Chief Financial Officer (CFO) Certification

The CFOs of all GSF agencies are responsible to design, implement, continuously monitor and evaluate throughout the year a risk-based internal control framework over their financial systems and information.

This policy establishes this responsibility to assist Accountable Authorities (AAs) fulfil part of their responsibilities under the GSF Act.

Listen

Close up of businessman using a laptop with graphs and charts on a laptop computer.

On this page

Chief Financial Officer (CFO) Certification

High-quality financial information is essential for budgeting and resource allocation decisions. A strong internal control framework over financial systems and information helps maintain accuracy and reliability, ensuring informed decision-making.

CFOs have been required to submit an annual Letter of Certification since 2010. This process provides agency heads with greater assurance about the quality of financial information.

The CFO Certification on the Internal Control Framework over Financial Systems and Information (TPG24-08) (PDF 506.07KB):

Applies to all Government Sector Finance (GSF) agencies, helping Accountable Authorities (AAs) meet their responsibilities under the Government Sector Finance Act 2018.
Requires CFOs to submit an annual certification to their AAs.
Advises CFOs on designing, implementing, and continuously monitoring their internal control framework.
Supports implementation through the CFO Certification Policy Toolkit (PDF 848.07KB) and example checklist (DOCX 2.25MB), which provide guidance and control examples for effective financial information management.

CFO Certification frequently asked questions

What does the policy require?

The policy has 2 mandatory requirements for all GSF agencies:

the CFO must design, implement, and continuously monitor a risk-based internal control framework over financial systems and information
the CFO must provide a Certification to their Accountable Authority before finalising financial statements each year.

It is recommended that CFOs:

design or review the internal control framework before the financial year begins and share it with relevant stakeholders
develop an annual monitoring program in consultation with key stakeholders
provide a mid-year update to the Accountable Authority on the framework’s effectiveness.

What is the difference between mandatory requirements and recommendations?

Mandatory requirements must be followed. Recommendations are not compulsory but should be considered. If a CFO does not implement a recommendation, they must inform their Accountable Authority and Audit and Risk Committee, if applicable.

What has changed under the new policy?

the policy now applies to all GSF agencies, aligning with the Government Sector Finance Act 2018
CFOs must provide a signed Certification before financial statements are finalised
if the Accountable Authority is also the CFO, a separate Certification is still required
material agencies must submit Certifications to Treasury for Total State Financial Reporting, but Treasury no longer requires direct submission

When does the new policy take effect?

The policy applies from 1 July 2024. Agencies requiring significant changes may delay compliance until 1 July 2025.

Do CFOs need to submit their Certification to Treasury?

No, but material agencies must provide a copy to Treasury as part of the Total State Sector Accounts.

Do agencies delaying compliance until 2025 need an exemption?

No formal exemption is required. The decision rests with the Accountable Authority, but material agencies must still submit their CFO Certification to Treasury.

What if an internal control framework is implemented mid-year?

In the first year, agencies can note the framework’s start date on their Certification.

How can finance and budget managers support their CFO?

monitor internal controls in their area
promote a strong compliance culture
use available resources like the CFO Certification Toolkit
communicate the importance of internal controls to non-finance managers.

What is the Committee of Sponsoring Organisations of the Treadway Commission (COSO) 2013 Framework?

It is a widely used internal control framework comprising 5 components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Treasury has best practice resources available upon request.

What should an internal control framework include and what are the controls?

Refer to COSO guidance and best practice examples from Treasury. Contact finpol@treasury.nsw.gov.au for resources.

Internal controls manage risks to achieve objectives such as financial stewardship, public accountability, and compliance with laws.

What does continuous monitoring and evaluation involve?

Monitoring ensures internal controls function effectively. Frequency depends on the agency’s risk profile and can range from periodic to ongoing assessments.

What evidence is required for CFO Certification?

Agencies should provide evidence such as control lists, risk matrices, testing results, and review records. The level of detail depends on risk exposure.

Is using the checklist in the toolkit mandatory?

No, agencies can tailor monitoring methods to suit their needs.

When should the CFO update the Accountable Authority on internal controls?

The timing and format are flexible. Updates can be through meetings, reports, or presentations. If an update is not provided, the CFO must document the reason.

What should an annual program include?

An annual program can be a standalone document or a collection of various documents such as control libraries, risk registers, policies, and review timelines. Treasury provides best practice examples upon request.

Top