Report highlights

What this report is about

Workers compensation schemes in NSW provide compulsory workplace injury insurance. The effective management of workers compensation is important to ensure injured workers are provided with prompt support to ensure timely, safe and sustainable return to work.

Insurance and Care NSW (icare) manages workers compensation insurance. The State Insurance and Regulatory Authority (SIRA) regulates workers compensation schemes. NSW Treasury has a stewardship role but does not directly manage the schemes.

This audit assessed the effectiveness and economy of icare’s management of workers compensation claims, and the effectiveness of SIRA’s oversight of workers compensation claims. 

Findings

icare is implementing major reforms to its approach to workers compensation claims management - but it is yet to demonstrate if these changes are the most effective or economical way to improve outcomes.

icare’s planning and assurance processes for its reforms have not adequately assessed existing claims models or analysed other reform options.

icare's activities have not focused enough on its core responsibilities of improving return to work and maintaining financial sustainability.

SIRA has improved the effectiveness of its workers compensation regulatory activities in recent years. Prior to 2019, SIRA was mostly focused on developing regulatory frameworks and was less active in its supervision of workers compensation schemes.

NSW Treasury's role in relation to workers compensation has been unclear, which has limited its support for performance improvements.

Recommendations

icare should:

• ensure that its annual Statement of Business Intent clearly sets out its approach to achieving its legislative objectives
• monitor and evaluate its workers compensation scheme reforms
• develop a quality assurance program to ensure insurance claim payments are accurate.

NSW Treasury should:

• work with relevant agencies to improve public sector workers compensation scheme outcomes
• engage with the icare Board to ensure icare's management is in line with relevant NSW Treasury policies.

SIRA should:

• address identified gaps in its fraud investigation
• develop a coordinated research strategy.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

Results of the local government sector financial statement audits for the year ended 30 June 2023.

Findings

Unqualified audit opinions were issued for 85 councils, eight county councils and 12 joint organisations.

Qualified audit opinions were issued for 36 councils due to non-recognition of rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997.

The audits of seven councils, one county council and one joint organisation remain in progress at the date of this report due to significant accounting issues.

Fifty councils, county councils and joint organisations missed the statutory deadline of submitting their financial statements to the Office of Local Government, within the Department of Planning, Housing and Infrastructure, by 31 October.

Audit management letters included 1,131 findings with 40% being repeat findings and 91 findings being high-risk. Governance, asset management and information technology continue to represent 65% of the key areas for improvement.

Fifty councils do not have basic governance and internal controls to manage cyber security.

Recommendations

To improve quality and timeliness of financial reporting, councils should:

• adopt early financial reporting procedures, including asset valuations
• ensure integrity and completeness of asset source records
• perform procedures to confirm completeness, accuracy and condition of vested rural firefighting equipment.

To improve internal controls, councils should:

• track progress of implementing audit recommendations, and prioritise high-risk repeat issues
• continue to focus on cyber security governance and controls.

Further information

Please contact Aaron Green, Assistant Auditor-General on 9275 7347 or by email.

What this report is about

NSW local councils provide a wide range of essential services and infrastructure to their communities and are increasingly reliant on digital technologies. 

Councils need to manage cyber security risks to ensure their information, data and systems are appropriately safeguarded. Councils also need to be prepared to detect, respond and recover when a cyber security incident occurs. 

The audit assessed how effectively three selected councils identified and managed cyber security risks.  

The audit also included the Department of Planning, Housing and Infrastructure (Office of Local Government) and Department of Customer Service (Cyber Security NSW), due to their roles in providing guidance and support to local councils. 

Audit findings

The audit found that the selected councils are not effectively identifying and managing cyber security risks. Each of the councils undertook activities to improve their cyber security during the audit period, but this audit found significant gaps in their cyber security risk management and cyber security processes.  

Such gaps result in unmitigated risks to the security of information and assets which, if compromised, could impact their local communities, service delivery and public infrastructure. 

Cyber Security NSW and the Office of Local Government recommend that councils adopt requirements in the Cyber Security Guidelines for Local Government, but could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector.

Audit recommendations

In summary, the councils should: 

• integrate assessment and monitoring of cyber security risks into corporate governance processes  

• self-assess their performance against Cyber Security NSW's guidelines for local government 

• develop and implement a risk-based cyber security improvement plan and program of activities 

• develop, implement and test a cyber incident response plan. 

Cyber Security NSW and the Office of Local Government should regularly consult on cyber security risks facing local government, and review the effectiveness of guidelines and related resources for the sector. 

While this report focuses on the performance of the selected councils, the findings and recommendations should be considered by all councils to better understand their risks and challenges relevant to managing cyber security risks.  

Further information

Please contact Claudia Migotto, Assistant Auditor-General on 9275 7347 or by email.

What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

• governance and accountability
• processes and procedures
• data and information management
• support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

Further information

Please contact Claudia Migotto, Assistant Auditor-General on 9275 7347 or by email.

What this report is about

WestInvest is a $5 billion funding program announced in September 2021 to provide ‘local infrastructure to help communities hit hard by COVID-19’ in 15 local government areas (LGAs) selected by the government. It was divided into three parts: $3 billion for NSW government agency projects; $1.6 billion for competitive grants to councils and community groups; and $400 million for non-competitive grants to councils.

Following the change of government at the 2023 election, the program was renamed the Western Sydney Infrastructure Grants Program. Funding decisions made for the community and local government grants were retained, but multiple funding decisions for the NSW government projects were changed.

The audit objective was to assess the integrity of the design and implementation of the program and the award of program funding.

Findings

The design of the program lacked integrity because it was not informed by robust research or analysis to justify the commitment of public money to a program of this scale.

The then government did not have sufficient regard to the implications for the state's credit rating. A risk to the credit rating arose because the government may have been perceived to be using proceeds from major asset sales to fund new expenditure, rather than pay down its debt.

Decisions about program design were made by the then Treasurer's office without consultation with affected communities. The rationale for these decisions was not documented or made public.

For the NSW government projects, funding allocations did not follow advice from departments. Many funded projects did not meet the objectives of the program.

The two other rounds of the program were administered effectively, except for some gaps in documentation and quality assurance. The program guidelines did not require an equitable or needs-based distribution of funding across LGAs and there was a significant imbalance in funding between the 15 LGAs. 

Recommendations

Our recommendations for the administration of future funding programs included:

• considering whether competitive grants are the best way to achieve the program's purpose
• completing program design and guidelines before announcements
• ensuring adequate quality assurance.

We also recommended that when providing advice for submissions by Ministers to Cabinet, agencies should ensure that departmental advice is clearly identified and is distinct from other advice or political considerations.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

This report assesses how effectively SafeWork NSW, a part of the Department of Customer Service (DCS), has performed its regulatory compliance functions for work health and safety in New South Wales.

The report includes a case study examining SafeWork NSW's management of a project to develop a real-time monitoring device for airborne silica in workplaces.

Findings

There is limited transparency about SafeWork NSW's effectiveness as a regulator. The limited performance information that is available is either subsumed within DCS reporting (or other sources) and is focused on activity, not outcomes.

As a work health and safety (WHS) regulator, SafeWork NSW lacks an effective strategic and data-driven approach to respond to emerging WHS risks.

It was slow to respond to the risk of respirable crystalline silica in manufactured stone.

SafeWork NSW is constrained by an information management system that is over 20 years old and has passed its effective useful life.

While it has invested effort into ensuring consistent regulatory decisions, SafeWork NSW needs to maintain a focus on this objective, including by ensuring that there is a comprehensive approach to quality assurance.

SafeWork NSW's engagement of a commercial partner to develop a real-time silica monitoring device did not comply with key procurement obligations.

There was ineffective governance and process to address important concerns about the accuracy of the real-time silica monitoring device.

As such, SafeWork NSW did not adequately manage potential WHS risks.

Recommendations

The report recommended that DCS should:

• ensure there is an independent investigation into the procurement of the research partner for the real‑time silica detector
• embed a formal process to review and set its annual regulatory priorities
• publish a consolidated performance report
• set long-term priorities, including for workforce planning and technology uplift
• improve its use of data, and start work to replace its existing complaints handling system
• review its risk culture and its risk management framework
• review the quality assurance measures that support consistent regulatory decisions.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales.

This audit assessed how effectively the NSW Government provided emergency accommodation and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events.

Responsible agencies included in this audit were the Department of Communities and Justice, NSW Reconstruction Authority, the former Department of Planning and Environment, the Department of Regional NSW and the Premier’s Department.

Audit findings

The Department of Communities and Justice rapidly provided emergency accommodation to displaced persons immediately following these flood events.

There was no plan in place to guide a temporary housing response and agencies did not have agency-level plans for implementing their responsibilities.

The NSW Government rapidly procured and constructed temporary housing villages. However, the amount of temporary housing provided did not meet the demand.

There is an extensive waitlist for temporary housing and the remaining demand in the Northern Rivers is unlikely to be met. The NSW Reconstruction Authority has not reviewed this list to confirm its accuracy.

Demobilisation plans for the temporary housing villages have been developed, but there are no long-term plans in place for the transition of tenants out of the temporary housing.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing.
 
The findings from the 2022 statewide lessons process largely relate to response activities.

Audit recommendations

The NSW Reconstruction Authority should:

• develop a plan for the provision of temporary housing
• review the temporary housing waitlist
• determine a timeline for demobilising the temporary housing villages
• develop a strategy to manage the transition of people into long-term accommodation
• develop a process for statewide recovery lessons learned.

All audited agencies should:

• finalise evaluations of their role in the provision of emergency accommodation and temporary housing
• develop internal plans for implementing their roles under statewide plans.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

Transport for NSW (TfNSW) uses the driver vehicle system (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

• implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
• ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
• ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
• ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
• develop a clear statement of the future role in whole of government service delivery for the system
• resolve key issues currently faced by the DRIVES replacement program including by:
  • clearly setting out a strategy and design for the replacement
  • preparing a specific business case for replacement.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

Results of the audit of the Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS) for the year ended 30 June 2023.

Findings

The audit opinion on the 2022–23 Consolidated State Financial Statements was qualified in relation to two issues and included an emphasis of matter.

The first qualification matter is a continuation of the prior year limitation of scope on the audit relating to the Catholic Metropolitan Cemeteries Trust (CMCT), a controlled state entity, who continued to deny access to its management, books and records for the purposes of a financial audit. As a result, the Audit Office was unable to obtain sufficient appropriate audit evidence to support the assets, liabilities, income and expenses relating to CMCT recorded in the TSS and the equity investment recognised in the GGS relating to the net assets of CMCT.

The second qualification matter relates to the limitations on the accuracy and reliability of financial information relating to Statutory Land Managers (SLMs) and Common Trust entities (CTs) controlled by the State and were either exempted from requirements to prepare financial reports, or who were required to submit financial reports and have not done so. The Audit Office was unable to obtain sufficient appropriate audit evidence to determine the impact on the value of non-land assets and liabilities, income and expenses that should be recognised in the 2022–23 Consolidated State Financial Statements and which have not been recorded in the Consolidated State Financial Statements.

The independent audit opinion also includes an emphasis of matter drawing attention to key decisions made by the NSW Government regarding the future of the Transport Asset Holding Entity of New South Wales (TAHE).

Recommendations

The report includes recommendations for NSW Treasury to address several high-risk findings, including:

• ensuring accurate and reliable financial information is available to recognise the non-land balances of SLMs and CTs
• ensuring the CMCT, SLMs and CTs meet their statutory reporting obligations
• conducting a broader review of the financial reporting exemption framework
• continued monitoring of TAHE's control over its assets
• providing timely guidance to the sector relating to legislative or policy changes that impact financial reporting
• developing an accounting policy for the reimbursement of unsuccessful tender bid cost contributions.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

What this report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2023.

Findings

Internal control trends
The proportion of control deficiencies identified as high-risk this year decreased to 4.5% (8.2% in 2022).

Repeat findings of control deficiencies represent 38% of all findings (48% in 2022).

Information technology
Over half of the agencies reviewed have deficiencies in managing user access to their information systems. Over a third of agencies had deficiencies in their controls over privileged user accounts within their information technology environments.

Cyber security
Over 80% of assessments for maturity levels against the NSW Cyber Security Policy have reported one or more self-assessed Mandatory Requirements are not practiced on a consistent and regular basis.

Essential Eight cyber controls have not improved, and they need to.

Governance framework
Deficiencies were noted in agencies' governance and risk management frameworks, namely: outdated risk management policies, lack of risk appetite statements, and internal audit functions not being externally evaluated.

Payroll and work health and safety (WHS)
Overtime expenses increased by 40% between 2020 and 2023, compared to salaries and wages which increased by 16% over the same period.

Five agencies have WHS policies that do not reflect current WHS regulations.

Recommendations

Several important recommendations were made for agencies to prioritise efforts to improve cyber security controls and cyber resilience measures.

It was also recommended that agencies periodically review their risk management maturity and implement action plans, and ensure their WHS policies and procedures reflect current legislation requirements including the need to manage psychosocial risks.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.