.

It should be noted that the Treasurer’s Instructions expressly provides for the annual refreshment of a delegation of authority as an important control mechanism in ensuring the continuing appropriateness of existing delegations of authority.

 

In the absence of a delegation from the Minister, all expenditure, with the exception of employee benefits, reflected in the Department’s financial report for the year ending 30 June 2006 was not appropriately authorised in accordance with the Treasurer’s Instructions.

 

Whilst the obligations of Government to external parties acting in good faith, will not, per se, be affected by an unauthorised approval within Government, nevertheless, the failure to ensure that proper delegations are in place and properly managed is a serious control deficiency.

 

Accounts Receivable

 

The results of the audit of Accounts Receivable revealed that there is a number of control weaknesses relating to the accounts receivable processing environment.  Audit noted the following control weaknesses:

 

·                     Cash handling Controls — failure to review the monthly deposit reconciliation;

·                     Approval of Invoice Requests — absence of appropriate approval over invoice request forms in accordance with the Department’s Financial Services Customer Service Manual;

·                     Review over invoices raised — absence of Departmental policy concerning operational controls for the review of invoices raised;

·                     Debtor Follow up Procedures — failure to adhere to Departmental policy.

 

In its response the Department indicated action would be taken to address the recommendations made by Audit.

 

Shared Services Arrangements

 

As a result of the restructure of the former Department of Human Services, certain business services were retained by DH and DFC respectively.  As a result, shared services arrangements were entered into for the 2004-05 and 2005-06 years to facilitate the delivery of certain business services to both agencies.  Under these arrangements, the services provided to DFC by DH include Financial Services; and Legal Services. Services provided to DH by DFC include Risk Management and Internal Audit Services; Purchasing; Information and Communication Technology for Telecommunications Services and Masterpiece Services; and Fleet Management.

 

Audit review of the 2005-06 Shared Services arrangements between DH and DFC revealed that the Shared Services Agreements were not executed on a timely basis. The agreements for the provision of services by the Department of Health and vice versa were executed in late June 2006.

 

Audit considers that the Shared Service Agreements between the Department of Health and DFC represent an important element of the control framework as they document expectations of both agencies regarding the roles, rights and responsibilities that have been agreed upon by each party. Audit considers it important that the agreements are executed on a timely basis.

 

This matter was raised in late August 2006 with the Department and at the date of finalisation of this Report, a response had not been received.

 

Commentary on Computer Information Systems (CIS) Environments

 

During the year, Audit continued to review various aspects of information technology associated with the Department’s responsibilities and operations.  The audits, where applicable, included follow up of issues identified in previous reviews. 

 

Information and Communication Technology Management and Control

 

During the year, Audit conducted a review and consideration of matters of an Information and Communications Technology (ICT) strategic planning and management control nature relating to the Department of Health (DH).  The review noted that:

 

·                     DH was progressing the formalisation of ICT governance structure and arrangements and that, importantly, regions and health units were represented on the ICT Steering Committee and the individual ICT Governance Boards;

·                     DH has a comprehensive ICT strategic plan;

·                     DH has up to date Information Security Standards.  There are still some areas in need of management attention as commented below; and

·                     Disaster recovery planning for the majority of DH ICT systems was deficient and would be addressed as new whole of health enterprise systems were implemented, albeit over an extended period of time.

 

Regarding information security, a security management systems certification audit by an external consultancy identified some action items to be addressed.

 

With respect to disaster recovery planning, it is the intention of ICT management to initiate a dedicated project early in the new financial year to examine the issues associated with disaster recovery planning for mission critical applications across health, and the quality and extent of business continuity plans that are in place at the health unit levels.

 

These matters relating to information security and disaster recovery planning will be the subject of further review in 2006-07.

 

Complete Human Resource Information System (CHRIS)

 

The 2004-05 Report included commentary in regard to a review that was undertaken in 2005 of the Department of Health (DH) Complete Human Resource Information System (CHRIS). The DH CHRIS Human Resource Management System (HRMS) is processed at a bureau service managed by an external service provider.  The review also addressed compliance by both parties to the Bureau Service Agreement (BSA) between the Minister for Health and the external service provider.  DH is responsible for managing the contract of the CHRIS HRMS application on behalf of DH and all health units.

 

The 2005 Audit review also included follow up of action taken on matters raised in a 2003 external consultancy security review of the bureau service commissioned jointly by DH and the Department for Administrative and Information Services (DAIS).

 

The observations arising from the 2005 Audit review principally related to variations to the Bureau Service Agreement, outstanding issues from the 2003 external consultancy security review, applicability of DH security patch management policy and procedures to the external service provider, testing of the external service provider Disaster Recovery and Business Resumption Plan, the establishment and testing of a business continuity plan for the now Department for Families and Communities (DFC) Workforce Services, and establishment of service level agreements between DH Central Support Unit and individual business units and health units.  Further, Audit observed that regular security assessments have not been conducted subsequent to 2003 by DH and DAIS to examine the external service provider CHRIS operational environments to confirm that hardware, software and general computer controls meet compliance with the Government’s Information Security Management Framework.

 

Last year’s report also advised that the Department had identified a range of measures to be taken in relation to the matters raised by Audit.

 

During the year, a follow up review was undertaken to obtain a current update status of resolution of action items from the 2005 review.  The review revealed that certain areas have been satisfactorily addressed.  Notwithstanding, there still remains matters to be fully actioned by the Department.  The Department advised that it:

 

·                     was consulting with DAIS to complete a security review of the external service provider in the 2006 calendar year;

·                     would progress the assessment of the DH security patch management policy and procedures for applicability to the external service provider;

·                     intended to undertake a physical test of the external service provider Disaster Recovery and Business Resumption Plan within the 2006-07 financial year;