This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.
2. Looking back at 2016
3. Looking forward
4. Financial performance and reporting
|Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15.||The quality of financial reporting continued to improve across the NSW public sector.|
|More 2015–16 financial statements and audit opinions were signed within three months of the year end.||Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances.|
NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues.
For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures.
The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years.
To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years.
|Although most agencies complied with NSW Treasury’s early close asset revaluation procedures, we identified areas where they can improve.||Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements.|
|Number of misstatements|
|Year ended 30 June||2015–16||2014–15||2013–14||2012–13||2011–12|
|Total reported misstatements||298||396||459||661||1,077|
All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.
Significant matters reported to the portfolio Minister, Treasurer and Agency Head
In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:
5. Financial controls
Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.
In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.
|More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016.||Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner.|
|Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access.||Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected.|
|We found shared service provider agreements did not always adequately address information security requirements.||Where agencies use shared service providers they should consider whether the service level arrangements adequately address information security.|
|Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports.||The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand, we plan to look at cyber security as part of our 2017–18 performance audit program.|
|We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist.||Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes.|
|Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies, were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data.||The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector.|
|Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice.||To address backlog maintenance it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level.|
|SLA Security Restrictions||Shared service provider|
|SLA is current|
|Acceptable use of IT (forbidden sites, code of conduct, etc.)|
|Access controls (methods, lockout, etc.)|
|Breaches and incidents|
|Management responsible for confidentiality, integrity and compliance|
|Administering new, modified and terminated users|
|No IT security issues raised in our 2016 audit|
7. Service delivery