Customer Service 2021

Auditor-General’s foreword

This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

Report highlights

What the report is about

The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Customer Service cluster agencies.

The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.

Seven out of eight agencies did not complete all mandatory early close procedures.

What the key issues were

Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.

The department reported several retrospective corrections of prior period errors.

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:

  • the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
  • the Department of Customer Service – significant control deficiencies in information technology change management controls
  • Rental Bond Board – uncertainties in the accounting treatment of rental bonds.

The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.

The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.

What we recommended

The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.

The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.

The department should continue to improve controls in cyber security management.

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.

Fast facts

The Customer Service cluster aims to plan, prioritise, fund and drive digital transformation and customer service across every cluster in the NSW Government.

  • $3.9b total expenditure incurred in 2020–21 
  • $34.1b total administered income managed on behalf of the NSW Government in 2020–21
  • 100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements 
  • 3 high-risk management letter findings were identified
  • 46 monetary misstatements were reported in 2020–21
  • 42% of reported issues were repeat issues.

1. Introduction

This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

1.1 Snapshot of the cluster

Source: NSW Budget Papers 2021–22.

1.2 Changes to the cluster

Office of the Independent Review Officer replaced WorkCover Independent Review Office

The Office of the Independent Review Officer (OIRO) is a statutory office established under the Personal Injury Commission Act 2020 effective 1 March 2021. The statutory functions of the OIRO include:

  • finding solutions for persons injured at work or in motor vehicle accidents with complaints about their insurers
  • managing and administering the Independent Legal Assistance and Review Service
  • conducting inquiries into matters arising in connection with the operation of the Personal Injury Commission Act 2020 and the workers’ compensation and motor vehicle accident legislation.

The NSW Government first established the WorkCover Independent Review Office (WIRO) in 2012 as an oversight mechanism across the New South Wales workers’ compensation system. The WIRO is the predecessor of the OIRO.

Establishment of Digital Restart Fund to support digital transformation projects

The Digital Restart Fund (the Fund) is a statutory deposit account established under the Digital Restart Fund Act 2020 (the Act) on 3 August 2020. The purpose of the Fund is to support digital and information and communications technology initiatives across the government sector.

Under the Act, the Minister for Digital and Minister for Customer Service is to control and manage the Fund. Section 14 of the Act requires the Fund to produce an annual report relating to the Fund each year. The report is also to include an audit of the Fund by the Auditor-General on whether the payments from the Fund have been made in accordance with the Act.

The Department of Customer Service administers the Fund. It prepared the Fund's inaugural special purpose financial report for the period from 3 August 2020 to 30 June 2021.

2. Financial reporting

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.

Section highlights

  • Unqualified audit opinions were issued on the financial statements of cluster agencies.
  • The number of reported misstatements has decreased from 48 in 2019–20 to 46 in 2020–21.
  • Agencies could do more work to improve the quality and timeliness of completing mandatory early close procedures.
  • The Department of Customer Service implemented the new accounting standard AASB 1059 'Service Concession Arrangements: Grantors', which resulted in recognition of a service concession asset of $845 million at 1 July 2019. The valuation of land titling database requires significant judgements and estimations.

2.1 Cluster financial information 2021

Agency Total assets
$(m)
Total liabilities
$(m)
Total income*
$(m)
Total expenses**
$(m)
Principal department        
Department of Customer Service 2,116.9 3,238.4 1,889.4 1,905.0
Other cluster agencies listed in Appendix A of Treasury Direction TD21-02
Long Service Corporation 2,162.7 1,636.7 380.1 108.6
New South Wales Government Telecommunications Authority 603.3 159.3 249.2 123.7
State Insurance Regulatory Authority 465.2 344.3 585.8 571.6
Service NSW 305.4 221.5 624.2 682.4
Rental Bond Board 206.3 0.1 215.8 69.1
Independent Liquor and Gaming Authority 13.8 12.6 28.6 28.2
Independent Pricing and Regulatory Tribunal 6.2 5.2 31.5 31.5
Office of the Independent Review Officer 6.0 6.0 36.2 36.2
Information and Privacy Commission 1.2 0.9 6.0 6.4
Immaterial agencies 246.3 12.3 494.5 294.7

* Include other gains.
** Include other losses.
Source: Agencies audited 2020–21 financial statements.

2.2 Quality of financial reporting

Audit opinions

Unqualified audit opinions were issued on agencies' financial statements

Unqualified audit opinions were issued on all cluster agencies' 30 June 2021 financial statements. Sufficient and appropriate audit evidence was obtained to conclude the financial statements were free of material misstatement.

Unqualified audit opinion was issued on a compliance audit of Digital Restart Fund

The Digital Restart Fund Act 2020 (the Act) created the Digital Restart Fund on 3 August 2020. The Act requires the Fund to prepare an annual report which includes an audit on whether the payments from the Fund have been made in accordance with the Act.

Unqualified audit opinion was issued on the compliance audit. Sufficient and appropriate audit evidence was obtained to conclude, in all material respects, payments from the Fund have been made in accordance with section 9 of the Act for the period 3 August 2020 to 30 June 2021.

The number of identified monetary misstatements decreased in 2020–21

The number of monetary misstatements identified during the audit of the financial statements decreased from 48 in 2019–20 to 46 in 2020–21. A monetary misstatement is an error in amount recognised in the financial statements initially submitted for audit.

Reported corrected misstatements decreased from 41 in 2019–20 to 33 with a gross value of $418.9 million in 2020–21. Reported uncorrected misstatements increased from seven in 2019–20 to 13 with a gross value of $78.0 million in 2020–21.

The table below shows the number and quantum of monetary misstatements for the past two years. 

Year ended 30 June 2021 2020
  Corrected misstatements Uncorrected misstatements Corrected misstatements Uncorrected misstatements
Less than $50,000 1 5 4 2
$50,000 to $249,999 4 2 2 2
$250,000 to $999,999 8 0 10 1
$1 million to $4,999,999 5 2 12 0
$5 million and greater 15 4 13 2
Total number of misstatements 33 13 41 7

Source: Engagement Closing Reports issued by the Audit Office of New South Wales.


Refer to Appendix one for details of corrected and uncorrected monetary misstatements by agency.

Of the 33 corrected misstatements, 15 had a gross value of greater than $5.0 million and primarily related to:

  • Long Service Corporation initially classified the liability of long service entitlements for some building and construction industry workers as non-current based on their expected settlement date. However, the liability should be classified as current as the workers had an unconditional right to the entitlements. The subsequent correction resulted in a $136.6 million transfer from non-current to current liabilities at 30 June 2021.
  • The Department of Customer Service (the department) derecognised appropriations received but not controlled by the department from 'revenue' of $90.7 million to 'transfer payments' in 2020–21 ($69.2 million in 2019–20). These payments were pass-through grants from the department to cluster agencies.
  • The department understated the valuation of the land tilting database by $31.5 million. The understatement was caused by inappropriate assumptions and inputs applied in the valuation model.
  • The department reclassified $25.2 million administrative fee of Rental Bond Board from 'sale of goods and services from contracts' to 'other revenue'. The department incorrectly applied AASB 15 'Revenue from Contracts with Customers' to this revenue stream as there was no contract between the department and Rental Bond Board for this administrative service.
  • The department reclassified $23.0 million of digital restart funding from 'contract liabilities' to 'grants and contributions' revenue as the department met the grant conditions related to the funding. It was no longer a liability for the department.
  • Independent Liquor and Gaming Authority (ILGA) recognised $12.5 million revenue and receivable of Bergin Inquiry costs recovered from Crown Resorts Limited; and $12.5 million expense and liability for the transfer of the Bergin Inquiry legal cost recovery to the department. ILGA did not recognise these transactions initially but disclosed it as a post-balance sheet date event as ILGA accepted Crown Resorts Limited's cost recovery offer on 1 July 2021. However, the ability to recover $12.5 million was virtually certain and evidenced by Crown Resorts Limited's offer letter received in May 2021. ILGA has a constructive obligation to return legal cost recovery to the department to the extent of Bergin Inquiry funding provided by the department.
  • New South Wales Government Telecommunications Authority (the Authority) incorrectly disclosed transactions relating to major programs totalling $12.1 million as 'administered items'. This treatment was based on management’s judgement that the Authority did not have control of these programs. However, the Authority had discretion to deploy the resources for the achievement of the Authority's objectives. The Authority corrected this misstatement by recognising related assets, liabilities, revenue and expenses of these programs in the financial statements.
  • The department wrote off $10.1 million office occupancy related costs receivable from cluster agencies. The office occupancy costs were incurred on behalf of cluster agencies. However, the costs were not subsequently recharged to cluster agencies.
  • The department recognised additional $9.6 million impairment of right-of-use assets to reflect the latest published market rent forecast in June 2021.

Of the 13 uncorrected misstatements, four had a gross value of greater than $5.0 million. These were:

  • The department recognised new land titling records in the land titling database as a revaluation movement instead of an adjustment to 'grant of the right to the operator' liability ($35.2 million). More details related to the nature of this misstatement is included in Section 2.4 of this report.
  • The department overstated property leases related balances by incorrectly applying a collar clause in the event of market rent review ($17.1 million) in the lease calculation model.
  • The department incorrectly recognised a liability for grants and subsidies when the department has no present obligations to provide grant funding at 30 June 2021 ($14.0 million).
  • The department overstated 'grants and contributions' revenue relating to Digital Restart Fund capital funding at 30 June 2021 ($6.0 million). The funding was yet to be spent therefore the department could not recognise it as revenue but a liability.

These uncorrected misstatements were not material to relevant agencies' financial statements.

New financial reporting provisions became effective from 1 July 2021

The financial reporting provisions in Division 7.2 of the Government Sector Finance Act 2018 (GSF Act) commenced on 1 July 2021. Agencies prepared their annual GSF financial statements for the 2020–21 financial year under Division 7.2 of the GSF Act.

One agency exempted from financial reporting in 2020–21

Part 3A Division 2 of the Government Sector Finance Regulation 2018 (GSF Regulation) prescribes certain kinds of GSF agencies not to be a reporting GSF agency. For 2020–21, the Office of the Greyhound Welfare and Integrity Commission, a staff agency, assessed and determined it met the reporting exemption criteria under the GSF Regulation, and therefore was not required to prepare annual financial statements.

Exempted agencies GSF Regulation reference Basis for reporting exemption
Special purpose staff agency
The Office of the Greyhound Welfare and Integrity Commission Part 3A, Division 2, Section 9F of the GSF Regulation GSF Regulation prescribes that a GSF agency that comprises solely of persons who are employed to enable another particular GSF agency to exercise its function not to be a reporting GSF agency.
The Office of the Greyhound Welfare and Integrity Commission satisfies this requirement and therefore is exempted from preparing financial statements in 2020–21.

In 2019–20, the Office of the Greyhound Welfare and Integrity Commission was also exempted from financial reporting under Schedule 2 of the Public Finance and Audit Regulation 2015.

2.3 Timeliness of financial reporting

Early close procedures

Early close mandatory procedures were not submitted on time

There were eight cluster agencies required by NSW Treasury to perform early close procedures. Only one of the eight agencies met the statutory deadlines for submitting their 2020–21 early close financial statements and other mandatory procedures. Agencies that delayed their submission of certain early close mandatory procedures were:

  • Department of Customer Service
  • Service NSW
  • New South Wales Government Telecommunications Authority
  • Long Service Corporation
  • Information and Privacy Commission
  • Rental Bond Board
  • State Insurance Regulatory Authority.

The delay was due to agencies:

  • not performing an assessment for accounting standards issued but not yet effective and concluding if these will have a material effect
  • not completing their review and documentation of significant management judgements
  • not implementing a formal process to confirm all significant inter and intra agency balances and transactions
  • not performing or not completing their documented review of property leases.

The table below summarises the agencies' completion of the 16 mandatory early close procedures, noting that some procedures are not relevant to all agencies. The 16 procedures are listed at Appendix one.

Agency Completed Not completed Not applicable**
Principal department
Department of Customer Service  6 7 3
Other cluster agencies listed in Appendix A of Treasury Direction TD19-02
New South Wales Government Telecommunications Authority 4 10 2
Service NSW 8 4 4
Information and Privacy Commission 7 4 5
Long Service Corporation 8 4 4
Rental Bond Board 8 2 6
State Insurance Regulatory Authority 8 2 6
Independent Pricing and Regulatory Tribunal 10 -- 6
Office of the Independent Review Officer* -- -- --
Independent Liquor and Gaming Authority* -- -- --

* Due to the size and nature of the agency, the audit team audited limited early close procedures and provided feedback informally to the agency.
** Some mandatory early close procedures were not applicable to the agency. For example, cluster agencies did not complete 'Changes in Accounting Policy' early close procedure as there were no changes to accounting policy at early close.
Source: Reports on early close procedures 2021 issued by the Audit Office of New South Wales.
 

Agencies need to improve their completion of early close procedures

Seven cluster agencies did not complete all required procedures at early close. Some procedures were not performed adequately to address the requirements of Treasurer's Directions.

Cluster agencies Description of incomplete early close procedures
Department of Customer Service
  •  Inter and intra (cluster) agency transactions and balances - some inter and intra agency transactions and balances were not agreed and confirmed with counterparty agencies.
  • Significant management judgements and assumptions - management did not finalise the valuation of land titling database including related judgments and assumptions applied when estimating the fair value.
  • Reconciliation of key account balances - some key account balances were not reconciled at early close.
  • Finalise right-of-use assets and lease liability balances - management did not finalise the impairment assessment of leased assets and the review of lease related reports to ensure all lease arrangements are accurate and complete.
  • Finalise assessment of all revenue contracts - management did not complete their assessment of all new revenue contracts and agreements for the year.
  • Delegations - management did not provide an approved delegation manual for its administered fund, Digital Restart Fund, at early close. The delegation manual was subsequently provided by management supporting appropriate delegations for transactions.
  • New and updated accounting standards - management did not finalise the impact of new accounting standard AASB 1059 in the early close financial statements.
New South Wales Government Telecommunications Authority
  • Proforma financial statements - the proforma financial statements were submitted on the due date however the impact from the comprehensive revaluation of property plant and equipment and new/revised lease contracts entered since 1 July 2020 were not included in the financial statements.
  • Revaluation of property, plant and equipment - management had not finalised the comprehensive revaluation of plant and equipment at 31 March 2021.
  • Inter and intra (cluster) agency transactions and balances - some inter and intra agency transactions and balances were not agreed and confirmed with counterparty agencies.
  • Significant management judgements and assumptions - management did not formally document judgements and assumptions made when estimating fair value of assets and lease related transactions.
  • Reconciliation of key account balances - some key account balances were not reconciled at early close.
  • Finalise right‑of‑use assets and lease liability balances - management did not finalise and document their review of new lease arrangements. Finalise assessment of all revenue contracts - management did not complete their assessment of all new revenue contracts and agreements for the year.
  • Prior year Management Letter and Engagement Closing Report issues - management had not addressed our recommendations in the prior year management letter at early close.
  • Complete Commonwealth Funding Agreement – Revenue Assessment Form for Commonwealth Funding Agreements - the revenue assessment form was not supported by a complete and accurate impact assessment against the relevant Australian Accounting Standards.
  • New and updated accounting standards - management had not conducted an assessment for accounting standards issued but not yet effective.
Service NSW
  • Fair value assessment of property, plant and equipment - management did not complete the annual review of assets' useful lives and impairment assessment of assets.
  • Significant management judgements and assumptions - some significant judgements and assumptions used when estimating assets' useful lives, credit loss assessment for receivables, assumptions in lease accounting were not documented.
  • Finalise right‑of‑use assets and lease liability balances - management did not finalise the impairment assessment of leased assets and some lease transactions were not disclosed accurately.
  • Changes to legislation - management did not document the impact of organisational restructure resulted from changes to legislation.
Information and Privacy Commission
  • Inter and intra (cluster) agency transactions and balances - some inter and intra agency transactions and balances were not agreed and confirmed with counterparty agencies.
  • Finalise right-of-use assets and lease liability balances - management did not perform impact assessment of the new lease arrangement with the Department of Customer Service.
  • Finalise assessment of all revenue contracts - management did not document revenue assessment against the relevant Australian Accounting Standards.
  • New and updated accounting standard - management did not document their assessment of the effects of new and updated accounting standards.
Long Service Corporation
  • Significant management judgements and assumptions - management did not provide documentation to support the significant judgements and assumptions used when estimating transactions and balances in the valuation of financial assets at fair value and scheme liabilities.
  • Finalise right‑of‑use assets and lease liability balances - management did not perform and document their review of lease arrangements.
  • Prior year Management Letter and Engagement Closing Report issues - management was in the progress of addressing prior year recommendations.
  • New and updated accounting standards - management did not perform a formalised assessment of accounting standards issued but not yet effective and disclose management's assessment of the impact in the financial statements.
Rental Bond Board
  • Prior year Management Letter and Engagement Closing Report issues - management did not resolve prior year management letter issue on the approval of grant payments at early close.
  • New and updated accounting standards - management had not conducted an assessment for accounting standards issued but not yet effective.
State Insurance Regulatory Authority
  • Fair value assessment of property, plant and equipment - management did not complete a fair value assessment of plant and equipment due to its immaterial balance at early close.
  • New and updated accounting standards - management did not document a formal assessment of the effects of new and updated Australian Accounting Standards.

Source: Reports on early close procedures 2021 issued by the Audit Office of New South Wales. 

The review of agencies' early close procedures found more work needs to be done to:

  • complete the impact assessment of revenue arrangements against AASB 15 'Revenue from contracts with customers', AASB 1058 'Income of Not-for-Profit Entities' and TPP 21-03 'Administered Items'
  • finalise comprehensive revaluation of assets in time for early close
  • complete inter and intra (cluster) confirmation of balances and transactions
  • perform impairment assessment of assets including right-of-use assets
  • document significant judgements and estimations applied in preparing the proforma financial statements.

NSW Treasury introduced early close procedures to improve the quality and timeliness of year-end financial statements. In March 2021, NSW Treasury reissued Treasurer’s Direction TD19-02 ‘Mandatory Early Close as at 31 March each year’ (TD19-02) and issued TPP21-01 ‘Agency Direction for the 2020–21 Mandatory Early Close’, requiring GSF agencies listed in Appendix A of TD 19-02 to perform early close procedures and provide the outcomes to the audit team by 26 April 2021. 

Year-end financial reporting

NSW Treasury extended financial reporting deadlines

Due to the COVID-19 pandemic, NSW Treasury extended the year-end financial reporting deadline for agencies listed in Appendix A of Treasury Direction TD21-02 'Mandatory Annual Returns to Treasury' (TD21-02) to 2 August 2021.

During May and June 2021, NSW Treasury issued a suite of Treasurer's Directions, Treasury Circular and policy papers for 2020–21 financial reporting requirements and timetables:

  • Treasurer's Direction TD21-02 and Treasury Policy Paper TPP21-04 'Agency Direction for the 2020–21 Mandatory Annual Returns to Treasury' require agencies listed in the Appendix A of TD21-02 to submit their 2020–21 financial statements to both NSW Treasury and the Audit Office by 26 July 2021
  • Treasury Circular TC21-04 '2020–21 Mandatory Annual Returns to Treasury for non-GSF agencies' requires NSW public sector agencies not listed in Appendix A of TD21-02 to submit their draft 2020–21 financial statements to NSW Treasury by 26 July 2021
  • Treasurer's Direction TD21-03 'Submission of Annual GSF Financial Statements to the Auditor-General' requires reporting GSF agencies that are not listed in Appendix A of TD21-02 to submit their annual financial statements within six weeks after the year-end.

The following agency obtained NSW Treasury's approval to further delay submission of their 30 June 2021 financial statements:

Cluster agencies Revised deadline Reason
Department of Customer Service 31 August 2021 The Department of Customer Service implemented the new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' for the first time. It obtained an extension from NSW Treasury to submit AASB 1059 related balances and disclosures in the financial statements. Delays in finalising the valuation of a service concession asset, land titling database, supported the extension request.

Financial statements were submitted on time

Cluster agencies met the revised or approved reporting deadlines for submitting their 2020–21 year-end financial statements.

On 1 July 2021, the Public Finance and Audit Act 1983 (PF&A Act) was renamed the Government Sector Audit Act 1983 (GSA Act). Whilst the PF&A Act required the Auditor-General to audit agencies' financial statements within ten weeks of their receipt, the GSA Act does not specify the statutory deadline for issuing the audit reports. The audits of all cluster agencies financial statements have been completed.

The table in Appendix three shows the timeliness of the year-end financial reporting for cluster agencies.

2.4 Key accounting issues

The department reported retrospective corrections of prior period errors

 

Description of the prior period error Impact in comparatives
Administered items and transfer payments  
The department received appropriations to fund grant programs that are administered by cluster agencies on behalf of other government agencies. These appropriations were previously recognised as controlled 'revenue' and 'grant expense' by the department. Upon further assessment of AASB 1050 'Administered Items' and TPP 21-3 'Administered items', the department concluded that these activities should be recognised as 'transfer payments' to reflect the pass-through funds from the department to cluster agencies; or 'administered items' managed on behalf of other government agencies.
  • Reduction in 'appropriation revenue' and 'grants and subsidies expense' by $77.4 million in 2019–20.
  • Disclosing these activities in the notes to the financial statements as 'transfer payments' and/or 'administered items'.
Lapsed appropriations  
Previously, the department recognised an obligation in its financial statements for appropriated monies drawn down but not used by the end of the financial year. This was based on the premise that the spending authority conferred by the annual Appropriations Act had lapsed for the year, that the department did not have the legal authority to spend the unused amount in the following financial year and a liability existed to repay the money to the Consolidated Fund. In 2020–21 NSW Treasury reviewed the accounting for lapsed appropriations, concluding that the previous treatment had misapplied the legal concept of lapsed appropriations and therefore a liability should not have been recognised. Reduction in 'other current liabilities' and a corresponding increase of 'appropriation revenue' by
$72.4 million at 30 June 2020.
Contract assets and contract liabilities  
The department incorrectly disclosed 'contract assets' and 'contract liabilities' related to revenue streams accounted under AASB 15 'Revenue from Contracts with Customers' as 'receivables' and 'payables'. AASB 15 requires separate disclosure of these assets and liabilities. Reclassification $40.0 million from 'receivables' to 'contract assets' at 30 June 2020 and $35.7 million at 1 July 2019.
Reclassification $44.1 million from 'payables' to 'contract liabilities' at 30 June 2020 and $43.8 million at 1 July 2019.
Property leases  
Property NSW manages the department's office building leases. In 2020–21, it identified that some occupancy of certain floor space shared with other NSW Government agencies did not meet the criteria of right-of-use assets under AASB 16 'Leases'. Reduction in right-of-use assets and lease liabilities by $39.5 million at 30 June 2020.

Material misstatements identified in the implementation of AASB 1059 ‘Service Concession Arrangements – Grantor’

The department has a service concession arrangement with a private sector entity, Australian Registry Investments (trading as NSW Land Registry Services), to operate the NSW land titling registration concession. A service concession arrangement contractually obliges the private sector operator to create and maintain land titling records on behalf of the Department. Under the concession deed, the department controls the land titling database. The private sector operator is responsible for maintaining and operating the land titling database.

In 2017, the department received $2.7 billion from the private operator in consideration for the right to operate the NSW Land Titling Registry. The $2.7 billion upfront cash consideration was recorded as a 'service concession liability' and subsequently recognised as 'revenue' progressively over the concession period.

In 2020–21 AASB 1059 'Service Concession Arrangements: Grantors' became effective for all NSW public sector agencies. The new standard addressed the lack of specific guidance for public sector grantors or service concessions, and to minimise divergence of accounting practices for arrangements involving these arrangements. The department assessed its service concession arrangement and concluded that it was within the scope of AASB 1059.

The implementation of AASB 1059 had a significant impact on the department's financial statements. Upon initial adoption of AASB 1059 at 1 July 2020, the department recognised:

  • an increase in service concession assets of $845 million at 1 July 2019
  • an increase in accumulated funds of $845 million at 1 July 2019.

AASB 1059 mandates the use of current replacement cost as the fair value approach to measure service concession assets. The valuation of an intangible service concession asset requires significant judgements and estimations. The majority of valuation data inputs were sourced from the private operator. It is important that the department has appropriate systems, processes and resources to implement the new accounting standard. We found that the department had made some necessary modifications to system and processes to implement AASB 1059 in 2020–21. The main issues identified during the audit include:

  • late resolution of valuation judgements and assumptions resulted in delays in submitting related balances and disclosures in the financial statements
  • material exceptions in the data and assumptions applied in valuing the land titling database resulted in material adjustments to the financial statements which were corrected
  • validation required to verify valuation data input and assumptions applied by the private operator.

The department engaged an external valuer to value the land titling database. There were material exceptions in data and valuation assumptions. These resulted in an increase in the valuation of land titling database from initial valuation of $575 million to $845 million at the first day of implementation (1 July 2019). The department corrected this misstatement before it submitted the financial statements.

The current replacement cost of the database included direct labour costs and overhead costs provided by the private operator. Some of the data, including the allocation of staff across different registers in the database, were not sourced directly from the private operator's audited financial statements. The department is yet to implement a validation process to verify unaudited valuation data and assumptions.

A performance audit of integrity of data in the land titles registry is planned for 2021–22 to 2022–23. It will examine how effectively the Registrar General monitors the private operator's operation of the land titles registry in respect of defined service levels, key performance indicators and the integrity and security of the data in the register.

Uncertainty exists in applying AASB 1059 to account for new land titling records

Under AASB 1059, the department (the grantor) should recognise an increase in service capacity of the land titling database as a service concession asset and a corresponding liability. As the department does not have a contractual obligation to pay cash or another financial asset to the operator for the increase in service capacity of the land titling database, and instead grants the operator the right to earn revenue from third-party users, the department should recognise a 'grant to a right to the operator' (GORTO) liability as the unearned portion of the revenue arising from the exchange of assets between the grantor and the operator.

The department recognised new records in the land tilting database in 2019–20 and 2020–21 as a revaluation movement instead as an increase in GORTO liability. It could be reasonably argued that the new records increase the service potential of the database as they provide currency and completeness of land titling information in the database. In this case, new records would be considered as updates to the database contributed by the private operator and increased the GORTO liability. The accounting difference is $35.2 million which the audit team reported it as uncorrected misstatements in the Department’s financial statements.

Recommendation

We recommend the Department of Customer Service:

  • establish an independent process to validate key valuation inputs and assumptions provided by the private sector operator NSW Land Registry Services, such as the determination and allocation of labour costs to different registers in the land titling database
  • coordinate with NSW Treasury, as part of the new accounting standard post-implementation review process, to consult with staff members in the Australian Accounting Standards Board to clarify the application of AASB 1059 on subsequent capitalisation of intangible assets.

Valuation of plant and equipment

New South Wales Government Telecommunications Authority valued its plant and equipment for the first time

The New South Wales Telecommunications Authority (the Authority) obtained an independent valuation of plant and equipment for the first time. At 30 June 2021, The Authority recorded $401.9 million as 'plant and equipment'. Of this amount, $216.6 million was the value of 'assets under construction' relating to the Critical Communications Enhancement Program which is expected to be completed in December 2024.

The audit team identified exceptions in the valuation input testing and assumptions, resulted in material changes to the valuation outcome. The valuation movement changed from $50,000 valuation decrement to $9.4 million valuation increment. Other observations include:

  • The valuation was not completed in time for early close due to the complexity of valuing telecommunication assets and the delay in engaging an independent valuer to perform the valuation.
  • The allocation methodology of overhead including program management, network integration and construction, design and installation costs to individual assets within plant and equipment was not formalised on a timely basis to ensure consistent and reasonable allocation of these costs.
  • Fixed assets register was not used for its annual stocktake and valuation source which raises concern over the completeness, accuracy and existence of assets subject to valuation. The valuer used the asset listing which is used by the Authority's external service provider for its maintenance program. The external service provider's asset listing was not reconciled to the fixed assets register.
  • The fixed assets register is yet to be updated to reflect the outcome of the valuation including the revised useful lives of assets.

Recommendation

We recommend New South Wales Government Telecommunications Authority improve its fixed asset management and financial reporting process to accommodate its growing fixed asset profile.

Delivery of COVID-19 stimulus packages

Material misstatements from accounting of COVID-19 stimulus packages

The Customer Service cluster is responsible for delivering a series of NSW Government’s financial assistance, support measures and tax relief to help businesses and people across the state impacted by the COVID-19 restrictions. These include Dine and Discover NSW voucher scheme, payroll tax concessions, payroll tax deferral and gaming machine tax deferral.

In our early close audit, we reported delays in finalising the accounting assessment of government grants and subsidies, which resulted in material corrected misstatements in the department's financial statements (refer to previous commentary on the department's corrected misstatements and prior period errors relating to administered items).  

Impairment of assets

Impairment of assets due to uncertainty on the direction of an IT program

The department led the implementation of a cross-cluster shared services and Enterprise Resource Planning (ERP) systems rationalisation program named ERP 2.0, a strategic and collaborative five-cluster approach to standardise the ERP programs across five of the eight clusters:

  • Treasury
  • Customer Service
  • Planning, Industry and Environment
  • Premier and Cabinet
  • Stronger Communities.

The Secretaries Board endorsed this program which started on 1 July 2019 with estimated investment of $177.3 million ($125 million capital and $52.3 million operating) over four years. The program had completed strategic and design phases. The department was originally included in the ERP program scope and was a key player along with the other clusters, however its involvement in the program has been delayed and the program is moving to Stronger Communities as the new sponsor.

The department spent $23.0 million in 2020–21, which is funded by the Digital Restart Fund, on Enterprise Resource Planning (ERP) 2.0 and whole-of-government SAP licenses. At year-end, the department recorded an impairment loss of $21.5 million in the financial statements for costs capitalised during the year. The impairment was based on management assessment that the future economic benefits of these costs to the department expired when the Secretary Board changed the future direction and sponsor of this program on 12 August 2021. Management's view was that there was significant uncertainty on this direction and role of the department under the new arrangement. 

2.5 Key financial statement risks

The table below details our specific audit coverage and response over key areas of financial statements risks that had the potential to impact the financial statements of cluster agencies.

Department of Customer Service

The department of Customer Service is an integrated customer service government department. It aims to plan, prioritise, fund and drive digital transformation and customer service across every Cluster in the NSW Government.

  Key financial statement risk Audit response
Service concession asset
- land tilting database
$844 million
Our audit risk rating is higher because:
  • the service concession arrangement is financially significant to the department's financial position
  • the accounting standard for the service concession arrangement has been applied for the first time
  • the measurement of the land titling database is complex and involve significant judgements and assumptions
  • of the additional disclosure requirements in the financial statements.
Our audit procedures assessed the competency, capability and objectivity of management's independent valuation expert, assessed the appropriateness of the methodology, key assumptions and judgements adopted, and tested the key inputs and mathematical calculation of the valuation model.
Note disclosure - Administered duties and taxes revenue
$32.7 billion

Note disclosure -
Administered taxation and fines receivables
$4.6 billion including
$356.8 million allowance for impairment for taxation and fines

Our audit risk rating is higher due to:

  • the financial significance of taxation revenue, and related receivable in the disclosure of the department’s administered activities
  • the significant impact on the timing of administered taxation revenue
  • the significant impact of COVID-19 stimulus measures implemented by the NSW Government on the recognition and measurement of administered taxation revenue including deferral of lodgements in returns for self-assessed taxes
  • significant judgements and assumptions required in the calculation of the allowance related to taxation receivable.
Our audit procedures evaluated the design and tested operating effectiveness of controls over key administered revenue streams, including land tax, payroll tax, duties, gaming machine taxes and mineral royalties. The audit team recalculated key administered revenue streams for reasonableness against the requirements of the relevant taxation legislation.
Regarding the impairment of receivable, the audit team assessed the methodology and assumptions used to estimate the allowance for impairment related to administered taxation receivable against historical recoverability rates and write-off of debt for reasonableness, and recalculated the allowance for impairment recognised for mathematical accuracy.

Service NSW

Service NSW delivers one-stop-shop services for customers, businesses and partner agencies. It delivers transactional services on behalf of NSW Government agencies. Service NSW holds money in a Trust Fund which it performs only a custodial role in respect of these monies. The Trust Fund cannot be used for the achievement of Service NSW’s own objectives therefore transactions related to the fund are not recognised as 'revenue', 'expense', 'assets' and 'liabilities' in the financial statements. 

  Key financial statement risk Audit response

Note disclosure - Amounts Held on Behalf of Other Agencies

Receipts:
$4.6 billion

Payments:
$4.8 billion

Service NSW disclosed the Trust Fund in the notes 'Amounts Held on Behalf of Other Agencies' in the financial statements. Our audit risk rating is higher because:

  • the note disclosure is financially significant to Service NSW’s financial statements
  • the TPP 21-03 ‘Guidance on Administered Items’ released in April 2021 required management to assess the control of the underlying transactions depending on the realisation of benefits and discretion criteria by Service NSW for each program.
Our audit procedures reviewed management’s assessment of programs managed on behalf of other agencies. The audit team obtained confirmation with respective agencies that controlled the underlying transactions and/or balances, tested the design and implementation of key controls and transactions for selected grant programs, and assessed the adequacy of financial statement disclosures against applicable Australian Accounting Standards.


Long Service Corporation

Long Service Corporation (the Corporation) administers portable long service schemes in NSW for building and construction industry and contract cleaning industry. 

  Key financial statement risk Audit response
The valuation of scheme liabilities of
$1.6 billion

Our audit risk rating is higher because:

  • of the financial significance of the scheme liabilities to the Corporation
  • of the judgement needed to develop assumptions and the complexity of valuation models used to value the scheme liabilities
  • the scheme liabilities may change significantly and unexpectedly with changes in assumptions.
With the assistance of an actuarial specialist, the audit team evaluated the competence, capabilities and objectivity of the Corporation’s actuary, and performed an overall assessment of the valuation methodology, key assumptions and models used to value the Corporation's scheme liabilities.

Rental Bond Board

The Rental Bond Board (the Board) is the independent custodian of rental bonds paid by tenants to landlords for residential tenancies. Landlords must lodge tenants' bond money with the Board.

  Key financial statement risk Audit response
Note disclosure -
$1.7 billion in residential bonds are held in trust

Our audit risk rating is higher because:

  • the note disclosure is financially significant to the Board’s financial statements
  • the Board has determined that it does not control the rental bonds and plays a custodial role. Crown solicitors advised that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to remove any uncertainty concerning the treatment of bonds
  • TPP 21-03 'Guidance on Administered Items' released in April 2021 required management to assess the control of the underlying transactions.
Our audit procedures evaluated the design, implementation and operating effectiveness of the rental bond online system controls and sample tested the rental bonds movements and confirmed the fund balance at year-end.
The audit team accepted management’s accounting treatment of rental bonds however recommended to management that it seeks to have the Act clarified to remove any uncertainty concerning the treatment of bonds.

New South Wales Government Telecommunications Authority

The New South Wales Government Telecommunications Authority (the Authority) leads sector-wide reform and delivery of government operational communications to enable stakeholders to better respond to the NSW community.

  Key financial statement risk Audit response
Property, plant, and equipment
$404.4 million

Our audit risk rating is higher due to the:

  • financial significance of property, plant and equipment in the Statement of Financial Position
  • first time comprehensive revaluation performed by the Authority on plant and equipment in 2020–21
  • specialised nature of the telecommunication assets
  • extent of significant management judgements underpinning key assumptions used in the valuation process.
Our audit procedures assessed the competence, capability and objectivity of management’s independent valuer, tested the valuation assumptions and assets data, and evaluated the adequacy of the financial statement disclosures against the requirements of applicable Australian Accounting Standards and NSW Treasurer's Directions.

State Insurance Regulatory Authority

State Insurance Regulatory Authority (SIRA) regulates motor accidents CTP insurance, workers compensation insurance and the home building compensation scheme in NSW.

  Key financial statement risk Audit response
Insurer’s Guarantee Fund (IGF)
outstanding claims liability
$89.8 million

Our audit risk rating is higher due to:

  • the judgements and estimates applied in valuing the IGF outstanding claims liability
  • the claims liability may change significantly and unexpectedly with changes in assumptions.
With the assistance of an actuarial specialist, our audit procedures evaluated the competence, capabilities and objectivity of SIRA's actuary, and assessed the reasonableness of the valuation methodology, assumptions and key inputs used by SIRA's actuary to calculate the outstanding claims liability.


Office of Independent Review Officer

The Office of the Independent Review Office (the Office) was newly established on 1 March 2021. The Office manages and administers the Independent Legal Assistance and Review Service (ILARS). Grants of funding are provided by the Office to enable injured eligible workers to obtain independent legal advice, assistance and representation in respect to their rights and entitlements to workers compensation benefits.

  Key financial statement risk Audit response
Independent Legal Assistance and Review Service (ILARS) Grants
$30.3 million

Note disclosure - contingent ILARS grants liability
$118.4 million

Our audit risk rating is higher due to:

  • the financial significance of the grant expenditure and note disclosure to the Office
  • significant estimates and assumptions involved in predicting the contingent ILARS grants liability.
Our audit procedures evaluated management's accounting treatment of ILARS grants, tested a sample of grant transactions to ensure they were approved by appropriate authorities and recorded in the correct period.
The audit team reviewed management's accounting estimates of contingent ILARS grants liability and evaluated the key assumptions and judgements applied in the estimation.


Independent Liquor and Gaming Authority

The Independent Liquor & Gaming Authority (the Authority) is a statutory decision-maker responsible for a range of casino, liquor, registered club and gaming machine regulatory functions including determining licensing and disciplinary matters under the gaming and liquor legislation.

  Key financial statement risk Audit response
Legal costs
$11.6 million

Our audit risk rating is higher because of the:

  • significance of legal and related costs of the inquiry under section 143 of the Casino Control Act 1992
  • ability of the Authority to fund the inquiry.
Our audit procedures reviewed the funding arrangement of the Authority with the Department of Customer Service and tested on sample basis the legal and related costs for accuracy and validity.

3. Audit observations

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.

Section highlights

  • The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. Twenty-six moderate risk issues were repeat issues. The most common repeat issues related to information technology controls around user access management.
  • The magnitude and number of internal control qualification issues from GovConnect service providers have increased. Ineffective controls at service providers increase the risk of fraud, error and security to data. Urgent attention is required to remediate the internal control exceptions in information and technology services.
  • The NSW Public Sector's cyber security resilience needs urgent attention. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Findings reported to management

Forty-two per cent of findings reported to management were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating. 

Risk rating Issue
Information technology
High3
1 new,
1 repeat

The financial audits identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with:

  • internal control exceptions in information and technology services provided by GovConnect service providers
  • inadequate change management controls
  • poor user access administration and no monitoring of privileged user activities
  • insufficient cybersecurity controls and processes.

High-risk issues are discussed later in the chapter.

Moderate2
5 new,
8 repeat

Low1
7 new,
5 repeat

Internal control deficiencies or improvements

Moderate2
5 new,
3 repeat

The financial audits identified internal control weaknesses across key business processes, including:

  • lack of documentation support for payroll transactions
  • untimely removal of unused transaction negotiation authority facility and old bank signatories
  • inadequate fixed asset management controls including timely capitalisation of project overhead costs.

 Low1
3 new,
2 repeat

Financial reporting

High3
1 new

The financial audits identified opportunities for agencies to strengthen financial reporting, including:

  • uncertainties in legislation to support accounting of rental bonds as funds held in trust
  • improvements required in lease accounting including the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy 
  • the removal of fully depreciated assets in the fixed asset register was not timely
  • the quality and timeliness of completing early close procedures required improvement.

High-risk issues are discussed later in the chapter.

Moderate2
9 new,
8 repeat

Low1
7 new,
3 repeat

Governance and oversight
Moderate2
10 new,
3 repeat

The financial audits identified opportunities for agencies to improve governance and oversight processes, including:

  • renewing or finalising service arrangement agreements between agencies were required 
  • lack of formalised documentation regarding arrangements with external providers for leasing and use of assets.
Low1
3 new
Non-compliance with key legislation and/or central agency policies
Moderate2
4 new,
4 repeat

The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including:

  • non-compliance with contract and procurement management policy, including the use of purchasing cards
  • non-compliance with TC 21-02 'Statutory Act of Grace Payments'
  • annual leave in excess of 30 days where Circular 2020-12 requires agency heads to reduce employee recreation leave balances to 30 days or less.
Low1
1 repeat

4 Extreme risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
3 High-risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
2 Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
1 Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based on management letters issued to agencies.

2020–21 audits identified three high-risk findings

High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.

Agency Description
2020–21 findings  
Department of Customer Service
Repeat finding:
Qualifications and control deviations in GovConnect NSW controls assurance reports

The GovConnect information technology general controls (ITGC) provided by the department, Infosys and Unisys were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The control deficiencies in ITGC increase:

  • the risk of unauthorised transactions, system and configuration changes (workflow approvals, three-way match etc.) and modifications to the system reports
  • incomplete, invalid and inappropriate system access, segregation of duties controls and system reports for the customers using the SAPConnect.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. It is leading a new IT operating model called ‘Service Integration and Application Management’ (SIAM) to strengthen governance and improve performance of GovConnect service providers. The Department is responsible for the remediation of control deficiencies and continuous improvement in the GovConnect environment.

This matter was assessed as high-risk, if not adequately addressed, it had the potential to result in material fraud and error in the department's financial statements and reputation damages.

This issue is further discussed later in this chapter.

2020–21 findings  
Department of Customer Service
New finding:
Change management significant control deficiencies

Revenue NSW, a division of the department has a key role in managing the State’s finances. It administers State taxes, manages fines, recovers State debt and administers grants and subsidies.

The audit team found significant control deficiencies in change management controls:

  •  appropriate system controls were not in place to restrict developers from releasing changes to the live business systems
  • 8 developers had direct access to the business application servers used for calculating and administering State taxes.

We have included this matter as a high-risk management letter finding, as the audit team could not identify mitigating controls. The system activity of these developers was also not being independently logged and monitored. This increases the risk of unauthorised system change. This can significantly affect the integrity of tax calculation, business process approvals, invalid changes to bank accounts, unauthorised refunds and write-offs. The audit team conducted a risk analysis over the relevant business processes affected by this issue and performed additional audit procedures to address the audit risk.

Rental Bond Board
Repeat finding: Accounting treatment of rental bonds held in trust

The Rental Bond Board (the Board) holds rental bonds totalling $1.7 billion at 30 June 2021. The Board treated the rental bonds off-balance sheet and disclosed the rental bonds as ‘trust funds’. This treatment is based on management’s judgement that the Board does not have control of these funds.

Previously the Board obtained advices from the Crown Solicitors who stated that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to better support its accounting treatment of rental bonds. The Board has initiated the need to amend the Act, however the implementation of the legislative amendments is still pending.

This matter was assessed as high-risk, if not adequately supported, it had the potential to result in material misstatements in the Board's financial statements.


The number of moderate risk findings increased from prior year

Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.

Moderate risk findings include:

  • weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
  • accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
  • formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
  • use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.

The magnitude and number of internal control exceptions in GovConnect service providers have increased

In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.

The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.

The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.

The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.

ASAE 3402 controls report# 2015–16^ 2016–17 2017–18 2018–19 2019–20 2020–21
Infosys Accounts receivable Qualified Unqualified Unqualified Unqualified Unqualified Qualified
Infosys Accounts payable Qualified Qualified Unqualified Unqualified Unqualified Unqualified
Infosys Fixed assets Qualified Unqualified Unqualified Unqualified Unqualified Unqualified
Infosys General ledger Qualified Qualified Unqualified Unqualified Unqualified Unqualified
Infosys Payroll Adverse Qualified Unqualified Unqualified Unqualified Unqualified
Infosys ITGC Qualified Qualified Unqualified Unqualified Unqualified Qualified
Unisys ITGC Qualified Unqualified Qualified Qualified Unqualified Qualified
The department ITGC* -- -- -- -- Qualified Qualified
ServiceFirst** Disclaimer -- -- -- -- --

# The ASAE 3402 controls reports were issued by an independent private sector service auditor appointed by the Department of Customer Service.
* Information technology services were transitioned from Unisys to the department in phases from 2019–20 to 2020–21.
** ServiceFirst was the shared service centre and its last reporting period was from 1 July 2015 to 13 December 2015.
^ GovConnect first reporting period from 14 December 2015 to 30 June 2016.

In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:

  • the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
  • of the deviations identified during sample testing of ITGC controls
  • the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.

Internal control exceptions in GovConnect information and technology services require urgent remediations

The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:

  • fraud and error in the financial statements
  • ineffective segregation of duties controls
  • accuracy and completeness of system generated reports for the agencies using the SAPConnect system.

The table shows the number of ITGC control deviations compared to prior year:

Year ended 30 June 2021 2020
  Total controls tested Total number of control deviations and findings Total controls tested Total number of control deviations and findings
Infosys ITGC 41 16 35 8
Unisys ITGC 25 11 33 4
DCS ITGC 31 9 10 5

Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The service auditor identified significant areas for remediation:

  • governance arrangement of the IT services
  • user access management controls
  • SAP database controls
  • logical access
  • incident management.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.

The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.

Recommendation

We recommend the Department of Customer Service:

  • improve governance and internal control environment over the information technology services
  • ensure GovConnect service providers prioritise remediation actions to address internal control exceptions
  • perform a post-implementation review of the transition of the Unisys arrangement to identify lessons learnt and continuous improvement
  • develop data analytics to help analyse and identify high-risk patterns and anomalies in GovConnect key transaction systems, augmenting their existing monitoring and detective controls.

The NSW Public Sector's cyber security resilience needs urgent attention

The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.

The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:

  • considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
  • examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
  • conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.

A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:

  • clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
  • require agencies to report the target level of maturity for each mandatory requirement.

A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.

The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.

The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.

Repeat recommendation

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Management of cyber security risk

Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.

Our assessment of the department’s own cyber risk management shows that:

  • an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
  • a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.

The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.

Recommendation

We recommend the Department of Customer Service:

  • establish an approved security incident response plan and formal process over patch management
  • improve communications with cluster agencies over the controls and assurance in cyber security management.

4. Appendices

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Status of 2020 recommendations

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.