The Standing Directions 2018 (the directions) under the Financial Management Act 1994 (FMA) require relevant organisations to attest to compliance with a range of requirements, including those in the Victorian Government Risk Management Framework (VGRMF). These organisations must attest annually in their annual reports. The attestation must be verified by their Audit Committee.

We won’t go into detail about each VGRMF requirement here but explore the act of attesting and the work involved. For specific details about the mechanics of attesting, go to the Department of Treasury and Finance’s (DTF) website. It includes which government agencies are covered, reporting deadlines, year-end checklists and important compliance information.

What does the word “attest” mean?

Attesting is an act of communication, certifying something is true to someone else. To attest, you need to carefully examine and conclude whether something is true by analysing best available information (this includes when something is partially true).

Who attests?

Standing Direction 5.1.4 of the FMA requires the responsible body (or one of its members) to attest every year to the public. This body is normally the Board or, if no Board exists, the Accountable Officer authorised to act for the organisation.

The risk practitioner’s role is to facilitate the process which includes:

  • Understanding how the VGRMF requirements apply to the organisation
  • Preparing the Accountable Body to attest by finding out what evidence they need
  • Gathering and analysing the evidence to provide to the Audit Committee for verification
  • Recommending the extent to which the attestation can be made
  • Identifying any deficiencies in the risk management framework and determining a plan to remediate

When does the work of attesting take place?

Government organisations typically carry out a sequence of year-end tasks to close off, audit and publish their financial results in an annual report. This can take several months.

Attesting occurs between the end of the financial year and the annual reporting submission deadline.

For most organisations, the Audit Committee of the Board will examine the operation and design of the risk management framework as part of its ordinary work. Based on its findings, the Committee then recommends to the full Board how it will attest for that financial year – whether partially or fully.

Agencies then provide their attestation in a compliance report to their relevant Portfolio Department, which reports into DTF and finally the Assistant Treasurer.

How do we disclose this publicly?

You’ll record your conclusion in a statement for others to read. This typically is an internal document which records the words used to attest and links it to evidence that supports the conclusion.

For public disclosure, the Standing Direction 5.1.4 only requires you to record a blanket statement of compliance with the Financial Management Act and any material compliance deficiencies. To see the required wording for your Annual Report, see DTF’s model report.

There are benefits in publicly disclosing your risk management practices, for example:

  • In your annual report
  • On your website, especially where your risk management framework needs community cooperation for it to work. There are many examples in Victoria, such as managing risks to:
    • patient safety in healthcare
    • school excursions and camps
    • Occupational Health and Safety (OHS) assessments for all employers
    • information management for Victorian agencies
    • climate change in the water sector
    • public infrastructure projects like the level crossing removal

Publicly disclosing your risks and the adequacy of your risk management framework provides the public with confidence that you’re actively considering future uncertainty. Some risks, such as climate change and cyber security, are of high community interest. Acknowledging these risks and the work being undertaken to address them can contribute to a more positive public reputation.

Attesting to the VGRMF is part of how the government fosters good practice

In Victoria, the requirements for using public resources are set out in a series of statutes, supported by directions issued by Ministers. The FMA is one such statute and the Assistant Treasurer issues the directions.

The directions require agencies to prudently manage the State’s finances by requiring adherence to minimum standards. This holds agencies and their responsible bodies accountable for the public resources provided to them.

One direction is the requirement for agencies to practice risk management in line with the VGRMF. Others relate to activities such as using purchasing cards, controlling fraud, internal auditing and running an Audit Committee.

The VGRMF mandates 16 minimum standards for government organisations in the areas of risk management and insurance. To boil these requirements down to the main ideas, you’re attesting that you’ve:

  • applied a principles-based approach to managing risk, aligning to the International Standard, AS ISO 31000:2018. This means ensuring your risk management framework assists your decision makers to protect and create value
  • taken the time to consider what can be insured, what can’t, and whether you have the right insurances in place

Material compliance deficiency

An inability to comply with the direction is referred to as a ‘material compliance deficiency’. This is a compliance deficiency that a reasonable person would consider has a material impact on the Agency’s or the State’s reputation, financial position or financial management.

How does attesting benefit you?

To attest, you devote time and effort to examine your risk management framework. This provides you the opportunity to ensure your framework:

  • continues to reflect the internal and external context in which you operate
  • has the right quality and is adequate for your main activities and functions
  • helps your decision-makers protect the value of the places and systems in your care, and be innovative and alert to opportunities to create value

By attesting each year, you’re able to continuously adjust and improve the risk management framework.

What work needs to be done?

The real work is gathering sufficient evidence to enable a responsible body to attest, whether partially or fully, to the mandatory requirements. To make it easier, use this attestation checklist [DOCX, 121KB] which takes you through the requirements and a simple process.

You’re attesting that you’re satisfied

Your responsible body needs to be satisfied that their organisation has met the requirements. This requires judgement and should consider the organisation's context.

For the risk practitioner, the challenge is working out how much information is needed to satisfy the people who need to attest. This includes making time early in the year to:

  • explain the requirements to those who’ll attest and confirm their understanding
  • agree what evidence will satisfy them
  • openly discuss mandatory requirements which can’t be easily met before year end and start planning to address these gaps
What is meant by judgement?

Minor gaps or departures from the mandatory requirements shouldn’t stop someone being satisfied the requirements are met. It’s about whether you’ve got major reservations about your ability to manage risks. Take these examples:

  • The responsible body can be satisfied from its experience that there’s a good risk culture despite a lack of documentation.
  • Alternatively, if the responsible body has little confidence about how the organisation is managing the forecast impacts of climate change, it won’t be able to fully attest.

Note: not fully attesting may not mean a material compliance deficiency has occurred.

Gathering the right evidence

The amount of evidence you’ll need to satisfy your responsible body’s attestation varies based on their own judgements of what’s sufficient and the organisation’s size and complexity. To help you determine the evidence you’ll need, try and answer these questions:

  • do we understand the 16 requirements and how they relate to our organisation?
  • how do we ensure the evidence covers all our main functions and activities?
  • who can help us gather the information we need?
  • when or how often should we gather the information?
  • how can we be reasonably sure the information’s correct?

Much of the evidence you need won’t be hard to find. These should be the ordinary records of risk management and insurance activities. Obvious examples are the records of the Audit Committee of the Board, reports from Executives accountable for the main functions and activities, and training records. The records of the person or team tasked with the organisation’s risk services and insurance management are a primary source of evidence.

Responsible bodies may also desire an independent review of their ability to meet the requirements, often undertaken by internal auditors.