Report highlights
What the report is about
In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.
This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.
The report is framed by recognition that the past four years have seen significant challenges and emergency events.
The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.
The report is a resource to support public sector agencies and local government to improve future programs and activities.
What we found
Our analysis of findings and recommendations is structured around six key themes:
- Integrity and transparency
- Performance and monitoring
- Governance and oversight
- Cyber security and data
- System planning for disruption
- Resource management.
The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.
In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.
The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
Fast facts
- 72 audits included in the Audit Insights 2018–2022 analysis
- 4 years of audits tabled by the Auditor-General for New South Wales
- 6 key themes for Audit Insights 2018–2022.
1. Auditor-General’s foreword
I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.
The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.
While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.
Margaret Crawford
Auditor-General for New South Wales
Key Insights
Integrity and transparency
- Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption.
- Government entities should report to the public at both system and project level for transparency and accountability.
- Entities must provide balanced advice to decision-makers on the benefits and risks of investments.
- Clear guidelines and transparency of decisions are critical in distributing grant funding.
- Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.
Performance and monitoring
- Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds.
- Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact.
- Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery.
- Quality assurance should underpin key inputs that support performance monitoring and accounting judgements.
Governance and oversight
- The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work.
- Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls.
- Active review of policies and procedures in line with current business activities supports more effective risk management.
- Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues.
Cyber security and data
- Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.
- In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite.
- Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting.
- Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need.
System planning
- Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends.
- Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination.
- Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders.
- Formal structures and systems to facilitate coordination between agencies are critical to more efficient allocation of resources and to a timely response to unexpected events.
Resource management
- Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest.
- Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
- Transformation programs can be improved by resourcing a program management office.
2. Introduction
This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.
- Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
- Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
- Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.
This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.
The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.
This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.
3. Integrity and transparency
What we found
Our audits highlighted gaps in core elements of public service accountability
Integrity is core to the work of the New South Wales public sector. Since 2018, audits have continued to identify deficient practices in transparency and integrity in the delivery of government services and the expenditure of public funds. The Government Sector Employment (GSE) Act 2013 is unambiguous. In the administration of public funds, public sector employees must uphold core ethical principles such as impartiality, transparency, equity, and fiscal responsibility. This is core to maintaining integrity in government activities.
More than half of performance audit reports identified gaps in public reporting on government activities. Transparency to the public and keeping good records of decisions taken are fundamental elements of integrity in the public sector. They are also legislated requirements of all public sector agencies. Agencies are obliged to provide complete and timely records to the Audit Office and other integrity bodies, as highlighted in our recent report on 'State Finances 2021'. Failure to do so risks undermining public trust in agency activities and impedes the ability to provide assurance over the use of public funds.
Our reports highlight core elements that all agencies should uphold to protect the integrity of government administration. Clear accountability for decisions taken, and ensuring that probity obligations are not sacrificed in haste and in the pursuit of an outcome, are examples where audits identified opportunities for greater rigour in the use of public funds. Accountability and transparency are fundamental to the role of the public service in providing advice to decision-makers and supporting evidence-based programs and services, and for building community confidence in government entities.
Key insights
- Public reporting and transparency: Public reporting on spending and performance, at both system and project level, is core for agencies to demonstrate the public sector values of transparency and accountability for their activities.
- Advice to government: Government agencies have a responsibility to provide decision-makers with documented, accurate and balanced advice, particularly in relation to the benefits and risks of different investment options.
- Conflicts of interest: Understanding and documenting perceived and actual conflicts of interest helps to manage risks to agency independence, and improves confidence that decisions are taken in the public interest.
- Documenting ministerial directions: Documentation of directions, deliberations, negotiations, and decisions is necessary to enable oversight and accountability, particularly for complex or contentious projects, or decisions made out-of-session.
- Administering decisions of government: Public sector employees are required under the GSE Act 2013 to adhere to core ethical principles in administering the allocation of government funds, such as impartiality, transparency, equity, and fiscal responsibility.
- External assurance: Obtaining external or independent assurance can be an effective means for improving confidence in program outcomes, and for supporting the integrity of systems or controls, particularly for major programs such as infrastructure.
- Record keeping: Without effective record keeping, government agencies cannot demonstrate that proper process was followed, identify or rule out misconduct or corruption, or provide adequate justification of funding decisions.
- Probity: Policies and frameworks documenting probity requirements should include controls for fraud and corruption and provide guidance on circumstances when probity advisors should be used.
- Provision of information: Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.
Audit examples
Balancing project outcomes with due diligence: Acquisition of 4–6 Grand Avenue, Camellia
In response to a request from the Minister for Transport and Roads, we audited the acquisition of a parcel of land at Grand Avenue, Camellia, connected with a transport project. The audit found shortcomings in integrity and transparency, including:
- advice to decision-makers did not give enough focus to achieving value for money and omitted key information about cost estimations and due diligence activities undertaken. A summary report of due diligence activities and outcomes would have supported more informed executive consideration of land acquisition proposals
- important risks to program integrity included insufficient probity controls around conflicts of interest, inadequate documentation of negotiations and decisions, and major decisions being made out-of-session with short deadlines. These all created risks to identifying misconduct or corruption
- independent valuation on assessments of land market value was sought after acquisition decisions had been made, and excluded the costs to remediate known land contamination. This overstated the value of the site and created risks to obtaining value for money
- insufficient risk management practices, including a lack of guidance on escalation within key policy frameworks, resulted in a failure to escalate significant risks. Examples included pressure from external parties to finalise a transaction and accepting responsibility for land remediation without assessing the cost of known contamination risks
- improved controls assurance processes would have increased compliance with key policies and procedures, for example by ensuring that delegation authorities are clear. The audit found that Transport for NSW staff did not have the necessary delegation to approve the land acquisitions that proceeded.
Preserving trust in government: State Finances 2021
Under the Government Sector Audit Act 1983 the Auditor-General provides an independent auditor's opinion on the State's consolidated financial statements. In 2021, this opinion was delayed due to significant accounting issues relating to the State's equity investment in the Transport Asset Holding Entity (TAHE). The report noted shortcomings relating to the integrity of processes and systems, including:
- inadequate governance and quality control processes for the complete and timely sharing of information with integrity bodies prevent effective oversight and reduce accountability for decisions
- extensive reliance on consultants to provide advice on government decisions, including a lack of adequate oversight of the use of consultants, can give rise to a risk of opinion shopping and create gaps in internal capability.
Documenting ministerial directions: Integrity of grant program administration
Our audit of two grant programs assessed the integrity of the assessment and approval process for allocating grant funds. This audit identified significant shortcomings in the integrity of both programs and raised important insights about the way public sector employees should document and respond to ministerial directions on funding allocations. The audit raised issues including:
- inadequate program guidelines, with critical gaps relating to how funding would be prioritised and how projects would be assessed against criteria, meant that the assessment and approvals process for selecting grant recipients lacked integrity
- funding allocations were distributed in accordance with ministerial directions, without merit assessment of projects selected for funding
- incomplete records documenting ministerial directions to allocate funding outside of the grant assessment process prevented accountability and transparency of the decisions and approvals for the distribution of grant funding
- failure to capture reasons for ministerial funding directions compromised the agency’s ability to demonstrate integrity and value for money in the grant approvals process, and created a perception that factors other than project merits influenced the decision.
4. Performance measurement and monitoring
What we found
Measuring and monitoring performance is necessary to demonstrate value
Since 2018, our audits have identified opportunities for government agencies to better measure their performance, through establishing expected performance levels and developing metrics to assess activities and outcomes. Defining measurable outcomes, tracking and reporting performance are core to delivering system stewardship, and to ensure effective and economical use of public funds. New South Wales Treasury policy specifies that agencies are expected to make performance-based investment decisions in line with principles of Outcome Budgeting.
Audits have identified gaps in setting performance targets and in the monitoring and evaluation of service delivery activities, both for in-house and externally commissioned services. We identified similar deficiencies across a wide range of government activities including infrastructure and development works, short-term programs and campaigns, grant funding initiatives, and planning and forecasting activities. All of these activities should be supported by performance frameworks that provide structure for agencies to set performance targets, assess performance gaps, measure outcomes achieved and benefits realised, capture lessons learned, and implement continuous improvement. Our audit findings also offer an opportunity for agencies to learn from the experiences of other parts of government and reflect on their own practices.
Key insights
- Performance measures: Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact. Where possible, direct performance measures give a more complete view of performance than proxy measures.
- Monitoring: Undertaking a schedule of regular review helps government ensure that performance (both internal and outsourced) is on track to achieve intended policy objectives, take action when delivery is not on track, and manage progress against milestones.
- Benchmarking: Quantifiable indicators provide an opportunity to benchmark performance against comparators and to create common performance standards across different services or entities.
- Capturing and using lessons learnt: Failure to capture and apply lessons learned from programs and initiatives, especially those developed under time constraints, risks mistakes being repeated and undermines future decisions on the use of public funds. Capturing lessons from pandemic response solutions allows relevant lessons to be integrated into business-as-usual and to support future emergency responses.
- Benefits management: Benefit realisation plans should be in place at the beginning of a program and be regularly revisited during implementation. Plans should define clear accountability and resourcing, define measurement of benefits with baselines and targets, review benefits during delivery, and evaluate costs and benefits realised post-delivery.
- Regular reporting: Regular and timely reporting to senior management should include progress against milestones and budget, and highlight key risks to support effective decision-making and risk management.
- Evaluation: Evaluation of key programs and services should be undertaken and include an assessment of whether they are achieving intended outcomes and were implemented in accordance with policy and procedures.
- Quality assurance: Quality assurance and validation should underpin key inputs that support performance monitoring and accounting judgements.
Audit examples
Evaluating new initiatives and emergency responses: Responses to homelessness
This audit considered how effectively the Department of Communities and Justice was implementing a five-year strategy to address homelessness, and efforts to address street homelessness in the government’s COVID-19 response. It found that the strategy would have limited immediate impact on its objectives to prevent homelessness and support people experiencing homelessness, because it was designed to build evidence to inform future state-wide action. The audit also found that a crisis response was effectively planned and implemented to assist people sleeping on the streets during the first year of the pandemic. The report identified opportunities to improve practice, including:
- using the data and analysis identified through the strategy would enable the Department to advise the government on addressing homelessness, and to understand demand and unmet need for homelessness supports, across the state
- an evaluation framework was designed and implemented for the strategy, but delays in the delivery of initiatives create a risk that the Department will have limited evidence available during evaluation of the strategy to inform future service development and funding opportunities
- gaps in the collection and monitoring of data on outcomes for service users, and those not engaged in services, created obstacles for developing evidence-based initiatives to break the cycle of homelessness, and to drive a program of continuous improvement
- a ‘lessons learned’ review would ensure effective pandemic response solutions can be captured and integrated into business-as-usual, where appropriate, and support future emergency responses
- updates to policies and procedures would assist the agency to embed changes to practice resulting from the COVID-19 pandemic response.
Developing effective performance measures: Train station crowding
We examined the effectiveness of management strategies for platform crowding at Sydney train stations. This audit found that management strategies for reducing crowding at stations were being delivered locally under devolved management, without overarching centralised strategic guidance or defined performance indicators. Lack of centralised oversight of management activities meant that the agencies did not know if the crowding risk was being effectively managed. The report highlighted several areas where performance measurement and monitoring could be strengthened, including:
- the use of proxy metrics to estimate performance may not give a complete view of an activity or situation, whereas a performance indicator that directly measures output or outcomes, where possible, would allow a more accurate understanding of performance
- gaps in policies and procedures had impeded the identification of common or shared risks relating to station crowding for stations under devolved management and had also affected the effective implementation of management controls to address these risks
- the absence of evaluation of new programs or initiatives meant agencies could not demonstrate value for money of ongoing investment in demand management strategies or programs
- identifying lessons learned from new initiatives would allow effective approaches or outcomes to be embedded into future strategies seeking to manage demand and reduce risk.
Quantifying and measuring benefits: Supporting the District Criminal Court
This audit considered whether the Department of Communities and Justice is supporting the efficient operation of the District Criminal Court system, including through the provision of data and technology services. Key gaps in the controls around data accuracy, and outdated technology, meant that the audit concluded the Department was not effectively supporting the efficient operation of the District Criminal Courts. The audit also found gaps in the collection and use of information to assess performance, with opportunities to improve several aspects of performance monitoring and measurement including:
- lack of alignment with the NSW Government’s Benefits Realisation Management Framework impeded the measurement of expected benefits relative to funding proposals
- without specific performance measures to quantify the Department’s activities, there was no way to assess the quality of service or the impact of new initiatives
- evaluation of options was needed to improve the level of service in regional and rural locations, including through the use of service agreements to measure and track performance, to improve state-wide efficiency and consistency of service.
5. Governance and oversight
What we found
Good governance is a critical foundation for success
Good practice principles for public sector governance are detailed in the NSW Audit Office 2015 'Governance Lighthouse' framework and other NSW Government resources, such as the New South Wales Public Sector Governance Framework. Key pillars of governance include the need for clear strategy, accountability, measurement, and reporting. These principles are relevant across all areas and levels of government, from administering agencies to short-term projects and programs. Governance structures provide the foundation for effective decision-making that balances complex or competing objectives, strategic priorities, input from relevant stakeholders, cross-agency interactions, and legal or regulatory obligations.
Strong systems of governance are increasingly important in the current environment of uncertainty, and in view of the growing level of coordination and engagement required between agencies and with external stakeholders in responding to this uncertainty. Collaboration offers many opportunities for government, including opportunities to improve planning efforts, to align priorities and objectives, to diversify the available expertise and capabilities, and to improve the management of shared risks such as cyber risk. However, it also brings challenges including the time and resource investment required, and the difficulties that arise when authority isn’t clear or where speed is prioritised over effectiveness. Genuine engagement should be facilitated through formal governance arrangements that embed stakeholder input into decision-making systems and processes.
Audit reports frequently identify gaps in governance and oversight, including inconsistent risk management practices, and gaps in the oversight of outsourced programs and services. These undermine the ability to assess success and to ensure that value is delivered for contracted services and cross-agency activities. Audits have found significant gaps in the structure and function of oversight bodies, including unclear roles and responsibilities, incorrect or out-of-date delegations, and inadequate processes for executive involvement. We also raised concerns regarding deficiencies in the internal control environments that support efficiency of operation, compliance, and risk mitigation.
Key insights
- Governance structures: Governance frameworks should include systems that enable transparent and consistent processes for obtaining executive consideration on matters, including for decisions made out-of-session. Governance arrangements can also support meaningful engagement with government and non-government partners, and with those who have direct experience of complex issues, in order to facilitate input into key decisions.
- Delegations: Delegation manuals should be regularly updated to reflect changes in machinery of government or organisational structure, to capture key functions arising from laws and regulations, and to clearly specify the power or function being conferred. Delegations enable efficient and appropriate decision-making at the level closest to the work, but represent a significant governance risk if inadequately documented or monitored.
- Effectiveness of boards and oversight bodies: To be effective, oversight bodies need role clarity consistent with their legislative functions, with regular review of charters and membership, including members' capabilities and development requirements. Oversight systems must define devolved or delegated responsibilities, including activities relating to regulatory authorisations and contracted services.
- Risk management: Understanding strategic and operational risks requires a documented risk appetite; robust risk assessments with ownership and mitigating actions, timeframes and accountabilities; ensuring controls adequately address risk; and undertaking regular review. Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls.
- Internal controls: The internal control environment determines the effectiveness of systems for risk management and organisational governance, and the documentation and regular testing of expected controls is fundamental to business processes and probity requirements. The control environment must be risk-based and keep pace with changes in the quantum and diversity of agency work.
- Policies and processes: Policies and processes should be regularly reviewed to ensure roles and responsibilities are clear, and that any changes to the risk profile or control environment are adequately reflected. Active review of policies and procedures in line with current business activities supports more effective risk management and the implementation of management controls.
- Roles and responsibilities: Clearly defined roles and responsibilities are crucial for effective governance. Specific activities and obligations should be documented so that they create appropriate accountability and avoid gaps or duplication of effort.
- Compliance: Effective systems for monitoring and ensuring compliance with legislative and regulatory requirements are needed for government agencies to ensure they are upholding their obligations, and to prevent misconduct.
- Agency coordination and engagement: Coordination across state and local government bodies and other government entities is key to facilitating progress on common issues and shared priorities. This could be achieved through formal agreements with partner agencies, and by utilising governance mechanisms to resolve cross-agency issues.
Audit examples
Monitoring controls and compliance: Internal controls and governance 2021
Each year the Audit Office tables an omnibus report to the Parliament on the 'Internal controls and governance' of the largest New South Wales government agencies. This report covers a range of issues including trends in internal controls and IT controls. The 2021 report also focused on control environments relevant to agencies' response to emergencies, including cyber security, conflicts of interest and tracking responses to recommendations. It noted sector-wide lessons in relation to internal controls and governance frameworks, including:
- conflicts of interest policies should apply the same standard required of senior executives to all employees and contractors, including annual declarations, and should require updated declarations if circumstances change
- agencies need formalised policies and systems for addressing repeat control deficiencies, and for tracking and monitoring progress in implementing recommendations relating to internal control deficiencies as well as other reviews such as performance audits or public inquiries, particularly those arising from emergency events or natural disasters
- policies and procedures guiding the management of masterfiles for supplier or employee information should include controls for validating changes, periodic review of compliance and completeness, and controls for information security.
Cross-agency partnerships to improve services: Their Futures Matter
This audit of the 'Their Futures Matter' out-of-home care reform assessed the governance and cross-agency partnership arrangements established to deliver this program. The audit identified that important foundations were put in place, and several new programs were trialled, but the key objective to establish an evidence-based whole-of-government early intervention approach was not achieved. It found various shortcomings and opportunities for improvement, including:
- governance arrangements were ineffective for enabling a whole-of-government approach to deliver on the reform’s intent. These arrangements also failed to include sufficient representation from Aboriginal leaders or services
- inadequate mechanisms for cross-agency partnerships to compare the effectiveness of different initiatives and drive reprioritisation of government investment in evidence-based and earlier intervention, meant that most investment funding remained tied to existing agency programs
- while the reform created a significant cross-agency linked dataset and the first cross-cluster outcomes framework, the evidence base did not comprehensively assess whether existing services were meeting needs, identify duplication or gaps, or demonstrate which initiatives were most effective.
Managing internal controls: Integrity of data in the Births, Deaths and Marriages Register
This audit of the Births, Deaths and Marriages Register assessed the control environment over the accuracy and security of information in the Register maintained by Service NSW and the Department of Customer Service. It found there were effective controls in place to ensure the accuracy of data entered in the Register, but noted gaps relating to the oversight of information in the Register. This included:
- deficiencies in internal controls for monitoring user access and detecting breaches such as unauthorised changes or distribution of data, which created a risk to the integrity of data in the Register
- lack of clearly delineated responsibilities for oversight resulted in gaps in implementation and lack of assurance over third-party vendors
- inadequate monitoring of compliance with information security policies relating to user activity and password settings, meant that the Department could not know whether the integrity of the system had been breached.
Increasing senior executive oversight in local councils: Governance and internal controls over local infrastructure contributions
This audit assessed the effectiveness of four local councils' oversight over the use of local infrastructure contributions. Councils collect funding contributions from developers, and the funds are used to deliver infrastructure required to service and support new development, such as water and sewer infrastructure. The audit found that most councils had a high level of compliance with legislative and regulatory requirements for these contributions, but some councils had gaps in governance and internal controls over the scheme, including:
- the information provided to senior management about the status of contributions plans for the use of funds was insufficient to guide strategic decision-making. Some councils needed to increase the seniority of membership for the local infrastructure contributions oversight committee
- deficiencies in internal controls relating to the collection and valuation of infrastructure contributions meant the controls did not adequately address risks such as a lack of independence in conducting valuations, developers failing to make contributions or making insufficient contributions, data security risks, and the absence of probity controls to guide negotiations with developers
- staff were generally knowledgeable about the scheme, but not all procedures were kept up-to-date. Some councils had significant gaps in guidance, such as for probity management of works delivered in-kind.
6. Cyber security and data
What we found
Inadequate cyber security is a serious and increasing risk to agencies and citizens
Audits have extensively considered the government response to risks relating to cyber security, including mitigating security threats such as service disruption or cyber-attack, and better managing and using the increasing volume of data being collected. In line with the NSW Government Cyber Security Policy, agencies must assess their maturity against the Australian Cyber Security Centre's Essential Eight, the baseline strategies recommended for mitigating the risk of cyber incidents. The strategies are application control, patching applications, patching operating systems, user application hardening, configuring macro settings, restricting administrative privileges, multi-factor authentication, and maintaining regular backups. Deficiencies were found in agencies' setting and meeting of target maturity levels against cyber security policy requirements, and in the documentation of risk acceptance decisions.
Disruption of government services due to cyber-attack is a critical and increasing risk that a number of our audits have highlighted. Audits have also noted risks relating to the privacy and security of personal information held by government agencies, and critical gaps in the controls that protect the integrity of this data. Audits have made findings relating to inadequate leadership in prioritising cyber resilience and identified necessary improvements in IT system capability and administration and data management capabilities.
Sharing data between agencies also represents an important area of both growth and risk in New South Wales, as agencies increasingly collaborate to achieve efficiencies and realise strategic opportunities. System-wide platforms should be leveraged for sharing research and information across relevant entities, facilitating formal information sharing arrangements, and improving the security and quality of shared information.
Key insights
Cyber security: The NSW Cyber Security Policy and the Essential Eight should be the baseline for implementing controls to mitigate cyber risk, through setting target cyber maturity levels and documenting acceptance of risks consistent with agency risk appetite. Building effective cyber resilience requires focused leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.
Information security: Controls around the security of information must provide assurance over the integrity of data and prevent misuse of information, with key risk areas including user access controls, password controls, outdated technology and manual data entry.
Privacy: Data governance arrangements should specify responsibilities for privacy obligations; the scope and complexity of personal information; collection, storage and deletion of information; and processes for responding to requests and sharing information.
IT system improvements: Responsive updates to the functionality of IT systems, particularly those with customer-facing interfaces, are required to ensure systems are fit-for-purpose, mitigate risk to systems or information, and integrate with other systems.
Data collection and validation: Data governance frameworks determine the quality of data systems and collections by assigning oversight and quality assurance responsibilities. Risk-based controls to check and verify data should be in place for routine data quality assurance, to validate agency or stakeholder data sources, and to assess performance on external contracts.
Sharing data and information: Governments hold repositories of valuable data, as well as data modelling capabilities, that should be leveraged and shared across both government and non-government entities to improve strategic planning and forecasting and reduce duplication of initiatives.
Audit examples
Meeting target levels of cyber maturity: Compliance with NSW Cyber Security Policy
We audited the compliance of selected New South Wales government agencies with the requirements of the NSW Cyber Security Policy. The Policy aims to strengthen cyber security governance, controls and culture across New South Wales government agencies. Significant shortcomings were identified that have created a serious risk to agency systems, including:
- gaps in the central cyber security policy meant there were no minimum levels for agencies to achieve in implementing the 'mandatory requirements' of the policy. Agencies were not required to improve their cyber security maturity, nor to report on their target levels, or to document their acceptance of known risk due to gaps in their cyber maturity
- agencies had not implemented mandatory requirements of the policy or the Essential Eight mitigation strategies, or they had implemented requirements in an ad hoc or inconsistent manner, resulting in significant system weaknesses
- agencies tended to over-estimate their cyber security maturity, which risked undermining effective decision-making and risk management for responding to cyber risks
- lack of requirements for formal monitoring or oversight of agencies’ cyber self-assessment processes.
Leadership to guide priorities: Managing cyber risks
This performance audit was an in-depth assessment of the effectiveness of two agencies in identifying and managing their cyber security risks, including a simulated cyber-attack and physical system security tests. The audit found shortcomings in the identification and management of cyber risk, including:
- significant weaknesses in cyber security risk identification meant that agency processes for risk assessment were not effective in identifying all potential vulnerabilities and risks. The audit exposed cyber weaknesses that the agencies were not previously aware of
- neither agency had fully mitigated its cyber security risks or reduced these risks to acceptable levels. Several enterprise-level cyber risks exceeded risk tolerance ratings set by the agencies
- low levels of cyber maturity relative to target levels on Essential Eight strategies exposed the agencies to significant risk and specific vulnerabilities
- gaps in executive oversight, including inadequate reporting to executives on the management of cyber risks and the effectiveness of cyber controls, prevented the agencies from fostering a culture where cyber security risk management is an important part of executive decision-making
- low numbers of staff completing basic cyber security awareness training, further hampered the development of a culture where cyber security is prioritised.
Protecting customers’ privacy: Service NSW’s handling of personal information
In response to a ministerial request, we reviewed the implementation and governance of systems for managing the privacy of personal customer and business information held by Service NSW. The audit identified significant gaps in the management of personal customer and business information, including:
- weaknesses in general IT and security controls over the customer management system, such as user access controls and monitoring, and partitioning of access to information, which increased the risk of unauthorised access to information
- failure to maintain an up-to-date privacy management plan, including inadequately defined obligations and incomplete reflection of changes in governance, led to a lack of proactive communication to customers about how their information would be used and stored
- inadequate business processes for storing and sharing information directly contributed to a data breach incident and posed an ongoing risk to the privacy of information
- inadequate risk-based governance and regular review over systems and processes for maintaining privacy of information had allowed high-risk business processes to continue
- opportunities to implement additional safeguards to protect customer information had not been taken up, such as allowing customers to opt in to multi-factor authentication and to review the history of access to their information.
Controls for information security and program change: Internal controls and governance
Our report of 'Internal controls and governance' considers effectiveness across the largest New South Wales government agencies on a range of issues including cyber and information security and managing sensitive data, and program change management. We have found a number of key deficiencies that recur across multiple years, including:
- deficiencies in information security controls, including user access administration, user activity reviews, and password controls, heightened the risk of fraudulent or inappropriate use of data
- the COVID-19 pandemic and other emergencies of 2020 highlighted the importance of strong cyber security and IT controls for managing remote working and grants distribution
- gaps in program change controls, such as segregation of duties between developing and deploying changes, or the use of user acceptance testing for program changes, increased the risk of unreliable data and transaction processing, as well as software issues and gaps in controls following an IT system change
- the management of sensitive data can be improved by maintaining an inventory of sensitive data and assessing and prioritising the protection of high-risk data
- deficiencies in policies for managing security incidents and maintaining data breach registers to record key information relating to incidents reduced agencies' ability to contain, evaluate and remediate incidents.
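The user access and activity monitoring gaps noted in the Births, Deaths and Marriages Register audit above, the masterfile change validation controls in the 2021 'Internal controls and governance' example, and the user access administration and activity review deficiencies in this list are all controls that a periodic, scripted access review can exercise. The following is an added example, not code from the Audit Office or from any agency system. It runs four checks over constructed HR roster, application access log and approved change request records: activity by accounts that HR records as terminated, record changes or exports by roles not authorised for them, master record changes that cite no approved change request, and privileged accounts that remain enabled but unused. The record layouts, field names, role names and sample rows are all assumptions chosen for illustration.

```python
"""User access and activity review over constructed sample data.

Added example, not from the audit report or any agency system. The record
layouts (HR roster, application access log, approved change requests) and
the role names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR roster: who is employed, in which role, and when they left.
HR_ROSTER = [
    {"user": "jsmith", "role": "registrar", "terminated": None},
    {"user": "apatel", "role": "registrar", "terminated": date(2021, 3, 31)},
    {"user": "bwong", "role": "readonly", "terminated": None},
    {"user": "vendor01", "role": "vendor_support", "terminated": None},
    {"user": "admin02", "role": "sysadmin", "terminated": None},
]

# Constructed application access log: one 'key=value' line per authenticated action.
ACCESS_LOG = """\
2021-04-02T09:12:44 user=jsmith action=UPDATE record=R-1001 ticket=CR-551
2021-04-02T23:40:03 user=apatel action=UPDATE record=R-1002 ticket=CR-552
2021-04-03T10:05:17 user=bwong action=UPDATE record=R-1003 ticket=-
2021-04-03T10:07:02 user=bwong action=READ record=R-1003 ticket=-
2021-04-05T14:30:59 user=vendor01 action=EXPORT record=ALL ticket=-
2021-04-06T08:00:00 user=jsmith action=UPDATE record=R-1004 ticket=CR-999
"""

# Constructed register of approved change requests that a master record
# change must be validated against.
APPROVED_TICKETS = {"CR-551", "CR-552"}

# Assumed authorisation model: which roles may change or export register data,
# which roles count as privileged, and how long before an unused account is dormant.
WRITE_ROLES = {"registrar"}
EXPORT_ROLES = {"sysadmin"}
PRIVILEGED_ROLES = {"sysadmin", "vendor_support"}
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    check: str
    user: str
    detail: str


def parse_log(text):
    """Parse 'key=value' access-log lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts_text)
        events.append(event)
    return events


def review(log_text, roster, approved_tickets, as_of):
    """Run the four access-review checks and return the findings in log order."""
    people = {p["user"]: p for p in roster}
    findings = []
    last_seen = {}

    for ev in parse_log(log_text):
        user, action, record = ev["user"], ev["action"], ev["record"]
        person = people.get(user)
        role = person["role"] if person else None  # None: account unknown to HR
        last_seen[user] = max(last_seen.get(user, ev["ts"]), ev["ts"])

        # 1. Any activity by an account that HR records as having left.
        if person and person["terminated"] and ev["ts"].date() > person["terminated"]:
            findings.append(Finding("terminated_user_activity", user,
                f"{action} on {record} at {ev['ts'].isoformat()} after termination on {person['terminated']}"))

        # 2. Writes or exports by a role not authorised for them; an approved ticket
        #    does not excuse this, and neither does a read-only role.
        if action == "UPDATE" and role not in WRITE_ROLES:
            findings.append(Finding("unauthorised_action", user, f"UPDATE on {record} by role {role!r}"))
        elif action == "EXPORT" and role not in EXPORT_ROLES:
            findings.append(Finding("unauthorised_action", user, f"EXPORT of {record} by role {role!r}"))

        # 3. Master record changes with no matching approved change request.
        if action == "UPDATE" and ev.get("ticket", "-") not in approved_tickets:
            findings.append(Finding("unvalidated_change", user, f"UPDATE on {record} cites ticket {ev['ticket']!r}"))

    # 4. Privileged accounts still enabled but unused for DORMANT_DAYS before the review date.
    cutoff = datetime.combine(as_of, datetime.min.time()) - timedelta(days=DORMANT_DAYS)
    for p in roster:
        if p["role"] in PRIVILEGED_ROLES and p["terminated"] is None:
            seen = last_seen.get(p["user"])
            if seen is None or seen < cutoff:
                findings.append(Finding("dormant_privileged_account", p["user"],
                    "never used in log" if seen is None else f"last used {seen.date()}"))
    return findings


def summarise(findings):
    """Count findings per check, the figure a control owner would report on."""
    counts = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


def default_review():
    """Run the review over the constructed data as at an assumed review date."""
    return review(ACCESS_LOG, HR_ROSTER, APPROVED_TICKETS, as_of=date(2021, 4, 30))


if __name__ == "__main__":
    results = default_review()
    for f in results:
        print(f"[{f.check}] {f.user}: {f.detail}")
    print(summarise(results))
```

Each check reconciles the application log against a source the application itself does not own (the HR roster, the approved change register), which is what turns a log into an assurance artefact: the terminated user's change cites a valid ticket and is still flagged, and the read-only user's read is left alone while the same user's update is flagged twice, once for role and once for the missing request.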
7. System planning for disruption
What we found
Governments must prepare for the future, respond to emergency events and adapt to new ways of working to meet community need
We recognise the many challenges governments face in planning for the future while responding to immediate pressures. Governments have to balance competing priorities and finite resources, while coordinating across agencies to deliver sustainable solutions that consider intergenerational equity and complex social issues. Robust system-level planning is critical for delivery of programs and services that meet the needs of target populations and provide value for the use of public funds in the short and long-term.
The frequency of unprecedented events during the period since 2018 has demonstrated the importance of maintaining a focus on system coordination and preparing for the unexpected. This is particularly important in light of increasingly severe environmental disruption and climate change risk. Governments have a responsibility to be prepared for disruption and to ensure continuity of systems and services for the community. A number of our audits made findings relating to the need to capture post-incident lessons to inform future practice. Effective planning requires a multi-layered approach incorporating both a strategic and an operational view, making use of tools such as business continuity planning and service mapping, as well as understanding the capacity and capability of the workforce against forecast needs. Priorities to meet forecast demand, including short- and long-term programs, should incorporate regular assessment of need and of any emerging risks or trends.
Our 2018 'Performance Audit Insights' report also discussed some of the opportunities and risks afforded by substantial growth in expenditure on infrastructure to meet changing population needs. In particular, we called out instances of flawed analysis and inadequate planning that created risks for the ability of investments to deliver value for money and to meet future community needs. We note that the landscape has not significantly improved since 2018. Our audits continue to identify inadequate analyses and flawed advice to government on investment options, and significant gaps in long-term planning to guide decisions.
Key insights
Long-term planning: Effective planning requires government to develop priorities that address forecasted need and mitigate risks to services and systems. Plans must extend beyond the budget or political cycles, coordinate across other relevant plans and strategies, and incorporate two-way feedback with those on the ground.
Strategic planning: Development of robust strategies to guide planning and prioritisation of resources supports more responsive system administration that can build on lessons learned. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination.
Agency capability: Building agency capability to deliver a responsive system or to implement transformation programs requires an assessment of staff readiness for implementation, building a quality framework to monitor performance, and periodic reviews to identify capability gaps.
Service planning: Service planning should establish future service offerings and service levels relative to current capacity, define commensurate resourcing models, align relevant organisational structures, and incorporate an evaluation framework. Planning must address risks to avoid or mitigate disruption of business and service delivery, including business continuity planning and scenario mapping.
Prioritisation of options: Identifying priorities for investment requires up-to-date analysis and evidence, alignment with strategic priorities and objectives, a systemic approach with input from oversight structures and key stakeholders, and transparency of funding decisions and changes to priority.
Guidance materials: Operational guidance materials such as procedures or training materials help to strengthen the sector's capability, and improve consistency of staff practice and decision-making. In emergency events, agencies must ensure this guidance is kept up-to-date to reflect rapidly evolving requirements, and that communication with staff clearly outlines expectations.
Audit examples
Adapting to future uncertainty: Managing climate risks to assets and services
We audited the response of two New South Wales government agencies in addressing climate-related risks to government assets and services. The audit considered whether the [then] Department of Planning, Industry and Environment and NSW Treasury were effectively supporting agencies in providing information on identifying physical risks to assets, and in developing mitigation responses. We found deficiencies in the support provided to agencies to address expected risks, including:
- the lack of a state-wide climate change adaptation plan limited the implementation of a coordinated program of support to agencies to undertake climate risk assessments and identify relevant risks to assets and services
- numerous state agencies had not conducted climate risk assessments and did not have a climate risk management plan in place for their assets and services
- data projections and forecasting on expected risks and climate-related impacts were not effectively communicated to agencies in a way that supported them to make use of the information
- local and regional planning documents and strategic plans did not provide adequate guidance to development authorities on climate change adaptation to guide future land use decisions
- oversight of the program of support to agencies on climate risk was limited by inconsistency in monitoring and reporting on progress and outcomes.
Agency capability for change: One TAFE NSW modernisation program
We assessed the effectiveness of planning, governance, and reporting arrangements for a major transformation program, the One TAFE NSW modernisation program. This program sought to shift TAFE NSW to a new organisational model, to improve efficiency and deliver commercial objectives. The audit found the program was not effectively managed to deliver on planned timeframes and objectives. A number of deficiencies were identified, including:
- insufficient definition of strategic objectives and roles and responsibilities led to inadequate governance arrangements and blurred accountabilities for decision-making
- deficiencies in program delivery were a result of inadequate planning and preparation for the transition to a new organisational model, including gaps in service mapping and inadequate analysis of projected outcomes and benefits. Commercial objectives of the program conflicted with legislated social objectives
- gaps in assessment of agency capability and capacity to undertake transformation on this scale, including undertaking many large-scale programs concurrently, resulted in under-developed project management at critical stages
- pursuing a complex change program within compressed timeframes resulted in risks to implementation including lack of project prioritisation or sequencing, and pressure on senior management oversight and project management resources.
Coordination of planning and regulatory responsibilities: Support for regional town water infrastructure
In this audit, we examined whether the [then] Department of Planning, Industry and Environment effectively supported the planning for and funding of town water infrastructure in regional New South Wales. Local council utilities own and operate this infrastructure, and the Department is the primary regulator of these utilities. The report found that the Department’s regulatory approach was poorly defined, and that it lacked a strategic, evidence-based approach to targeting investments. Key areas for improvement included:
- lack of formalised, transparent processes for administering strategic and operational support to local water utilities, resulted in poor integration between program funding and planning activities across state and local government
- inadequate governance mechanisms for overseeing performance and engaging with the local council water utilities, resulted in gaps in inter-agency coordination on regulation issues
- conducting local government sector and community consultation on tight timeframes limited the opportunities for information sharing and the ability to engage on local issues to inform strategic planning and investment decisions.
8. Resource management
What we found
Poor resource management practices compromise the ability to obtain value for use of public funds
Effective resource management underpins agencies’ ability to meet future needs, and to adapt to changing models of service delivery. Since 2018, we have conducted several audits with a specific focus on areas of resource management, such as procurement and contract management of consultants and commissioned services, and found opportunities to improve practice and compliance with requirements in these areas.
We identified significant challenges in maintaining oversight and validation of contractor performance that create a risk for demonstrating value for money from contracted services and outsourcing. Our reports have highlighted instances of overreliance on consultants and the outsourcing of expertise, and our recent report on State Finances 2021 highlights some important associated risks, including the risk that agencies shop for an opinion that suits a desired outcome, are not equipped to adequately challenge an expert's recommendations, and are facing a lack of capability within government to inform discussion and decision-making. Gaps in other aspects of resource management arose in a number of audits, for example ensuring adequate resourcing to meet deliverables both in transformation programs and workforce planning for ongoing programs and services.
Key insights
Procurement management: Compliance with the NSW Government Procurement Policy Framework and Procurement Board Directions requires that policies and procedures be aligned with the requirements, internal controls be implemented to manage compliance, and staff capability built through training and tools such as checklists and templates.
Contract negotiation: Contract negotiation strategies should be documented, and agencies should not disclose pricing information to proponents in advance. Where relevant, negotiations should be pursued with more than one supplier in line with the Procurement Framework. Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
Contract management: Adequate documentation of steps taken up to the awarding of a contract is necessary to ensure accountability. Contracts should make use of tools such as contract management plans in line with relevant policy, document clear roles and responsibilities for relevant parties, and incorporate supplier performance management plans with targets.
Oversight of contracts and consultants: Governments must weigh up the cost of reliance on consultants at the expense of internal capability. Adequate oversight of contractor engagement must include validation of the quality and completeness of data provided by suppliers, and monitoring of performance according to performance management plans.
Adequate resourcing: Adequate resourcing levels should be defined in resourcing models to ensure delivery can reach expected performance levels, meet complex needs, be responsive to changing environments, and coordinate requirements across programs or services. The success of transformation programs can be improved through adequately resourcing a program management office.
Workforce planning: Workforce planning for the future should address workforce supply challenges such as geography and incorporate modelling to project and meet future needs, including for specialist positions and across remote and regional areas.
Audit examples
Compliance with requirements: Procurement and reporting of consultancy services
Our compliance audit on the procurement and reporting of consultancy services considered compliance with procurement requirements across 12 New South Wales government agencies. This audit found deficiencies in all 12 agencies’ compliance with NSW Procurement Board Directions on the use of consultants, with specific findings including:
- inconsistent reporting regarding expenditure on consultants, and failure to comply with annual reporting requirements on consultancy fees, reduced the transparency of expenditure relating to outsourced services
- a lack of whole-of-government guidance led to inconsistent definitions of ‘consultants’ and resulted in gaps in reporting on expenditure and adherence with financial delegations, and variations in practice between agencies
- inadequate guidance for agency staff created challenges for implementing procurement frameworks and associated processes, with a need for additional tools, automated processes, and other internal controls to improve compliance with requirements
- reliance on agency and supplier self-reporting, and a lack of validation of supplier performance information, reduced oversight of whether outcomes were being achieved and whether value for money was being delivered
- opportunities to improve the quality of information from suppliers would address gaps in compliance with reporting policy, and also support monitoring of performance.
In addition, our performance audit of 'Procurement management in Local Government' identified a number of similar issues relating to procurement policy implementation, including gaps in staff training, inconsistent reporting, and gaps in oversight and performance evaluation.
Using data to guide resourcing decisions: Supply of secondary teachers in STEM-related disciplines
This report examined the effectiveness of the Department of Education's plans and strategies to respond to the demand for secondary teachers in disciplines of Science, Technology, Engineering and Mathematics. We found that incomplete data was preventing accurate tracking of supply and demand for particular types of teachers. The audit also found:
- gaps in the workforce planning model around supply and demand for teachers by discipline and location meant the Department was not targeting workforce plans and strategies to areas of need
- inadequate strategies to attract and retain teachers have resulted in scholarship programs not targeted to workforce needs, poor uptake and retention for training scholarships, and gaps in the oversight of professional experience placements.
Local government transformation: Workforce reform in three amalgamated councils
The NSW Government amalgamated 42 existing councils into 20 new councils in 2016, with the accompanying establishment of an amalgamated workforce. Our 2019 audit assessed whether three of the new councils were effectively implementing this workforce reform to realise expected benefits and manage the impact on staff. The audit found all three councils demonstrated broad progress towards an efficient organisation structure, with audit findings including:
- detailed workforce planning was undertaken to understand organisational requirements for reform. Two councils, however, were not adequately monitoring and reporting on the outcomes of the reform initiatives
- gaps in service mapping and service planning meant that the councils had not determined future service offerings or service levels, nor completed integration of IT systems. These gaps also prevented finalisation of organisational and workforce structures
- the high degree of change meant that, despite substantial change management programs in place, there was a need for additional support for staff through the transition
- inadequate measures for monitoring the effectiveness of these change management programs meant that impact could not be assessed, and staff feedback could not be tracked over time.
Monitoring contract performance: Ensuring contract management capability in government – HealthShare NSW
Agencies are required to comply with whole-of-government guidance on procurement and contract management. We assessed whether HealthShare NSW (part of NSW Health) was effectively implementing contract management requirements and had the relevant capabilities for managing high-value contracts. We found several deficiencies in contract management for high-value contracts, including:
- mandatory contract management plans and tools were not being routinely used to track obligations and deliverables, leading to inconsistent practices and gaps in oversight
- inadequate performance monitoring and reliance on supplier self-reporting meant there were gaps in the oversight of supplier performance, and instances of failing to manage under-performance
- a lack of guidance on validating performance information limited the ability of contract managers to demonstrate value for money through outcomes achieved
- management of some contracts was delegated to devolved entities, which contradicted agency policy.
Our audit of 'Ensuring contract management capability in government – Department of Education' identified instances of similar issues in the use of contract management plans, and guidance on the validation of performance information.
Appendices
Appendix one – Included reports, 2018–2022
Appendix two – About this report
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.