Media release
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19, agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events,’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
Executive summary
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
New, repeat and high risk findings
Internal control deficiencies increased by 13 per cent compared to last year. This is predominantly due to a seven per cent increase in new internal control deficiencies and a 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
Common findings
A number of findings remain common across multiple agencies over the last four years, including:
2. Information technology controls
IT general controls
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems, and to remove that access once it is not required or employment is terminated.
3. Business continuity and disaster recovery planning
Assessing risks to business continuity and scenario testing
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies, but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.
Responding to disruptions
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 and 31 December 2019. For instance:
- in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee
- in 95 per cent of instances where a disaster recovery response was activated, a post-incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.
Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.
Management review and oversight
Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.
4. Procurement, including emergency procurement
Policy framework
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities
While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement, released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being used efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
5. Delegations
Instruments of delegation
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.
Compliance with delegations
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.
6. Status of 2019 recommendations
Progress implementing last year's recommendations
Recommendations were made last year to improve transparency over reporting on gifts and benefits, and to improve the visibility that management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.
1. Introduction
1.1 State sector agencies
This report covers the findings and recommendations from our 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The agencies included in this report deliver a diverse variety of services and are exposed to numerous financial, operational and strategic risks. Effective internal controls and governance frameworks help to mitigate the likelihood of risks arising and their severity if they do.
A list of the 40 agencies included in this report is in Appendix 3.
1.2 Financial snapshot
The 40 agencies selected for this volume constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies. The snapshot below provides an indication of the collective size of assets, liabilities, revenue and expenses of these 40 agencies for the year ended 30 June 2020.
| | Number of agencies | Assets $ billion | Liabilities $ billion | Revenue $ billion | Expenses $ billion |
|---|---|---|---|---|---|
| Departments | 15 | 197.1 | 120.1 | 78.5 | 73.7 |
| State Owned Corporations | 7 | 31.4 | 26.7 | 5.9 | 5.2 |
| Statutory bodies | 18 | 214.6 | 23.6 | 33.2 | 29.1 |
| Total | 40 | 443.1 | 170.4 | 117.6 | 108 |
1.3 Areas of focus
The report focuses on aspects of government preparedness for recent emergencies
The bushfire and flood emergencies and the COVID-19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. It has involved emergency response coordination and service delivery in crisis conditions. It has required the development of, or changes to governance, policies, systems and processes so agencies can respond quickly and provide for the immediate needs of citizens.
The Audit Office is focussed on the changing risk environment presented by these events and how effectively emergency responses have been delivered, in particular the financial and governance risks arising from the scale and complexity of government responses to these events.
As a result, this report focuses on:
Internal control trends and information technology controls
Our financial audits consider, at a minimum, the design and implementation of the internal controls agencies have in place that are relevant to our audit of the financial statements. This work also takes into account changes to financial and IT control environments arising from the recent emergencies and machinery of government changes. This includes the prevalence of remote working arrangements and changes in roles and responsibilities. Consistent with prior years, the report focusses on trends in high risk, common and repeat findings reported to agencies in our management letters, including any new or emerging risks that have arisen during the year.
Business continuity and disaster recovery planning
Business continuity and disaster recovery plans help government agencies build and maintain resilience during a disaster, crisis or other disruption to their essential operations. Good planning enables government agencies to maintain operations during these times, as well as restore operations to normal in the shortest time possible. This report focuses on whether agencies have:
Procurement, including emergency procurement
Procurement and purchasing are common areas where fraud and corruption can occur. This risk can increase in an emergency where pressure exists to take risks to procure goods and deliver services quickly. To do so may mean agreeing to contract variations or engaging in direct negotiations that would not be contemplated in normal circumstances. This report focusses on whether agencies have:
Delegations
The machinery of government changes, effective from 1 July 2019, transferred staff and functions between agencies, as well as abolished and created new agencies. The staged implementation of the Government Sector Finance Act meant that from 1 July 2019 own-sourced revenues were designated as deemed appropriations, limiting an agency's authority to spend from the consolidated fund. There were also a number of changes to key management personnel across agencies. It is important that instruments of delegation are updated whenever there are key changes so that agencies can continue to function and operate lawfully.
Agencies can use this report to build resilience and agility by enhancing their internal control and governance frameworks
The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2020 cluster financial audit reports, which will be tabled in parliament during December 2020.
1.4 Sector wide learnings
Internal and information technology controls
- Focus on review and update of policies and procedures that have passed their scheduled review date. A policy register should be maintained and policies and procedures that have passed their scheduled review date should be reported to those charged with governance regularly so remedial action can be taken.
- Address repeat internal and information technology control deficiencies by ensuring:
- Review the implementation of user access controls to adequately protect the key financial and non-financial systems, focussing on the processes in place to grant, remove and monitor user access.
- Review the number of privileged users and the level of access granted to privileged users, and assess and document the risks associated with their activities. Based on this review agencies should:
Delegations
- Ensure financial and human resources delegation manuals contain regular set review dates and a requirement to review delegations when events such as machinery of government changes, changes in key legislation, or internal restructures may indicate changes are required to delegated authorities.
- Review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. This will also help to ensure they are accurate and avoid gaps and errors.
- Regularly communicate the requirements of financial and human resources delegations to staff so that they have a strong awareness of their authority, including limitations/conditions on the ability to exercise their delegated power.
- Regularly monitor and test compliance with financial and human resources delegations so that those charged with governance have assurance that there is a culture of compliance with delegations within the agency.
Business continuity and disaster recovery planning
- Align business resilience frameworks, such as risk management, business continuity, crisis management and ICT disaster recovery to ensure they enable a co-ordinated and consistent response to an emergency, crisis or other business disruption.
- Perform business impact analysis to identify critical business functions. The business impact analysis should capture several key elements, including the supporting IT systems and infrastructure, key dependencies and maximum tolerable outage and recovery time objectives.
- Re-assess risks to business continuity, as a result of the recent emergency situations so that previously unforeseen or other emerging risks and opportunities are identified and treated or exploited.
- Ensure disaster recovery plans are in place for all key IT systems and infrastructure identified by the business impact analysis.
- Incorporate key third parties who support or contribute to critical business functions in business continuity and disaster recovery scenario testing exercises. Report on the outcomes of business continuity and disaster recovery scenario testing exercises to the audit and risk committee.
- Assess the response to the recent emergencies and update business continuity, disaster recovery or other business resilience frameworks to capture any lessons learnt.
- Create a forward plan to test all high risk critical business functions and key IT systems and infrastructure within a timeframe acceptable to those charged with governance.
- Consider incorporating review of agency business continuity or disaster recovery planning arrangements in the strategic internal audit plan.
Procurement, including emergency procurement
- Review procurement policies and guidelines to ensure they capture the key requirements of the NSW Procurement Policy Framework, including NSW Procurement Board Directions.
- Ensure that procurement plans are established for significant procurement activities and that they adequately assess procurement requirements.
- Ensure tender evaluation committees are established to oversee major procurement and that members have declared conflicts of interest, including nil declarations, and that those committees prepare tender evaluation plans and evaluation reports.
- Maintain a centralised contract register that is reviewed by the procurement business unit on a regular basis to identify contracts that are nearing their end date so procurement activity can be commenced in a timely manner.
- Perform and document robust value for money assessments for contract renewals or extensions where a competitive process is not undertaken. Consider developing a template to support this process.
- Provide on-going training and support to staff undertaking procurement activity.
- Review and update procurement frameworks to better respond to emergency situations that may arise in the future. This should include updating procurement policies and guidelines to define an emergency situation, specifying who can approve emergency procurement, capturing other key requirements, and establishing processes to report to those charged with governance and NSW Procurement on emergency procurements undertaken.
2. Internal control trends
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Section highlights
We identified ten high risk findings, compared to four last year, with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.
2.1 High risk findings
High risk findings arise from failures of key internal controls and/or governance practices of such significance they can affect an agency’s ability to achieve its objectives or impact the reliability of its financial statements. This in turn, increases the risk that the audit opinion will be modified.
We rate the risk posed by each financial and IT control deficiency as ‘High', ‘Moderate’ or ‘Low’. The rating is based on the likelihood of the risk occurring and the consequences if it does. The higher the rating, the more likely it is that agencies will suffer losses or that their service delivery will be compromised. Our risk assessment matrix aligns with the risk management framework in NSW Treasury’s Risk Management Toolkit for the NSW Public Sector.
The number of high risk findings has increased from last year
We identified ten high risk findings, compared to four high risk findings in 2018–19, with two repeat deficiencies from the previous year. Nine of the ten high risk deficiencies related to financial controls and one related to IT controls.
Agencies should continue to address high risk internal control deficiencies as a matter of priority.
| High risk finding | Implication | Further reporting |
|---|---|---|
| Deficiencies in controls to manage privileged user access administration and monitor privileged user activities were noted on a key business system. Audit logs were not maintained or reviewed. We identified generic privileged user accounts and privileged user accounts with unidentified users. | Privileged users are able to access key systems and functions. They may also be able to remove records of their activity if programmed logging features are disabled. Inappropriate privileged user access exposes agencies to greater risk of unauthorised changes to systems and data by these users, or by cyber criminals using their logon details. The unauthorised changes may not be identified in a timely manner and/or be traceable to individual users. | Further detail on this issue will be included in the Report on Education, which will be tabled in December 2020. |
| We noted a high number of exceptions in underlying lease data maintained by an agency managing a high volume of leases. This included differences between recorded data and the key terms and conditions in the underlying contracts, including lease payments, lease terms and extension options. | Data quality issues could create a risk of material misstatement to the agency’s financial statements. Inaccurate data may also render the agency unable to effectively manage its portfolio of leases. | Further detail on this issue will be included in the Report on Planning, Industry and Environment, which will be tabled in December 2020. |
| An agency did not perform a timely and detailed assessment of the impact of the new revenue and leasing accounting standards effective from 1 July 2019 and of the accounting treatment of several stimulus packages on the financial statements. These transactions were material to the agency. | Lack of timely and robust assessments with detailed documentation to support the application of the Australian Accounting Standards and Treasury Guidance Papers could result in a material misstatement to the agency’s financial statements. | Further detail on this issue will be included in the Report on Central Agencies, which will be tabled in December 2020. |
| We identified an instance of non-compliance with the Appropriation Act 2019 (the Act) in relation to use of an appropriation received under the Act. The appropriation received under the Act is required to be used for specific purposes outlined in the Act. However, the cluster used the additional funding for purposes that were not consistent with the purpose for which it had been appropriated. | Inadequate legislative compliance processes and assessment of relevant legislative requirements before approving transactions can result in the agency not complying with key laws and regulations. | Further detail on this issue will be included in the Report on Central Agencies, which will be tabled in December 202 |
| The fair value assessment of an asset class was not completed at an agency and as a result these assets may not be recorded at fair value. | Lack of fair value assessments increases the risk of a material misstatement in the agency financial statements and non-compliance with the applicable Australian Accounting Standards and Treasury Guidance Papers. | Further detail on this issue will be included in the Report on Regional NSW, which will be tabled in December 2020. |
| An agency did not complete, or only partially completed, a number of the mandatory early close procedures required under the Treasurer's Directions and Treasury Guidance Papers issued. | Non-compliance with Treasurer's Directions and Treasury Guidance Papers. | Further detail on this issue will be included in the Report on Regional NSW, which will be tabled in December 2020. |
| As part of the current year valuation process for one agency, several properties were identified that were transferred to the agency in the prior year but had not been recorded at the date of transfer in a timely manner. | Financial and non-financial risks and obligations in relation to the transferred assets may not be adequately assessed. Deficiencies in processes to identify and promptly account for transferred properties may result in material misstatement of the financial statements. | Further detail on this issue will be included in the Report on Transport, which will be tabled in December 2020. |
| An agency did not implement controls to monitor and record the transfer of capital works constructed on behalf of third parties. This resulted in the agency not recording the transfer of completed constructed assets to third parties in the financial year that it occurred. | Deficiencies in the processes to record the transfer of capital works may result in material misstatement of the financial statements. | Further detail on this issue will be included in the Report on Transport, which will be tabled in December 2020. |
| An agency did not maintain adequate documentation to support the allocation of indirect costs recovered from specific funds managed by the agency. | Lack of documentation to support the allocation of indirect costs increases the risk that the allocation basis and methodology applied is inequitable. | Further detail on this issue will be included in the Report on Central Agencies, which will be tabled in December 2020. |
| An agency was converted from a not-for-profit statutory body to a for-profit statutory state owned corporation from 1 July 2020. However, at the time of concluding our audit, the agency responsible for managing the transition had not finalised the operating model and Statement of Corporate Intent (SCI). | The arrangements may impact on financial reporting, which will be a key area of audit focus in 2020–21. | Further detail on this issue was included in the Report on State Finances 2020. |
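The first high risk finding above (generic privileged accounts, accounts with no identifiable user, audit logs not maintained or reviewed) and the NSW Cyber Security Policy requirement to remove access on termination describe checks an agency can run routinely. The following is an added example, not code from the Audit Office or any agency: it reconciles a privileged-account inventory against an HR register and flags each class of exception. The field names, the generic-name markers and the 30-day log-review threshold are assumptions, and every record is constructed.

```python
"""Privileged-account reconciliation against an HR register (added example).

Not code from the Audit Office or any agency. Field names, generic-name
markers and the log-review threshold are assumptions; all data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Name fragments that suggest a shared or generic account (assumed list).
GENERIC_MARKERS = ("admin", "shared", "service", "generic", "root")


@dataclass
class PrivAccount:
    name: str
    system: str
    owner_id: Optional[str]            # HR identifier of the person using the account
    enabled: bool
    log_enabled: bool                  # audit logging switched on for this account
    log_last_reviewed: Optional[date]  # last documented review of its audit log


@dataclass
class StaffRecord:
    staff_id: str
    status: str                        # "active" or "terminated"
    end_date: Optional[date]


def review_privileged_access(accounts: List[PrivAccount], staff: List[StaffRecord],
                             as_of: date, log_review_days: int = 30
                             ) -> List[Tuple[str, str, str]]:
    """Return (control, account, system) for every exception found."""
    register = {s.staff_id: s for s in staff}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used; nothing to remediate
        # Ownership checks: generic, unidentified, or belongs to a leaver.
        if acct.owner_id is None or any(m in acct.name.lower() for m in GENERIC_MARKERS):
            findings.append(("generic-account", acct.name, acct.system))
        elif acct.owner_id not in register:
            findings.append(("unidentified-user", acct.name, acct.system))
        elif register[acct.owner_id].status == "terminated":
            findings.append(("terminated-user-access", acct.name, acct.system))
        # Logging checks: logs must exist and must actually be reviewed.
        if not acct.log_enabled:
            findings.append(("audit-log-disabled", acct.name, acct.system))
        elif (acct.log_last_reviewed is None
              or as_of - acct.log_last_reviewed > timedelta(days=log_review_days)):
            findings.append(("audit-log-not-reviewed", acct.name, acct.system))
    return findings


def summarise(findings: List[Tuple[str, str, str]]) -> dict:
    """Exceptions per control, in the form reported to those charged with governance."""
    return dict(Counter(control for control, _, _ in findings))


AS_OF = date(2020, 6, 30)

STAFF = [  # constructed HR register
    StaffRecord("s001", "active", None),
    StaffRecord("s002", "terminated", date(2020, 3, 31)),
    StaffRecord("s003", "active", None),
]

ACCOUNTS = [  # constructed privileged-account inventory
    PrivAccount("svc_admin", "Finance ERP", None, True, True, AS_OF - timedelta(days=10)),
    PrivAccount("jsmith_priv", "Finance ERP", "s001", True, True, AS_OF - timedelta(days=5)),
    PrivAccount("ablake_priv", "Finance ERP", "s002", True, True, AS_OF - timedelta(days=5)),
    PrivAccount("dba02", "HR system", "s999", True, False, None),
    PrivAccount("payroll_ops", "Payroll", "s003", True, True, None),
    PrivAccount("old_admin", "Payroll", "s002", False, False, None),  # disabled: skipped
]

if __name__ == "__main__":
    results = review_privileged_access(ACCOUNTS, STAFF, AS_OF)
    for control, name, system in results:
        print(f"{control:<24} {name:<14} {system}")
    print(summarise(results))
```

On the constructed data only `jsmith_priv` passes every check; the other four enabled accounts each raise at least one of the five controls.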
2.2 Common findings
While it is important to monitor the number and nature of deficiencies across the NSW public sector, it is also useful to assess whether deficiencies are common to multiple agencies. Where deficiencies relate to multiple agencies, central agencies or the lead agency in a cluster can help ensure consistent, timely, efficient and effective responses to identified deficiencies.
We classified the 396 internal control deficiencies we identified in 2019–20 into common categories as follows:
- financial operational deficiencies
- IT operational deficiencies
- compliance deficiencies
- reporting deficiencies.
The graph above shows that 83 per cent of the deficiencies (78 per cent in 2018–19) were financial or IT operational deficiencies, with the remainder split between compliance deficiencies (15 per cent, unchanged from 2018–19) and reporting deficiencies (two per cent, compared to seven per cent in 2018–19).
The table below describes the most common deficiencies across agencies, including their risk rating, the number of repeat deficiencies and the recommendations our management letters have communicated to agencies.
Operational deficiencies
Risk rating | New | Repeat |
High | 7 | 1 |
Moderate | 88 | 81 |
Low | 101 | 49 |
Common issue | Findings/implication | Lessons for agencies |
Policies and procedures |
Agencies have not established policies, have gaps in policies or have policies that are past their scheduled review date. These issues increase the risk that outdated policies and procedures may be followed, that policies and procedures do not reflect better practice, or where practice is not documented, the agency is at risk from the loss of corporate knowledge when staff turnover. |
Agencies should establish processes that assure its policies reflect current requirements, the organisation's current structure and delegations, and avoid duplication, contradictions or gaps. |
Maintaining master files |
Controls were not established to:
|
Agencies should:
|
Use of purchase orders | Purchase orders were created and approved only after the goods and services were purchased. | Agencies should ensure staff are trained in their obligations to comply with proper procurement practices, policies and legislation. |
Preparedness for new accounting standards implementation | Agencies have not performed a comprehensive assessment of the financial impact of adopting the new leasing and revenue accounting standards. |
Agencies should ensure:
|
Information technology | IT control deficiencies related to IT governance, user access administration, program change and computer operations. | Refer to Section 3 of this report for further details. |
Compliance deficiencies
Risk rating | New | Repeat |
High | 1 | 1 |
Moderate | 19 | 19 |
Low | 13 | 7 |
Common issue | Finding/implication | Lessons for agencies |
Contract registers |
Agencies have not established contract registers or have incomplete or inaccurate contract registers. These agencies may face challenges with:
|
Agencies should focus on establishing complete and accurate contract registers. This includes:
|
Document retention | Agencies do not always maintain documents to evidence performance of key control activities. Deficiencies reduce accountability and reduce compliance with state records legislation. |
Agencies should educate staff in their responsibilities and retain documentary evidence that they have discharged responsibilities. Agencies should ensure appropriate records management policies have been communicated to staff. |
Central registers, such as those used to manage conflicts and gifts and benefits. |
Central registers are not kept, or are not updated in a timely manner. Without a central register to capture such information, agencies may not have the visibility they need to oversee whether their management of conflicts and/or gifts and benefits complies with requirements and internal policies. |
Agencies should ensure they have registers to capture staff disclosures in a way that complies with legislation and policies. Conflict of interest, gifts and benefits and other relevant policies should deal with the timeliness of how such registers are updated. |
Reporting deficiencies
Risk rating | New | Repeat |
High | 0 | 0 |
Moderate | 3 | 2 |
Low | 3 | 1 |
Common issue | Finding/implication | Lessons for agencies |
Reconciliations |
Key reconciliations were not prepared, or were not reviewed in a timely manner. Reconciliations of inter-agency balances were not performed. There were unconfirmed balances in reconciliations. |
Reconciliations should be prepared and reviewed as part of month-end processes. Policies and procedures should be observed and management should ensure this key control is performed. Inter-agency balances should be reconciled regularly. Reconciliation differences should be resolved in a timely manner. |
2.3 New and repeat findings
We assess trends in agency controls by measuring the number of internal control findings that emerged from our financial audits. We use three measures:
- number of findings
- number of new and repeat findings
- risk level of findings.
Our 2019–20 audits identified 396 internal control deficiencies, comprising:
- 226 financial control deficiencies
- 170 IT control deficiencies.
We reported these deficiencies to agency management and those responsible for governance at agencies, such as audit and risk committees and cluster secretaries. Our management letters outline each audit finding, assess its implications, rate the level of risk and make recommendations.
The number of internal control deficiencies has increased by 13 per cent from last year
The 13 per cent increase in internal control deficiencies is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. This follows an increase in internal control deficiencies of 12 per cent in 2018–19.
The number of financial control deficiencies has increased by 15 per cent from last year
The number of financial control deficiencies increased by 15 per cent from last year, following an increase of 25 per cent in 2018–19. We found financial control deficiencies at 85 per cent of agencies (85 per cent in 2018–19).
New financial control deficiencies increased by five per cent and repeat financial control deficiencies increased by 36 per cent from 2018–19. Deficiencies in internal controls increase the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.
The graph below shows the risk rating of reported financial control deficiencies for the past five years.
The number of IT control deficiencies has increased by 11 per cent from last year
The number of reported IT control deficiencies has increased by 11 per cent compared to last year, indicating that a significant number of the IT control deficiencies noted in 2018–19 and 2017–18 remain unresolved.
Many of the IT control deficiencies in 2018–19 related to unresolved IT control deficiencies from the previous year. In 2019–20 repeat findings increased by 13 per cent, from 69 in 2018–19 to 78 in 2019–20. Also, new IT control deficiencies have increased slightly from 83 in 2018–19 to 92 in 2019–20.
Good IT controls are an essential ingredient underpinning effective processes, policies and procedures for managing information systems, securing sensitive information, and ensuring the integrity of agency data. Poor IT controls increase risks to agencies, including unauthorised access, cyber security attacks, fraud, data manipulation, privacy breaches, non-compliance with laws and regulations and information theft. The longer a deficiency remains unaddressed, the greater the risk that the vulnerability will not only be exploited, but will be repeatedly exploited increasing the potential losses to the agency.
The graph below shows the risk rating of reported IT control deficiencies for the past five years.
As the digital footprint of agencies increases, they need to continue to focus their attention on these issues and prioritise the rectification of IT weaknesses.
Repeat control deficiencies increased by 24 per cent from 2018–19
The number of repeat internal control deficiencies we identified has increased by 24 per cent from 2018–19. As a percentage of all internal control deficiencies, unresolved deficiencies from prior years now represent 41 per cent of all the internal control deficiencies we identified.
The graph below shows a continued increase in both repeat financial and IT control deficiencies in the current year. There was an increase of:
- 36 per cent in the number of repeat financial control deficiencies, following a 69 per cent increase in repeat financial control deficiencies in 2018–19
- 13 per cent in IT control deficiencies, following a 138 per cent increase in 2018–19.
Vulnerabilities in internal control systems can be exploited by internal and external parties and pose a threat to agencies. The longer these vulnerabilities exist, the higher the risk that they will be exploited and the higher the expected losses. Agencies need to address these challenges by ensuring:
- there is clear ownership of recommendations arising from internal control deficiencies, with timeframes and actions plans for their implementation
- audit and risk committees and agency executive teams monitor the implementation status regularly focussing on those actions that are past due or have deferred implementation dates.
3. Information technology controls
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
3.1 IT general controls
IT governance
IT governance provides a structure to enable agencies to effectively manage and monitor their IT risks to ensure that associated activities are aligned to achieve their objectives to deliver services to the public.
Most agencies have implemented policies to manage their key IT systems
Ninety-seven per cent of agencies have established IT policies to ensure key IT processes and functions are appropriately managed. However, five per cent of these policies were not regularly reviewed. Regular review of IT policies ensures that the strategies and procedures agencies implement effectively manage the evolving IT risks affecting their IT environments. The implementation of IT policies ensures there are adequate processes in place for the ongoing management of existing and new IT risks affecting agencies.
Information security
Information technology is often at the core of how agencies deliver services in every sector. While IT can improve service delivery, the growing dependency on technology and rapid transformation to a digital society means agencies face an increasing number of risks if they do not adequately protect their IT systems from unauthorised access and misuse.
In the Report on Central Agencies 2019 we found the NSW Public Sector's cyber security resilience needed urgent attention. This was based on agencies' self-assessments against the Australian Cyber Security Centre’s Essential 8 cyber risk mitigation strategies. While our audits do not look at all aspects of how agencies have implemented the ‘Essential 8’, the findings below do highlight areas of information security that agencies need to strengthen to better align to the ‘Essential 8’ and the NSW Cyber Security Policy.
User access administration
User access administration over IT systems needs to be improved
All agencies have implemented formal processes for user access creation and modification to IT systems, yet the practical application of user access management requires further improvement. We found:
- 6 issues related to granting user access across 13 per cent of agencies
- 8 issues related to removing user access across 15 per cent of agencies
- 39 issues related to periodic reviews of user access across 43 per cent of agencies
- 32 issues related to users with inappropriate access across 35 per cent of agencies.
Examples of deficiencies included:
- periodic user access reviews were not performed to ensure access levels align with the user’s role
- regular reviews of dormant user accounts and default/generic accounts were not performed
- there was no process to periodically review third party user access, nor were the profiles promptly removed once they were no longer required
- weaknesses in processes to ensure timely changes to access levels to reflect changes to staff responsibilities and terminations
- access to new users and changes to user access levels had been granted without approval, or without evidence of approval
- processes had not been implemented to disable default/generic accounts.
Poor management of user access:
- exposes agencies to the risk of fraud
- compromises data integrity and confidentiality
- increases the risk of unauthorised and invalid transactions
- increases the risk of dormant user profiles, particularly high-level profiles, being used for cyber-attacks or other illegal activity.
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.
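The dormant-account, leaver, approval-evidence and third-party gaps listed above are mechanical checks once the system's user extract and the HR roster are placed side by side. The script below is an added example, not code from the report or from any NSW agency; the account names, dates, the 90-day dormancy threshold and the generic-name patterns are assumptions chosen for illustration. It rates findings on privileged accounts as high so that the accounts the NSW Cyber Security Policy singles out are at the top of the review.

```python
# Added example (not from the report): a user-access review over a constructed
# system extract and HR roster. All account names, dates and thresholds are
# assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_DATE = date(2020, 6, 30)        # assumed review point
DORMANT_AFTER_DAYS = 90                # assumed dormancy threshold
GENERIC_NAMES = ("admin", "guest", "test", "generic", "shared")  # assumed patterns


@dataclass
class Account:
    user_id: str
    owner: Optional[str]          # HR employee id; None for shared/third-party accounts
    account_type: str             # "staff", "third_party" or "default"
    privileged: bool
    enabled: bool
    last_login: Optional[date]
    approval_ref: Optional[str]   # ticket evidencing approval of the grant


@dataclass
class HrRecord:
    employee_id: str
    status: str                   # "active" or "terminated"
    end_date: Optional[date]


def review_access(accounts, hr_records):
    """Return one finding per control failure; privileged accounts rate 'high'."""
    hr = {h.employee_id: h for h in hr_records}
    findings = []

    def add(acct, issue, detail):
        findings.append({
            "user_id": acct.user_id,
            "issue": issue,
            "severity": "high" if acct.privileged else "moderate",
            "detail": detail,
        })

    for a in accounts:
        if not a.enabled:
            continue                      # disabled accounts are out of scope
        rec = hr.get(a.owner) if a.owner else None
        if rec is not None and rec.status == "terminated":
            lag = (REVIEW_DATE - rec.end_date).days
            add(a, "leaver_still_enabled", f"employment ended {lag} days ago")
        if a.last_login is None:
            add(a, "dormant", "never logged in")
        elif (REVIEW_DATE - a.last_login).days > DORMANT_AFTER_DAYS:
            add(a, "dormant", f"last login {(REVIEW_DATE - a.last_login).days} days ago")
        if a.account_type == "default" or any(p in a.user_id.lower() for p in GENERIC_NAMES):
            add(a, "default_or_generic_account", "should be disabled, or renamed and individually owned")
        if not a.approval_ref:
            add(a, "no_approval_evidence", "grant cannot be traced to an approved request")
        if a.account_type == "third_party" and a.owner is None:
            add(a, "third_party_without_sponsor", "no internal owner to attest continued need")

    # Privileged findings first so reviewers see the highest-risk items at the top.
    findings.sort(key=lambda f: (f["severity"] != "high", f["user_id"], f["issue"]))
    return findings


def summarise(findings):
    """Count findings by issue type, the figure a management letter would quote."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample data (not real agency accounts).
SAMPLE_ACCOUNTS = [
    Account("jsmith", "E100", "staff", False, True, date(2020, 6, 29), "REQ-2041"),
    Account("kwong", "E200", "staff", False, True, date(2020, 4, 28), "REQ-1877"),
    Account("admin", None, "default", True, True, None, None),
    Account("vendor_svc", None, "third_party", True, True, date(2020, 1, 15), "CHG-0042"),
    Account("old_user", "E300", "staff", True, False, date(2018, 3, 2), None),
]
SAMPLE_HR = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "terminated", date(2020, 5, 1)),
    HrRecord("E300", "terminated", date(2018, 3, 1)),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR):
        print(f"{f['severity']:8} {f['user_id']:12} {f['issue']:28} {f['detail']}")
    print(summarise(review_access(SAMPLE_ACCOUNTS, SAMPLE_HR)))
```

On the sample data the leaver check reports the 60-day lag between the HR end date and the review, which is the figure an auditor uses to test how promptly access is removed; the same extract fed in monthly turns the periodic review the report asks for into a repeatable control rather than a one-off exercise.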
Privileged access
Monitoring of privileged user accounts needs to be strengthened
Agency staff often have access to sensitive data. If that access is not properly controlled and monitored it can increase the risk of inappropriate access or use of sensitive information for a fraudulent or improper purpose, or of an intentional or unintentional data leak. This is particularly true for those privileged users who are ‘trusted insiders’ such as employees, business partners, or third-party contractors.
Forty-three per cent of agencies do not periodically review the activities of privileged users to identify suspicious or unauthorised activities. Overall, this is an increase from 2019, where 35 per cent of agencies did not perform these reviews.
Examples of deficiencies included:
- system audit logs not enabled to track user account activities
- no process to periodically review privileged user activities where system audit logs are enabled and maintained
- limited segregation of duties of staff with privileged IT user profiles from business operational responsibilities.
The absence of periodic reviews of privileged user accounts increases the risk that these accounts can be misused to:
- commit fraud
- access and extract confidential information for improper purposes
- access files, install and run programs, and change configuration settings
- maliciously or accidentally delete or distribute information.
Poor management of privileged access may also lead to breaches of Section 3.6 of the Government Sector Finance Act 2018 and the NSW Cyber Security Policy. This policy requires agencies to have appropriate security screening of users with privileged access rights, and remove access when it is no longer required, or when employment is terminated. Agencies should review the number of privileged users and the access granted to privileged users.
Agencies should assess and document the risks associated with their activities. Based on this review agencies should:
- grant and restrict privileged user access to only staff that require that level of access to perform their role
- identify controls to address the risks associated with privileged user activity, including regular monitoring of activity logs
- promptly remove access when it is no longer required.
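Log review only works if the logs exist and someone reads them. The script below is an added example, not from the report, that parses constructed privileged-activity events in an assumed key=value format and applies the tests the findings above imply: privileged changes with no change ticket, privileged changes outside an assumed business-hours window, and privileged actions by accounts whose assumed HR role is a business role rather than IT (the segregation-of-duties deficiency). It also flags in-scope hosts that produced no events at all, which is usually the symptom of audit logging being disabled. Hosts, accounts, roles, actions and the log format are all assumptions.

```python
# Added example (not from the report): a periodic review of privileged-user activity
# over constructed log lines. Log format, hosts, accounts, roles and rules are assumptions.
import re
from datetime import datetime

# Assumed log format: ISO-8601 UTC timestamp, then space-separated key=value fields,
# with "-" meaning "no value".
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
HIGH_RISK_ACTIONS = {"ALTER_USER", "GRANT_ROLE", "CHANGE_CONFIG", "EXPORT_TABLE", "INSTALL"}
BUSINESS_HOURS = range(7, 19)                          # assumed change window, 07:00-18:59 UTC
IN_SCOPE_HOSTS = {"erp-app01", "erp-db01", "hr-db01"}  # assumed systems that must log
ROLE_OF = {"dba_admin": "IT", "fin_mgr": "Finance", "j.smith": "Finance"}  # assumed HR roles


def parse_line(line):
    """Turn one log line into a dict; '-' values become None. Returns None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")}
    for field in m.group(2).split():
        key, _, value = field.partition("=")
        event[key] = None if value == "-" else value
    return event


def review_privileged_activity(lines):
    """Return (issue, reference) pairs for a reviewer to follow up."""
    findings = []
    seen_hosts = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        seen_hosts.add(ev["host"])
        if ev["action"] not in HIGH_RISK_ACTIONS:
            continue                                     # routine events are not reviewed here
        ref = f"{ev['ts'].isoformat()} {ev['user']} {ev['action']} {ev['target']}"
        if ev.get("ticket") is None:
            findings.append(("unticketed_privileged_change", ref))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("out_of_hours_privileged_change", ref))
        # Accounts not mapped to an IT role (including unknown accounts) are treated as
        # business users and flagged: privileged IT activity should not sit with them.
        if ROLE_OF.get(ev["user"]) != "IT":
            findings.append(("segregation_of_duties", ref))
    # Silence from an in-scope host is itself a finding: logging may be off or not forwarded.
    for host in sorted(IN_SCOPE_HOSTS - seen_hosts):
        findings.append(("no_audit_events", f"{host}: confirm audit logging is enabled and forwarded"))
    return findings


# Constructed sample log (not real agency data).
SAMPLE_LOG = """\
2020-06-12T09:14:07Z host=erp-app01 user=dba_admin action=GRANT_ROLE target=j.smith ticket=CHG-1187
2020-06-12T02:41:33Z host=erp-db01 user=dba_admin action=ALTER_USER target=finance_app ticket=-
2020-06-13T10:05:12Z host=erp-app01 user=fin_mgr action=CHANGE_CONFIG target=payment_limits ticket=CHG-1190
2020-06-13T10:06:00Z host=erp-app01 user=j.smith action=LOGIN target=- ticket=-
2020-06-14T11:00:00Z host=erp-db01 user=dba_admin action=EXPORT_TABLE target=employee_bank_details ticket=-
""".splitlines()

if __name__ == "__main__":
    for issue, ref in review_privileged_activity(SAMPLE_LOG):
        print(f"{issue:32} {ref}")
```

The unticketed export of a table of bank details is the case the report's "access and extract confidential information" risk describes; tying every high-risk action back to a change or service ticket is what lets a reviewer clear the legitimate ones quickly and spend time on the rest.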
Password controls
Management of password controls can be improved
Twenty-five per cent of agencies either did not comply with their own policy on password parameters, or did not enforce the minimum expected standard. This is an increase of five percentage points from 2019. The deficiencies identified were related to:
- passwords not meeting minimum password lengths
- passwords not meeting complexity requirements
- not enforcing limits on the number of failed login attempts
- not enforcing controls for password history (i.e. the number of passwords remembered and restricting the recycling of recently used passwords)
- minimum and maximum password age not applied (i.e. users are not prompted to change passwords periodically)
- no internal formalised password policy or enforcement of the requirements.
Our audits also identified default and generic passwords in use at agencies. Weak passwords increase the risk of unauthorised use of, and changes to, financial information. Weaknesses were identified across agency IT applications, databases and database servers.
Agencies should review IT password settings to ensure that they comply with minimum standards and the requirements of their password policies.
Program changes
Approval of changes to IT programs prior to implementation can be strengthened
All agencies have established IT change management policies to ensure changes to IT programs and related infrastructure components are appropriately authorised, performed and tested prior to implementation. We found deficiencies in IT program change controls at 25 per cent of agencies, a five percentage point increase from 2018–19. These deficiencies related to:
- inappropriate segregation of duties over developing and releasing IT program changes to the production environment
- inability to provide evidence for approval of IT program changes
- other issues, such as retaining evidence of approval provided to the service provider prior to releasing changes to production.
Weak program change controls expose agencies to the risk of:
- unauthorised and/or inaccurate changes to systems or programs
- issues with data accuracy and integrity
- inappropriately accepting releases that come with upgrades.
Agencies should consistently perform user acceptance testing before system upgrades and program changes are deployed. Changes should not be made without appropriate approval and documentation to support the approval.
Computer operations
Management of computer operations is essential to an agency's IT environment as it ensures agencies have implemented appropriate policies and procedures to manage potential disasters and critical system failures. This includes developing business continuity plans and disaster recovery plans.
Findings from our detailed review of agency disaster recovery and business continuity processes are outlined in section 4.
4. Business continuity and disaster recovery planning
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
4.1 Background
Agencies deliver a diverse range of essential services to the public. Ongoing delivery of these services is critical to the social and economic outcomes of the State. Agencies also often perform other key functions, that while not critical, are important.
Business continuity management helps agencies respond to and manage business disruptions, maintain or restore critical services and return to business as usual with minimal impact to service delivery. ICT disaster recovery planning forms part of an agency's business continuity management, focussing on the recovery and restoration of information and communications technology (ICT) systems that are critical to an agency maintaining business continuity. Business continuity and disaster recovery planning arrangements contribute to the resilience of an agency.
The recent emergency situations have highlighted the need for agencies to have business continuity and disaster recovery arrangements in place so that they can effectively respond to these situations with minimal disruption.
There is no specific NSW Government direction that requires agencies to maintain business continuity and disaster recovery planning arrangements
NSW Treasury Policy TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector' requires agencies to maintain a risk management framework. The 'NSW Cyber Security Policy' requires agencies to maintain an approved cyber security plan, integrated with business continuity arrangements. However, there are no specific requirements or minimum standards agencies must adhere to with regards to their business continuity and disaster recovery planning arrangements.
As a result, our review considers how well agencies' business continuity and disaster recovery planning arrangements align to aspects of:
- ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements; and
- ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.
In particular, we have focused on whether agencies have:
- implemented and maintained up-to-date business continuity and disaster recovery plans
- performed comprehensive risk assessments and business impact analysis
- regularly tested their business continuity and disaster recovery plans
- implemented processes to monitor and evaluate the performance of their business continuity and disaster recovery plans.
The review focussed on the state of agency business continuity and disaster recovery planning arrangements prior to the outbreak of COVID-19 in Australia. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.
4.2 Policy framework
Business continuity policies have been developed
For the period 1 January 2019 to 31 December 2019, 88 per cent of agencies had developed a business continuity policy, but 18 per cent were past their scheduled review date. Business continuity policies generally include key requirements of the business continuity framework, such as the development of business continuity plans for critical business functions, performance of business impact analysis and establishment of roles and responsibilities. In addition, we found 21 per cent of agencies do not define a critical business function for the purpose of requiring a business impact assessment to be performed.
There is an opportunity for agencies to review and ensure their key resilience frameworks are aligned, so that business impacts, roles and responsibilities and recovery times are clear to stakeholders and consistent.
4.3 Assessing risks to business continuity
A key step of the business continuity management framework is to perform and document a business impact analysis (BIA). The BIA helps agencies identify critical business functions that support an agency's business objectives, including target recovery times and resource dependencies for each critical business function. The BIA should be supported by a comprehensive risk assessment to identify critical business functions.
Not all agencies have prepared a business impact analysis
Twenty-three per cent of agencies had not conducted a BIA to identify critical business functions and determine their business continuity priorities at 31 December 2019. In addition, of the agencies that had conducted a business impact analysis, 20 per cent are only performing this on an ad-hoc basis or when there is a significant change in operations, rather than at planned intervals. In particular, one agency last conducted a business impact analysis in October 2014.
We also found agencies can improve the content of their BIA. Some agencies did not include key elements that we would expect to see in a BIA, as detailed in the table below.
Elements of a business impact analysis | Percentage of agencies that did not include in BIA (%) |
Business processes and functions deemed critical to the agency (inclusive of locations and scope of services) | 3 |
Key IT systems used to support critical business processes and functions | 6 |
Dependencies and interdependencies within critical business processes | 6 |
Impact over time resulting from the disruption of these critical business processes | 13 |
Maximum tolerable period of disruption (i.e. the time frame within which the impacts of not resuming activities would be unacceptable) | 3 |
Recovery time objective (i.e. prioritised time frames for resuming disrupted activities at a specified minimum acceptable capacity) | 10 |
Without an up-to-date and comprehensive BIA there is a risk that agencies will not be able to restore critical business functions within an acceptable timeframe. Agencies may also not know what to do in the event of a disruption if key systems and dependencies and interdependencies have not been identified, further elevating the risk that critical business functions will not be restored within an acceptable timeframe.
We are currently conducting a review on agency compliance with the 'NSW Cyber Security Policy'. This will examine, amongst other things, whether agency cyber security plans are linked to their business continuity arrangements. This review may identify further threats, risks and vulnerabilities associated with agency BIAs.
Disaster recovery plans not always prepared for IT systems that support critical business functions
We found only 81 per cent of agencies had a disaster recovery plan in place for all IT systems and infrastructure identified in the business impact analysis at 31 December 2019, meaning the remaining agencies had no plan to recover some key IT systems and infrastructure that support critical agency functions.
As noted above, 23 per cent of agencies have not conducted a BIA; for these agencies, we could not determine whether they had disaster recovery plans in place for all key IT systems.
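The two gaps above (functions whose dependencies have no DR plan, and agencies that cannot tell because there is no BIA) are the kind of cross-check a BIA makes possible once it is held in a structured form. The script below is an added example, not from the report: it walks the dependency chain of each critical function, including transitive and circular dependencies, and flags systems with no DR plan, plans whose recovery time cannot meet the function's RTO, RTOs that exceed the MTPD, and plans not exercised within an assumed 12-month interval. All functions, systems, times and dates are constructed.

```python
# Added example (not from the report): cross-checking a constructed BIA against the
# disaster recovery plans that exist for the systems it depends on. All functions,
# systems, recovery times and test dates are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2020, 6, 30)          # assumed review date
TEST_INTERVAL_DAYS = 365           # assumed: DR plans should be exercised at least annually


@dataclass
class CriticalFunction:
    name: str
    mtpd_hours: int                # maximum tolerable period of disruption
    rto_hours: int                 # recovery time objective
    systems: List[str]             # IT systems the function directly depends on


@dataclass
class DrPlan:
    system: str
    recovery_hours: int            # demonstrated or estimated recovery time
    last_tested: Optional[date]


def dependency_closure(system: str, deps: Dict[str, List[str]]):
    """All systems reachable from `system`, including itself; tolerates cycles."""
    seen, stack = set(), [system]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(deps.get(s, []))
    return seen


def check_bia(functions, deps, plans):
    """Return (issue, subject, detail) triples for every gap between BIA and DR plans."""
    plan_by_system = {p.system: p for p in plans}
    findings = []
    for f in functions:
        if f.rto_hours > f.mtpd_hours:
            findings.append(("rto_exceeds_mtpd", f.name,
                             f"RTO {f.rto_hours}h > MTPD {f.mtpd_hours}h"))
        needed = set()
        for s in f.systems:
            needed |= dependency_closure(s, deps)     # pull in interdependencies
        for s in sorted(needed):
            plan = plan_by_system.get(s)
            if plan is None:
                findings.append(("no_dr_plan", f.name, f"{s} has no disaster recovery plan"))
            elif plan.recovery_hours > f.rto_hours:
                findings.append(("plan_cannot_meet_rto", f.name,
                                 f"{s} recovers in {plan.recovery_hours}h, RTO is {f.rto_hours}h"))
    for p in plans:                                    # reported once per plan, not per function
        if p.last_tested is None or (AS_OF - p.last_tested).days > TEST_INTERVAL_DAYS:
            findings.append(("dr_plan_not_tested", p.system, "no test within the last year"))
    return findings


# Constructed sample BIA (not a real agency's).
SAMPLE_FUNCTIONS = [
    CriticalFunction("Payroll", mtpd_hours=120, rto_hours=48, systems=["hr_app"]),
    CriticalFunction("GrantsPortal", mtpd_hours=72, rto_hours=96, systems=["portal_web"]),
]
SAMPLE_DEPS = {
    "hr_app": ["hr_db", "identity"],
    "portal_web": ["portal_db", "identity"],
    "portal_db": ["storage"],
    "identity": ["storage"],
    "storage": ["identity"],          # deliberate cycle to show the closure terminates
}
SAMPLE_PLANS = [
    DrPlan("hr_app", 24, date(2020, 3, 10)),
    DrPlan("hr_db", 24, date(2019, 2, 20)),
    DrPlan("identity", 12, date(2020, 1, 20)),
    DrPlan("portal_web", 72, date(2020, 2, 5)),
    DrPlan("storage", 48, date(2020, 5, 12)),
]

if __name__ == "__main__":
    for issue, subject, detail in check_bia(SAMPLE_FUNCTIONS, SAMPLE_DEPS, SAMPLE_PLANS):
        print(f"{issue:22} {subject:14} {detail}")
```

The sample deliberately hides the uncovered system two hops away from the function that needs it (portal_web depends on portal_db, which has no plan), which is exactly the gap a BIA that lists only direct systems will miss; the RTO that exceeds the MTPD is the internal inconsistency the table of BIA elements above is designed to expose.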
Risks to business continuity should be re-assessed and updated
Agencies are required to maintain risk assessment processes and a risk management framework in accordance with NSW Treasury Policy TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'.
While the purpose of our review of agency business continuity and disaster recovery arrangements was not to review agency risk identification and assessment processes, we believe the recent emergency situations provide an opportunity for agencies to re-visit and update the nature, likelihood and consequence of risks impacting on business continuity and related risk treatments. For example, the COVID-19 pandemic has highlighted several new risks that agencies may not have previously captured in their risk registers or BIA, such as:
- concentration risks associated with being dependent on certain suppliers
- additional technology risks (e.g. ability to support a workforce working from home)
- additional cyber risks
- additional risks related to the delivery of key services, particularly where the agency has a citizen facing role e.g. unable to open branches or provide face to face support etc.
The table below outlines some common business continuity risks reviewed during the period 1 January 2019 to 31 December 2019 and the proportion of agencies that had identified the risk and had a plan to mitigate it.
Risk | Percentage of agencies (%) |
Natural disasters (e.g. floods, storms, bushfires and drought) | 78 |
Health pandemic | 44 |
Legal (e.g. insurance issues, contractual breaches, non-compliance with laws and regulations) | 75 |
IT failure (hardware and software), and cyber attack (malware, virus, spams, scams and phishing etc.) | 92 |
Security (e.g. theft, fraud, online security and fraud) | 92 |
Supply chain breakdowns (such as issues within their business or industry resulting in failure or interruptions to the services delivered) | 72 |
Utilities and services (such as failures or interruptions to the delivery of power, water, transport and telecommunications) | 78 |
4.4 Business continuity and disaster recovery planning
Business continuity and disaster recovery plans should be prepared for critical business functions and key IT systems and infrastructure identified as part of the BIA process. Business continuity plans provide guidance and information to help teams to respond to a disruption and to assist an agency with response and recovery. A disaster recovery plan helps agencies maintain IT services in the event of an interruption, or restore IT systems and infrastructure in the event of a disaster or similar scenario.
Most agencies have developed business continuity and disaster recovery plans, but deficiencies in the BIA may impact their effectiveness
Eighty-eight per cent of agencies had developed business continuity plans and 81 per cent of agencies had developed disaster recovery plans for some or all of their critical IT systems and infrastructure during the period 1 January 2019 to 31 December 2019. However, there is a risk that agencies either do not have plans in place for all key business functions or IT systems and infrastructure, or do not have effective plans in place because the BIA has not captured key elements, as noted above.
We also considered how comprehensive business continuity and disaster recovery plans are. Comprehensive plans are important because they are the key document that will guide staff in the event of an interruption, disaster or crisis. They also specify key governance arrangements and reporting requirements in the event it is invoked.
The results are detailed in the tables below.
Business continuity plan elements | Percentage of agencies without the key element in their plan (%) |
Purpose, scope and objectives | 8 |
Roles and responsibilities | 3 |
Actions the business continuity team (or equivalent) will take to continue or to recover critical business activities within predetermined time frames, monitor the impact of the disruption and the agency’s response to it | 8 |
Actions to continue or to recover all critical business functions | 12 |
Resource requirements | 11 |
Activation criteria to allow the business continuity team (or equivalent) to determine which situations warrant the invocation of the plan | 11 |
Details to manage immediate consequences of disruption giving due regard to: | 22 |
Reporting requirements (e.g. who to report to and by when) | 11 |
Documented processes to stand down the plan and to restore and return business activities from temporary measures implemented to ‘business as usual’ | 20 |
Requirement to perform a post incident review | 23 |
Disaster recovery plan elements | Percentage of agencies without the key element in their plan (%) |
Purpose, scope and objectives | -- |
Roles and responsibilities | 3 |
Specific technology and process that will support alternative arrangements until the IT system is recovered | 9 |
Resource requirements | 11 |
Activation criteria to allow the disaster recovery team (or equivalent) to determine which situations warrant the invocation of the plan | 6 |
References key material to guide the disaster recovery team | 14 |
Reporting requirements (e.g. who to report to and by when) | 26 |
Most agencies provide additional supporting material to help staff in the event of the business continuity plan being invoked
At 31 December 2019, 99 per cent of agencies had developed some supporting materials to help key staff involved in managing business continuity apply the business continuity plan in the event it is invoked. This helps staff understand their role and responsibilities and implement the key requirements of the business continuity plan, particularly when faced with the pressure of an emergency situation or other interruption.
Guidance material | Percentage of agencies that provide the guidance material (%) |
Procedural checklists | 89 |
Summaries of the business continuity plan (such as a 'plan on a page') | 67 |
Duty/role cards for key officers involved in business continuity management | 75 |
Contact details of key staff | 94 |
Agencies should consider whether the current level of support and guidance provided to staff involved in managing business continuity is sufficient. Scenario testing and post incident reviews provide a useful source in understanding whether this is the case, which we explore further below.
4.5 Responding to disruptions
Actual incidents or events provide an important feedback loop on the effectiveness of current business continuity and disaster recovery arrangements. It is therefore important that agencies record incidents that led to the activation (or not) of the business continuity or disaster recovery plan. Agencies should perform post incident reviews to identify what went well and what can be improved and report the outcomes of these reviews to those charged with governance.
Agencies are not always capturing, assessing and reporting disruptive incidents
We found that an incident log of events that led to activation of the business continuity and disaster recovery plans was maintained by only 40 per cent and 63 per cent of agencies respectively for the period 1 January 2019 to 31 December 2019.
The absence of a log or register to record incidents where agency personnel or business units considered activating the business continuity or disaster recovery plans makes it difficult for those charged with governance to determine whether the actions taken in relation to the incident were appropriate. A log or register of incidents also enables agencies to assess trends and determine the consistency of responses, as well as enable them to maintain a complete trail of incidents (and associated records) in the event that key staff leave the agency and that knowledge is lost.
Incident logs | Business continuity arrangements | Disaster recovery arrangements |
Incident log maintained where plan has been activated (percentage (%) of agencies) | 40 | 63 |
Incident log captures events or disruptions where the relevant team has determined not to activate the plan (percentage (%) of agencies) | 69* | 70* |
Source: Audit Office analysis.
Our findings from a review of a sample of incidents recorded in the period 1 January 2019 to 31 December 2019 are detailed in the table below.
| Business continuity arrangements | Disaster recovery arrangements |
Post incident review performed (percentage (%) of agencies) | 89* | 95 |
Outcomes reported to relevant governance committee or executive management committee (percentage (%) of agencies) | 82* | 86* |
Source: Audit Office analysis.
Without performing a post incident review, agencies may not adequately capture lessons learnt from the incident, and importantly, will not continuously improve the suitability, adequacy and effectiveness of business continuity and disaster recovery arrangements. Reporting to those charged with governance is also an essential accountability mechanism that helps to ensure agency responses to incidents are consistent and appropriate.
The exhibit below provides examples of the nature of business continuity and disaster recovery incidents recorded in agency incident registers.
Exhibit 1: Examples of business continuity and disaster recovery incidents
Our review of agency incident logs identified the following business continuity and disaster recovery incidents. Business continuity incidents:
Disaster recovery incidents: |
The recent emergencies provide an opportunity for agencies to update and refine their business continuity, disaster recovery or other business resilience frameworks
Agencies should ensure that they assess their response to the recent emergencies and update their business continuity, disaster recovery or other business resilience frameworks to reflect the lessons learnt from these events. This should capture, but is not limited to:
- misalignment of business resilience frameworks and key indicators
- identification of previously unidentified risks and opportunities, and strategies to mitigate the risk or exploit the opportunity
- identification of procedural gaps in recovery, 'stand down' or other processes
- completeness of critical business functions, key IT systems, dependencies or inter-dependencies
- appropriateness of resources and roles and responsibilities and identifying any lack of clarity that may exist.
4.6 Scenario testing
Some agencies do not test their business continuity plans, or test them infrequently
We found 40 per cent of agencies had not conducted business continuity scenario testing exercises in the period from 1 January 2019 to 31 December 2019. This means they may not be well prepared to respond to business disruptions or incidents that arise.
We also found that agencies are not periodically testing their business continuity plans. For example, 68 per cent of agencies reported having tested their business continuity plans less than once per year on average over the period 1 January 2017 to 31 December 2019.
The table below shows how often agencies have tested their business continuity plans in the last three years from 1 January 2017 to 31 December 2019.
Number of times a business continuity scenario test was performed in the last three years | Number of agencies |
Three or more times | 13 |
Two times | 5 |
Once | 12 |
Nil | 10 |
Gaps in approaches to testing business continuity plans limit the effectiveness of scenario testing
Many agencies are reliant on other parties and service providers to support critical business functions or deliver critical services to the public. This includes other government agencies, private sector service providers and non-government organisations.
We previously noted that a key element of agency BIAs is the identification of dependencies and inter-dependencies that support critical business functions. However, our review of 22 business continuity testing scenarios performed before 31 December 2019 found that 61 per cent of agencies did not ask third parties (such as NGOs), other government agencies (such as the cluster lead agency) or service providers to participate in the scenario.
Where a key third party does not participate in the testing exercise, the effectiveness of scenario testing is limited because:
- no matter how well prepared the agency is, the third party may not be well prepared for a disruptive event should it arise, which may hinder the agency meeting its recovery time objectives
- roles and responsibilities, communication protocols and response and recovery procedures will not have been comprehensively tested to confirm the accuracy of the business continuity plan.
While we acknowledge some government-wide emergency and crisis management exercises have been performed, business continuity scenario testing at an agency level would benefit from greater involvement of key dependent and interdependent third parties that support or perform critical business functions for agencies.
We also found the effectiveness of business continuity testing exercises was limited because some agencies:
- did not test a high impact scenario they had identified in their business continuity plan (seven per cent)
- did not prepare formal post-exercise reports to document the outcome of the scenario testing (seven per cent) and of agencies that did, 12 per cent did not report the outcomes of testing to a relevant governance committee.
The exhibit below provides examples of the nature of the business continuity scenario testing exercises conducted by agencies between 1 January 2019 and 31 December 2019.
Exhibit 2: Examples of business continuity scenario testing exercises
Our review of business continuity scenario testing exercises performed by agencies identified the following examples of testing exercises being performed: |
Some agencies have not tested the effectiveness of their disaster recovery plans
IT systems and infrastructure are an important enabling resource associated with maintaining continuity of critical business functions. However, we found 43 per cent of agencies have not developed and tested their disaster recovery plans within the period from 1 January 2019 to 31 December 2019. Recovering IT systems is particularly problematic as they are often hosted by third parties, will inevitably involve some loss of data depending on the date and time data was last backed up, and if hosted in regional locations may function more slowly when service is restored.
Most agencies do not maintain a forward-looking business continuity testing plan, but many maintain forward looking disaster recovery testing plans
Seventy-one per cent of agencies do not maintain a forward-looking business continuity testing plan for high impact scenarios identified in their BIA.
A forward-looking plan to test all high impact scenarios provides assurance to those charged with governance that testing will occur within an appropriate timeframe. Testing increases the chance that, should a high impact event occur, the agency will be able to effectively resume the critical business function within an acceptable timeframe.
| Business continuity arrangements (%) | Disaster recovery arrangements (%) |
Agencies that do not maintain a forward-looking scenario testing plan | 29 | 76 |
4.7 Management review and oversight
The model audit and risk committee charter in TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector' requires agency audit and risk committees to 'review whether a sound and effective approach has been followed in establishing the agency’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically'.
Most agencies report business continuity and disaster recovery planning arrangements to their audit and risk committees, but testing outcomes are not as widely reported
Most agencies require senior management to review the key inputs of the business continuity management and disaster recovery systems at planned intervals. However, reporting to those charged with governance could be more comprehensive, as detailed in the table below.
| Business continuity arrangements (%) | Disaster recovery arrangements (%) |
Senior management review the key inputs of the plan at planned intervals to ensure its continuing suitability, adequacy and effectiveness | 86 | 86 |
The outcomes of the management review are reported to the audit and risk committee | 67* | 62* |
Reporting to the audit and risk committee includes: | | |
| 61** | na |
| 64** | na |
| 64** | na |
| 57** | na |
Our review of a sample of agency business continuity and disaster recovery testing exercises conducted during the period 1 January 2019 to 31 December 2019 found agencies are not always reporting the outcomes of these exercises to their audit and risk committees. We found that while:
- 82 per cent reported the outcomes of the business continuity scenario testing exercise conducted to an agency head, executive management committee or similar, only 18 per cent of agencies reported the outcomes to their audit and risk committee
- 86 per cent reported the outcomes of disaster recovery plan testing to an agency head, executive management committee or similar, only five per cent of agencies reported the outcomes of the test to their audit and risk committee.
Audit and risk committees should be briefed on the results of scenario testing exercises to discharge their responsibilities to review whether sound and effective business continuity and disaster recovery arrangements have been established and adequately address identified risks.
A review of the agency's disaster recovery and business continuity management systems should be included on the internal audit function's forward plan
A review of the effectiveness of agency business continuity management systems and disaster recovery plan was included in the internal audit plan of only 56 and 58 per cent of agencies, respectively. Internal audit reviews of these plans would provide agencies and their governing bodies assurance that there is clarity in processes, alignment of arrangements to address risks, and an optimum level of preparedness.
5. Procurement
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency procurement policies and procurement activity.
Section highlights
We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the ability of procurement business units to monitor contract end dates and contract extensions and to commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
5.1 Background
The NSW Procurement Board issues policies and directions for procurement under the Public Works and Procurement Act 1912 (PWP Act). The PWP Act provides the legislative framework for procurement for NSW Government agencies. The PWP Act and the NSW Procurement Board’s policies and directions apply to all government agencies except for state-owned corporations.
Procurement of goods and services is a critical activity to enable NSW Public Sector agencies to effectively deliver services to the public. The Total State Sector Accounts for the year ended 30 June 2020 provides an overview of spend on goods and services by NSW Public Sector agencies, including:
- $2.2 billion on contractors
- $155 million on consultants
- $16.9 billion on supplies, services and other services.
NSW Procurement has established an accreditation program for goods and services procurement
The Accreditation Program for Goods & Services Procurement (the Program) establishes minimum standards for agency procurement as a basis for improving procurement outcomes delivered across NSW Government. It is governed by the NSW Procurement Board and NSW Procurement administers the Program on its behalf. Agencies can attain one of two accreditation levels and each level has specific minimum requirements for accreditation and a different authority to procure.
Accredited agencies have the authority to enter into any procurement arrangement consistent with its terms of accreditation, but exemptions for agencies may exist under some Procurement Board Directions, as identified in the NSW Government Procurement Policy Framework.
The table below sets out the accreditation status of agencies in the scope of this report.
Level of accreditation | Number of agencies* |
Unaccredited* | 21 |
Level 1 | 6 |
Level 2 (highest level of accreditation) | 5 |
We consider aspects of agency compliance with their accreditation status and the Enforceable Procurement Provisions later in this chapter.
5.2 Policy Framework
The NSW Procurement Policy Framework (the Framework) issued by NSW Procurement outlines the Procurement Board’s requirements as they apply to each step of the procurement process. The Framework is a policy under the PWP Act and agencies must comply with the mandatory requirements outlined in the Framework.
Recommendation
Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
All agencies have procurement policies, but some are past their scheduled revision date
All agencies have established policies and guidance to support procurement activity and manage procurement risks. However, 17 per cent of agencies have not reviewed their procurement policies by the scheduled date. On-going review and revision of procurement policies are important to ensure they reflect best practice and incorporate current NSW Procurement Board Directions on a timely basis.
Deficiencies in agency policies may be contributing to non-compliance with the Framework
Most agencies within the scope of this report are required to comply with the PWP Act and various NSW Procurement Board Directions (the Directions). These Directions can relate to broader aspects of procurement, such as appropriate supplier conduct, or to narrower procurement activity, such as construction, professional services or telecommunications procurement.
The Directions are extensive, and agencies must have procurement policies that adequately capture the requirements of the Directions to support their compliance obligations and achieve the best outcomes from their procurement activity.
The table below details how well agencies’ procurement policies capture certain aspects of the Directions. Later in this chapter we highlight areas where agencies are not fully compliant with the Directions. It is likely gaps in agency procurement policies are contributing to these deficiencies.
NSW Government Procurement Policy Framework requirement | Percentage of agencies (%) |
Use the Whole of Government Scheme or contract to buy the goods or services needed | 97 |
Procurements above $650,000 must be open to market unless the goods and services are exempt or procured through an existing Whole of Government Scheme or contract^ | 67 |
The procurement must be hedged if it is above $500,000 and involves paying a supplier in a foreign currency | 36 |
The Agency Head or Cluster CFO must authorise the engagement of consultants where the proposal is not compliant with, or the supplier has not accepted the standard commercial framework | 69 |
Any supplier can be used to purchase goods and services valued up to $10,000, but the rates must be reasonable and consistent with normal market rates | 83 |
A purchase valued up to $250,000 can be made from a Small Business or an Aboriginal supplier | 78 |
Purchasing exemptions applicable under the International Procurement Agreements (includes health and welfare services, education services and state motor vehicles) | 52 |
The procurement documentation required under a request for tender sourcing arrangement is specified | 88 |
Orders must not be split to avoid procurement threshold levels and/or government requirements | 89 |
Source: Audit Office analysis.
We have previously highlighted challenges for agencies complying with the directions in a compliance review conducted in September 2018.
Exhibit 3: Previous Audit Office Report on Procurement and Reporting of Consultancy Services (published September 2018)
The report examined how 12 agencies complied with their procurement and reporting obligations for consultancy services between 1 July 2016 and 31 March 2018 and also examined how NSW Procurement supports the functions of the NSW Procurement Board. The report found no participating agency materially complied with procurement requirements when engaging consultancy services and that the NSW Procurement Board is not fully effective in overseeing and supporting agencies' procurement of consultancy services. Agencies were not fully complying with the requirements in part due to the major advisory suppliers not consistently providing all the necessary information and agencies also reported the requirements were hard to understand, time consuming to apply and difficult to comply with. |
Agency policies are not always consistent with their accreditation status, and do not address risks associated with high risk procurement, such as direct negotiations
We found agency procurement policies do not contain the level of detail that would ensure they comply with their accreditation program status. For example:
- 55 per cent of the unaccredited agencies’ procurement policies do not specify that certain procurement activities for goods and services valued at $650,000 or higher require approval by a level 2 accredited agency in the cluster or NSW Procurement
- 21 per cent of agencies that have level 1 accreditation program status did not specify in their procurement policies that a level 2 accredited agency or the NSW Procurement Board must concur before a procurement activity is commenced if the following risk and value thresholds are exceeded:
Risk profile | Procurement value |
Low risk | <$50 million |
Medium risk | <$35 million |
High risk | <$25 million |
Concurrence from level 2 accredited agencies or NSW Procurement helps to ensure procurement risks are being appropriately managed and deliver a value for money outcome.
Agency procurement policies did not always provide clear guidance to staff about managing the risks associated with direct negotiations and conflicts of interest. Direct negotiations are exclusive dealings between an agency and a supplier without going through a competitive process. The risk of corrupt conduct in the procurement process is increased and it may also be more difficult for an agency to demonstrate it has achieved value for money. The NSW Independent Commission Against Corruption has developed guidelines for agencies engaging in direct negotiations, which can be accessed here.
The table below outlines the gaps in procurement policies related to direct negotiation and managing conflicts of interest.
Procurement requirements | Percentage of agencies (%) |
Includes guidance on procurement activity involving direct negotiations | 88 |
Seek approval from the procurement business unit prior to proceeding with the direct negotiation | 95 |
For members of the committee to make written declarations of any known or perceived conflicts of interest in relation to the procurement process | 97 |
For members of the committee to provide a nil declaration where no conflict of interest exists | 70 |
5.3 Managing contracts
Most agencies maintain a central contract register, but many are incomplete risking non-compliance with GIPA legislation
All agencies are required to record all details of contracts above $150,000 in a central contract register. Eighty-eight per cent of agencies did so, but of these agencies, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies also did not periodically review their contract register.
The Government Information (Public Access) Act 2009 (the GIPA Act) aims to improve the transparency and integrity of the NSW public sector by requiring agencies to proactively publish information in relation to their contracts with the private sector. If an agency does not maintain a central contract register, it increases the risk of non-compliance with the GIPA Act. A centralised contract register can also enhance procurement and contract management outcomes because it:
- allows an agency’s central procurement team to monitor contract end dates, contract extensions and commence new procurement in a timely manner
- helps agencies manage their contractual commitments, budgeting and cash flow requirements.
We have previously identified concerns with the completeness and accuracy of contract registers maintained by agencies, and this remains an ongoing area of concern. The exhibit below details findings from a previous compliance review conducted in October 2016.
Exhibit 4: Previous Audit Office report on Agency compliance with the GIPA Act (published October 2016)
This report assessed whether 13 agencies were complying with Part 3 Division 5 of the Government Information (Public Access) Act 2009 (GIPA Act), relating to Government contracts with the private sector. All 13 agencies had published a Government contracts register, but there were instances where:
The report found that agencies do not have a common approach as to which business units is responsible for managing contract registers. Eight out of 13 agencies did not have their contracts register independently reviewed and only one agency reported to the audit and risk committee on the contract register. |
Some agency contracts that were renewed or extended during the year did not go through a competitive process, nor was a value for money assessment performed
While there can be valid and appropriate reasons to renew or extend a contract already executed with a supplier, it is important for the agency to demonstrate that the procurement continues to represent value for money. Poor monitoring of contract end dates can lead to contracts being renewed or extended simply to avoid service interruption, because the lead time required to plan a new procurement is no longer available and proper process cannot be followed. Maintaining a complete and accurate contract register and monitoring contract end dates is an important aspect of managing this risk.
We reviewed 32 contracts that were renewed or extended during 2019–20. Seventy-eight per cent of agencies performed a value for money assessment prior to renewing or extending the contract with their existing supplier. However, documentation of this assessment was not always robust. For example:
- 7 per cent of agencies did not assess or document supplier performance (including meeting customer expectations and performance against key performance indicators)
- 21 per cent of agencies did not consider procurement arrangements or activities currently in place or planned for the future
- 19 per cent of agencies did not perform an analysis of the current market to determine if opportunities for cost or process efficiencies were available.
Of the agency contracts examined, all were approved by an appropriate delegated authority. However, we noted one contract where the approval was obtained only for the value of the contract extension and not the total contract value.
A proper consideration of the commerciality of renewing or extending an existing contract helps address the risk that the procurement will not meet business needs or that agencies do not identify potential alternate suppliers who can deliver the good or service at lower cost and/or higher quality.
5.4 Training and support
Most agencies provide some training and support to staff on procurement activities
Ninety-three per cent of agencies provide training to staff involved in procurement activity, and a further 77 per cent of agencies provide this training on an on-going basis. Thirteen per cent of these agencies did not ensure their training emphasised personal accountability, probity and transparency in relation to procurement activity.
Of the seven per cent of agencies that had not provided training to staff we noted gaps in aspects of their procurement activity, including:
- not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
- not obtaining approval from a delegated authority to commence the procurement process
- procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.
On-going training and awareness programs allow agencies to communicate to all staff their responsibilities and obligations in relation to procurement activities which results in:
- effective performance management of vendors
- reduction in uncontrolled spend
- compliance with procurement guidelines and directions
- improvement in risk management processes undertaken.
5.5 Procurement activities
Most agencies have implemented procurement controls, but some unaccredited agencies did not have their procurements endorsed
We reviewed the implementation of certain procurement controls across 26 contracts valued above $650,000 that were executed in 2019–20. We noted:
- 10 per cent of agencies procured the goods or services under a whole-of-government contract or prequalification scheme and had obtained the minimum number of written quotes required
- 90 per cent of agencies procured the goods or services outside of a whole-of-government contract or prequalification scheme and had undertaken the open approach to market (OAM) with the minimum number of proposals obtained.
Forty-three per cent of unaccredited agencies did not have their procurement endorsed by an accredited agency within the cluster or by NSW Procurement, as required by the Framework. This is likely due to deficiencies in their current policies, as previously noted. We also noted other deficiencies in some processes across the 26 contracts reviewed, as detailed in the table below.
Activities for procurements above $650,000 | Percentage of agencies (%) |
Approval obtained to commence procurement activities | 97 |
Procurement plan developed and endorsed by the procurement business unit or equivalent | 97 |
Final approval obtained from the delegated authority for the contract value (exclusive of GST for the total estimated spend of the entire contract) | 97 |
Purchase order raised after the final approval was obtained and for the total value of the contract | 89 |
Purchase order approved by a delegated authority | 96 |
For an unaccredited agency, procurement endorsed by an accredited agency within the Cluster or by NSW Procurement | 57 |
Of the 26 contracts reviewed, a request for tender was issued for 21 of these contracts. The table below outlines some deficiencies in tender procurement documentation.
| Procurement documentation for tender sourcing arrangements | Percentage of agencies (%) |
|---|---|
| The nature, scope and quantity of the goods and services being procured, or if the quantity is not known, the estimated quantity | 100 |
| Requirements to be fulfilled including any technical specifications, conformity certification, etc | 100 |
| Conditions for participation including any financial guarantees | 93 |
| The evaluation criteria that will be used to assess submissions | 100 |
| Dates for the delivery of goods or supply of services | 100 |
Clear and complete tender documentation ensures that tender participants understand the agency’s requirements. Poor procurement documentation may result in:
- the product or service not being delivered as required
- offers from unsuitable suppliers or no offers because of a lack of clarity as to the agency's requirements
- additional time and resources required to issue addenda clarifying the specification to potential tenderers during the tender process
- multiple contract variations.
Evaluation committees were established for all the tenders noted above. Our review of documentation maintained by the evaluation committee found that:
- 93 per cent of agencies obtained conflicts of interest declarations from the evaluation committee members
- all agencies developed an evaluation plan
- all agencies prepared evaluation reports that outlined the results and recommendations for awarding tender
- 96 per cent of agencies had the final recommendations to award the contract approved and signed off by the appropriate delegated authority, and had obtained that approval from a delegated authority separate from the tender evaluation process or the tender process itself.
5.6 Emergency procurement
Agencies have undertaken emergency procurement activities
NSW Procurement released the ‘COVID-19 Emergency procurement procedure’ (the procedure) to allow agencies to expedite the procurement of critical goods and services during the COVID-19 pandemic. The procedure aimed to help agencies comply with clause 4 of the Public Works and Procurement Regulation 2019 (PWP Regulation), which allows the Head of the Agency or their nominee, in an emergency situation, to authorise procurements to a value sufficient to meet that particular emergency.
As at 30 June 2020, agencies in the scope of this report had reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. The procurement activity mainly related to:
- cleaning and hygiene supplies
- Information technology, phones and laptops to facilitate remote working and remote education
- engagement of consultants for crisis management planning
- site cleaning costs
- non-contact equipment such as soap and hand sanitiser dispensers, and thermometers
- medical supplies
- remote working office equipment.
Implementing processes to effectively manage the procurement of critical goods and services ensures agencies are able to balance the need to act without delay and deliver the goods or services against the need to maintain adequate levels of accountability.
Recommendation
Agency procurement frameworks should be reviewed and updated to respond to emergency situations that may arise in the future. This includes:
- updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
- using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
- having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.
Some agencies did not establish policies or guidance to clearly communicate emergency procurement processes
Fifty-one per cent of agencies have established policies, procedures or other guidelines for emergency procurement activities. Effective communication of emergency procurement processes is critical as it ensures staff remain accountable and agencies are able to:
- manage procurement spend as prices may be inflated during this period
- manage fraud, corruption and conflicts of interest risks
- prioritise procurement activities for immediate business needs
- avoid entering into contracts on unfavourable terms and conditions.
The table below shows the gaps in the agency policies, procedures and guidelines. There is an opportunity to build this into procurement policies going forward, so agencies are better prepared for emergency situations that may arise in the future.
| Key elements of the emergency procurement policy, procedures and guidelines | Percentage of agencies (%) |
|---|---|
| Defining an emergency situation as ‘an occurrence, a sudden or urgent occasion for actions’ | 67 |
| Conduct a case by case analysis of the proposed COVID-19 emergency procurement to assess that the procurement value is sufficient to meet the immediate needs of the emergency | 78 |
| Specify that all emergency procurement must be authorised by the Agency Head or nominated employee under Clause 4 of the PWP Regulation | 67 |
| Confirm that there are available funds and seek approval from the relevant financial delegate to commit or incur expenditure | 61 |
| Report every emergency procurement authorised under Clause 4 of the PWP Regulation to NSW Procurement as soon as possible | 61 |
| Having in place a process to manage real or perceived conflicts of interest | 78 |
Most agencies complied with the COVID-19 'Emergency procurement procedure'
Twenty-two agencies within the scope of this report had undertaken emergency procurement activities during 2019–20. Where there is an authorised emergency procurement under clause 4 of the PWP Regulation, the agency is exempt from complying with certain procurement requirements, including the requirement to achieve value for money and the principles of probity and fairness.
Although the agency does not have to undertake a value for money evaluation when undertaking emergency procurements, it still must use government resources efficiently, effectively, economically and in accordance with the law.
Ninety-six per cent of agencies had maintained a register to record decisions and authorisations associated with these activities. Sample testing of emergency procurement activity showed that most agencies also complied with key elements of the procedure and PWP Regulation, as noted below.
| Compliance with aspects of the COVID-19 Emergency Procurement guideline | Percentage of agencies (%) |
|---|---|
| Documenting the assessment of the need for the emergency procurement of the good and/or service | 95 |
| Authorisation of the emergency procurement by the agency head or the nominated employee under Clause 4 of the PWP Regulation | 86 |
| Reporting emergency procurement to the NSW Procurement Board | 76 |
| Including a defined contract period that does not exceed the agency’s need to respond to the emergency | 83 |
| Including clauses in the contract that allow the agency to cease procuring the good or services once the emergency ends (may include reasonable closure payments to suppliers if contracts are terminated early) | 91 |
In addition, we noted 67 per cent of agencies had used standard documentation to document the criteria used for selecting suppliers and the outcome of any comparative assessment or price assessment.
Complying with the procedure helps to ensure government resources are used efficiently, effectively, economically and in accordance with the law.
6. Delegations
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
6.1 Background
Delegations are fundamental to the operation of the NSW public sector and a cornerstone of good governance. Legislation appropriates money to Ministers and confers on them power to make decisions. Ministers may then delegate that power to another Minister, or to the officer of an authority in writing. Those delegation instruments may contain limitations within which the officer upon whom the delegation is conferred must operate. The Minister may also reserve certain decisions only to themselves. An officer cannot lawfully exercise power unless delegated to do so by the Minister responsible.
Legislative and machinery of government changes have meant delegation instruments required review and in many cases, updating. We found some delegation instruments had not been updated in years. Others could not be located. Some referred to repealed legislation or regulation, contained errors, had gaps, did not align with current funding arrangements, referred to positions that do not exist, or did not contemplate the need to sub-delegate power to a more appropriate party within cluster arrangements. Some agencies were unsure of their obligations, and incorrectly relied on their enabling legislation for authority.
The importance of delegations as a decision-making mechanism became apparent in the recent emergency situations, which required agencies to make clear and timely decisions. Clear, lawful delegations will also be necessary as agencies administer grant and stimulus programs and make investment decisions to aid in the recovery process.
In the NSW public sector, financial and human resources functions are predominately governed by the:
- Government Sector Finance Act 2018 - This act confers various functions on persons or entities. This act allows a Minister to delegate any of their delegable functions conferred to them under the act. Expenditure by accountable authorities and government officers must be authorised in accordance with a delegation, sub-delegation or under the authority of a law.
- Government Sector Employment Act 2013 - This act, along with the Government Sector Employment Regulation 2014 and the Government Sector Employment Rules 2014 form the legislative framework for the employment and administration of the NSW Government sector workforce. The framework encompasses various human resource functions, such as the recruitment, commencement, on-going employment and termination of staff.
Delegations help to ensure decisions are made by appropriately skilled and experienced staff and allow agencies to operate efficiently. But to be effective, delegations must be kept up-to-date, provide clear authority to decision makers and be widely communicated.
This chapter focuses on whether agencies have established valid and up-to-date delegations and whether, based on sample testing, they have complied with their financial and human resources delegations.
6.2 Instruments of delegation
On 1 July 2019, machinery of government changes became effective. These changes created and abolished entities, as well as transferring staff and functions between entities. Agencies impacted by machinery of government changes should have reviewed and updated their delegations to take into account the changes in functions, roles and responsibilities.
Provisions in the Government Sector Finance Act 2018 (GSF Act) relating to budget, appropriations and Special Deposit Accounts commenced on 1 July 2019, which meant agencies needed to consider whether:
- delegations allow it to spend money from each source of money it receives, e.g. deemed appropriations, annual appropriations, cluster grants, etc.
- there is an approval to enter into financial arrangements and any corresponding required delegations
- it is covered by transitional provisions
- the function can be delegated and subdelegated under the GSF Act
- the delegate / subdelegate is a permissible delegate under the GSF Act
- the agency can operate without certain delegations, for example an agency, by virtue of its enabling legislation with a working account within the Special Deposits Account may not require an expenditure delegation.
Recommendation
Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.
Agencies' instruments of delegation and delegation manuals had not been updated following legislative or administrative changes, or do not have set dates for regular review
All agencies have established financial delegations to ensure employees have clear guidance and instruction to exercise their authority appropriately and effectively. However, we found:
- 12 per cent of agencies have not reviewed their financial delegations by the scheduled date or have not set a scheduled review date
- of the 19 agencies impacted by machinery of government changes, 16 per cent had not updated their financial delegations to reflect the changes.
For these agencies, there is a risk that staff are inappropriately approving transactions, spending money unlawfully, or financially over-committing the agency. There is also a heightened risk that staff cannot respond in a timely manner to urgent situations, without the need to clarify their powers.
Some financial delegation manuals did not clearly capture certain financial transactions
We found that some agencies could improve the clarity of their financial delegation manuals, as set out in the tables below. Ensuring that financial delegations manuals capture all relevant functions and clearly reference the legislation that permits the delegation helps to ensure that staff have a clear understanding of their delegated power.
| Function | Percentage of agencies not including in the financial delegations' manual (%) |
|---|---|
| General expenditure with delegation of expenditure of money (as defined in GSF Act) for: | 2 |
| Write off bad debts | 16 |
| Write off capital assets (e.g. plant and equipment, intangible assets and cancelled work in progress) | 26 |
| Element | Percentage of agencies not including in the financial delegations' manual (%) |
|---|---|
| Section of the legislation that provides the authority, power or function to the responsible Minister, Agency Head or other relevant roles | 12 |
| Section of the legislation that permits the delegation | 12 |
| Limitation applying to the delegate (by nature of expenditure) | 2 |
| Delegate (described by position name) | -- |
| Power or function being delegated | -- |
| Limitation applying to the delegate (in dollars) | -- |
Agencies have established human resources delegations, but some did not revisit their delegation manuals following the machinery of government changes, or have not set dates to regularly review human resources delegations
Ninety-eight per cent of agencies have a delegation manual to effectively manage the administration of the human resources function, but seven per cent of these are not supported by an instrument of delegation, meaning staff may be making decisions without delegated power. We also found:
- 12 per cent of agencies have not reviewed their human resources delegations by the scheduled date or have not set a scheduled review date
- of the 19 agencies impacted by machinery of government changes, 16 per cent did not update their human resources delegations to reflect the changes.
For these agencies, there is a risk that staff are inappropriately making decisions associated with the administration of staff, such as hiring decisions, determining rates of pay, and termination decisions.
Some human resources delegation manuals did not clearly capture certain functions
We found that some agencies could improve the clarity of their human resources delegation manuals, as set out in the tables below.
| Function | Percentage of agencies not including in the financial delegations' manual (%) |
|---|---|
| Fill the vacant role | -- |
| Advertise the role vacancies internally and externally | 8 |
| Employment into a classification of work, and assignment to a role | -- |
| Commencement rates of pay | 8 |
| Salary increments | 5 |
| Higher duty allowance | 10 |
| Overtime | 15 |
| Acceptance of resignations | 5 |
| Element | Percentage of agencies not including in the financial delegations' manual (%) |
|---|---|
| Section of the legislation that provides the authority, power or function to the responsible Minister, Agency Head or other relevant roles | 13 |
| Section of the legislation that permits the delegation | 20 |
| Limitation applying to the delegate (by nature) | 5 |
| Delegate (described by position name) | -- |
| Power or function being delegated | -- |
6.3 Compliance with delegations
Recommendation
Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.
Instances of non-compliance with the Government Sector Finance Act 2018
Agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.
As previously noted in section 6.2, provisions in the Government Sector Finance Act 2018 relating to appropriations commenced on 1 July 2019. Agencies need to ensure that, when new legislation commences or is amended, they adequately assess the impact on their operations and instruments of delegation.
Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.
Instances of non-compliance with human resources delegations identified
We reviewed compliance against agency human resources delegations for a sample of new employees. We found not all agencies are complying with their human resources delegations' manual, as detailed in the table below.
| Recruitment function | Percentage of agencies that did not comply (%) |
|---|---|
| Fill a vacancy, subject to the availability of funds, the merit principle and public sector recruitment policy (prior to advertising the role) | 2 |
| Advertise vacant roles in internal and external publications | 7 |
| Selection committee recommendations based on the competitive merit principles (employment into a classification of work, and assignment to a role) | 7 |
| Commencing rates of pay | 12 |
| On-going employment of employee after the probation period | 47 |
These exceptions increase the risk of inappropriate decisions being made associated with the advertising of roles, appointment of staff and their commencing pay. This indicates staff do not have a clear understanding of their delegated powers, or there is a lack of awareness or culture around the importance of complying with delegations in the agencies. Agencies should monitor compliance with their human resources delegations and communicate exceptions back to staff to raise awareness.
Appendices
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.