Internal controls and governance 2020

Media release

The Auditor-General for New South Wales, Margaret Crawford, today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

  • financial and information technology controls
  • business continuity and disaster recovery planning arrangements
  • procurement, including emergency procurement
  • delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19, agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events,’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.


Executive summary

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends
New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominantly due to a seven per cent increase in new internal control deficiencies and a 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

  • prioritise addressing high-risk findings
  • address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls
IT general controls

We found deficiencies in information security controls over key financial systems including:

  • user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
  • privileged users were not appropriately monitored at 43 per cent of agencies
  • deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems, and to remove that access once it is no longer required or employment is terminated.

3. Business continuity and disaster recovery planning
Assessing risks to business continuity and scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

  • involving key dependent or inter-dependent third parties who support or deliver critical business functions
  • testing one or more high impact scenarios identified in their business continuity plan
  • preparing a formal post-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies, but addressing these deficiencies will ensure they have adequate safeguards in their processes to respond again in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 and 31 December 2019. For instance:

  • in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee
  • in 95 per cent of instances where a disaster recovery response was activated, a post-incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of the respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement
Policy framework

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

  • 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
  • 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
  • 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Managing contracts

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Training and support

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

  • not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
  • not obtaining approval from a delegated authority to commence the procurement process
  • procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

Procurement activities

While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.

Emergency procurement

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement, released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with the requirements. For example:

  • 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
  • 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
  • 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being used efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

  • updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
  • using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
  • having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations
Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

  • 16 per cent of agencies had not updated their financial delegations to reflect the changes
  • 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations
Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits, and to improve the visibility that management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

  • 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
  • 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
  • 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

1. Introduction

1.1 State sector agencies

This report covers the findings and recommendations from our 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The agencies included in this report deliver a diverse variety of services and are exposed to numerous financial, operational and strategic risks. Effective internal controls and governance frameworks help to mitigate the likelihood of risks arising and their severity if they do.

A list of the 40 agencies included in this report is in Appendix 3.

1.2 Financial snapshot

The 40 agencies selected for this volume constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies. The snapshot below provides an indication of the collective size of assets, liabilities, revenue and expenses of these 40 agencies for the year ended 30 June 2020.

                             Number of   Assets        Liabilities   Revenue       Expenses
                             agencies    ($ billion)   ($ billion)   ($ billion)   ($ billion)
  Departments                    15         197.1         120.1          78.5          73.7
  State Owned Corporations        7          31.4          26.7           5.9           5.2
  Statutory bodies               18         214.6          23.6          33.2          29.1
  Total                          40         443.1         170.4         117.6         108.0

Note: The reported figures above include the impact of inter-agency transactions and balances, which are eliminated at a total state sector level.
Source: Audited financial statements.

1.3 Areas of focus

The report focuses on aspects of government preparedness for recent emergencies

The bushfire and flood emergencies and the COVID-19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. It has involved emergency response coordination and service delivery in crisis conditions. It has required the development of, or changes to governance, policies, systems and processes so agencies can respond quickly and provide for the immediate needs of citizens.

The Audit Office is focussed on the changing risk environment presented by these events and how effectively emergency responses have been delivered, in particular the financial and governance risks arising from the scale and complexity of government responses to these events.

As a result, this report focuses on:

Internal control trends and information technology controls

Our financial audits consider, at a minimum, the design and implementation of the internal controls agencies have in place that are relevant to our audit of the financial statements. This work also takes into account changes to financial and IT control environments arising from the recent emergencies and machinery of government changes. This includes the prevalence of remote working arrangements and changes in roles and responsibilities. Consistent with prior years, the report focusses on trends in high risk, common and repeat findings reported to agencies in our management letters, including any new or emerging risks that have arisen during the year.

Business continuity and disaster recovery planning

Business continuity and disaster recovery plans help government agencies build and maintain resilience during a disaster, crisis or other disruption to their essential operations. Good planning enables government agencies to maintain operations during these times, as well as restore operations to normal in the shortest time possible. This report focuses on whether agencies have:

  • implemented and maintained up-to-date business continuity and disaster recovery plans
  • performed comprehensive risk assessments and business impact analysis
  • regularly tested their business continuity and disaster recovery plans
  • implemented processes to monitor and evaluate the performance of their business continuity and disaster recovery plans.

Procurement, including emergency procurement

Procurement and purchasing are common areas where fraud and corruption can occur. This risk can increase in an emergency where pressure exists to take risks to procure goods and deliver services quickly. To do so may mean agreeing to contract variations or engaging in direct negotiations that would not be contemplated in normal circumstances. This report focusses on whether agencies have:

  • implemented procurement frameworks
  • implemented controls to engage in emergency procurement activity and report on this activity to NSW Procurement
  • assessed value for money and business needs prior to engaging in contract variations
  • complied with best practice procurement processes, including NSW Procurement Board Directions.

Delegations

The machinery of government changes, effective from 1 July 2019, transferred staff and functions between agencies, as well as abolished and created new agencies.

The staged implementation of the Government Sector Finance Act meant that from 1 July 2019 own-sourced revenues were designated as deemed appropriations, limiting an agency's authority to spend from the consolidated fund.

There were also a number of changes to key management personnel across agencies.

It is important that instruments of delegation are updated whenever there are key changes so that agencies can continue to function and operate lawfully.

Agencies can use this report to build resilience and agility by enhancing their internal control and governance frameworks

The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

  • highlighting the potential risks posed by weaknesses in controls and governance processes
  • helping agencies benchmark the adequacy of their processes against their peers
  • focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2020 cluster financial audit reports, which will be tabled in parliament during December 2020.

1.4 Sector wide learnings

Our review identified sector-wide learnings that government agencies should consider in relation to their internal controls and governance frameworks, which we have summarised below.
 
 
Internal and information technology controls
Focus on review and update of policies and procedures that have passed their scheduled review date. A policy register should be maintained and policies and procedures that have passed their scheduled review date should be reported to those charged with governance regularly so remedial action can be taken.
Address repeat internal and information technology control deficiencies by ensuring:
  • there is clear ownership of recommendations arising from internal control deficiencies, with timeframes and actions plans for their implementation
  • audit and risk committees and agency executive teams monitor the implementation status regularly focussing on those actions that are past due or have deferred implementation dates.
Review the implementation of user access controls to adequately protect the key financial and non-financial systems, focussing on the processes in place to grant, remove and monitor user access.
Review the number of privileged users and the level of access granted to privileged users, and assess and document the risks associated with their activities. Based on this review agencies should:
  • grant and restrict privileged user access to only staff that require that level of access to perform their role only for the period they require that access
  • identify controls to address the risks associated with privileged user activity, including regular monitoring of activity logs
  • promptly remove access when it is no longer required.
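The user access and privileged user learnings above, together with the IT general control deficiencies listed in the executive summary (access not removed on termination, generic privileged accounts with no identified user, privileged access not reviewed, password settings that do not match the agency's own policy), can be operationalised as a periodic access review. The script below is an added illustration and is not code from the Audit Office or from any agency: it runs over constructed sample data (an HR roster, a system access extract and a set of password settings), and the field names, the 90-day review interval and the policy values are assumptions chosen for the example.

```python
"""Periodic user access review over constructed sample data (added example,
not from the report). Flags access retained after termination, unowned or
generic privileged accounts, privileged access with no end date or no recent
review, and system password settings weaker than the agency's own policy."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    employee_id: str
    name: str
    termination_date: Optional[date] = None   # None = still employed


@dataclass
class Account:
    username: str
    owner_employee_id: Optional[str]          # None = generic/shared, no identified user
    privileged: bool
    last_access_review: Optional[date]        # last time a manager confirmed the need
    access_expiry: Optional[date]             # None = granted with no end date
    enabled: bool = True


# Constructed HR roster and system access extract; field names are assumptions.
SAMPLE_EMPLOYEES = [
    Employee("E001", "A. Example"),
    Employee("E002", "B. Example", termination_date=date(2020, 3, 31)),
]
SAMPLE_ACCOUNTS = [
    Account("a.example", "E001", False, date(2020, 5, 1), None),
    Account("b.example-admin", "E002", True, date(2020, 5, 1), date(2020, 12, 31)),
    Account("svc_batch", None, True, None, None),
    Account("dba_shared", "E999", True, date(2020, 1, 15), date(2020, 9, 30)),
    Account("old_contractor", "E002", False, None, None, enabled=False),
]
REVIEW_DATE = date(2020, 6, 30)   # constructed "as at" date for the review


def review_access(accounts: List[Account], employees: List[Employee],
                  as_at: date, review_interval_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, issue) for each control gap found among enabled accounts."""
    roster: Dict[str, Employee] = {e.employee_id: e for e in employees}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue   # a disabled account cannot be used, so it is out of scope
        tag = " (privileged)" if acct.privileged else ""
        if acct.owner_employee_id is None:
            findings.append((acct.username, "no identified owner; generic or shared account" + tag))
        else:
            owner = roster.get(acct.owner_employee_id)
            if owner is None:
                findings.append((acct.username, "owner not on HR roster" + tag))
            elif owner.termination_date is not None and owner.termination_date <= as_at:
                findings.append((acct.username, f"owner terminated {owner.termination_date.isoformat()}"
                                 f" but access not removed" + tag))
        if acct.privileged:
            if acct.access_expiry is None:
                findings.append((acct.username, "privileged access granted with no end date"))
            if (acct.last_access_review is None
                    or (as_at - acct.last_access_review).days > review_interval_days):
                findings.append((acct.username,
                                 f"privileged access not reviewed in the last {review_interval_days} days"))
    return findings


# For each password setting, whether a higher value is the stricter one.
HIGHER_IS_STRICTER = {"min_length": True, "history": True,
                      "lockout_threshold": True, "max_age_days": False}
# Constructed agency policy and one system's actual configuration (assumed keys).
AGENCY_PASSWORD_POLICY = {"min_length": 10, "history": 8, "lockout_threshold": 5, "max_age_days": 90}
SYSTEM_PASSWORD_SETTINGS = {"min_length": 8, "history": 8, "lockout_threshold": 0, "max_age_days": 90}


def compare_password_settings(policy: Dict[str, int], system: Dict[str, int]) -> Dict[str, str]:
    """Return the settings where the system is weaker than the agency's own policy."""
    gaps: Dict[str, str] = {}
    for key, required in policy.items():
        actual = system.get(key)
        if actual is None:
            gaps[key] = "not configured"
        elif key == "lockout_threshold" and actual == 0:
            gaps[key] = f"lockout disabled; policy requires {required}"   # 0 = lockout off
        elif HIGHER_IS_STRICTER[key] and actual < required:
            gaps[key] = f"{actual} is below the policy minimum of {required}"
        elif not HIGHER_IS_STRICTER[key] and actual > required:
            gaps[key] = f"{actual} exceeds the policy maximum of {required}"
    return gaps


if __name__ == "__main__":
    for user, issue in review_access(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, REVIEW_DATE):
        print(f"{user}: {issue}")
    for setting, gap in compare_password_settings(AGENCY_PASSWORD_POLICY, SYSTEM_PASSWORD_SETTINGS).items():
        print(f"password {setting}: {gap}")
```

In practice the two inputs would be a current HR extract and a user listing exported from the system under review; the findings list is what an agency would table for its audit and risk committee, and a run that returns no findings is the evidence that access is removed on termination and that every privileged account has an identified owner, an end date and a recent review.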
Delegations
Ensure financial and human resources delegation manuals contain regular set review dates and a requirement to review delegations when events such as machinery of government changes, changes in key legislation, or internal restructures may indicate changes are required to delegated authorities.
Review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. This will also help to ensure they are accurate and avoid gaps and errors.
Regularly communicate the requirements of financial and human resources delegations to staff so that they have a strong awareness of their authority, including limitations/conditions on the ability to exercise their delegated power.
Regularly monitor and test compliance with financial and human resources delegations so that those charged with governance have assurance that there is a culture of compliance with delegations within the agency.
Business continuity and disaster recovery planning
Align business resilience frameworks, such as risk management, business continuity, crisis management and ICT disaster recovery to ensure they enable a co-ordinated and consistent response to an emergency, crisis or other business disruption.
Perform business impact analysis to identify critical business functions. The business impact analysis should capture several key elements, including the supporting IT systems and infrastructure, key dependencies and maximum tolerable outage and recovery time objectives.
Re-assess risks to business continuity, as a result of the recent emergency situations so that previously unforeseen or other emerging risks and opportunities are identified and treated or exploited.
Ensure disaster recovery plans are in place for all key IT systems and infrastructure identified by the business impact analysis.
Incorporate key third parties who support or contribute to critical business functions in business continuity and disaster recovery scenario testing exercises. Report on the outcomes of business continuity and disaster recovery scenario testing exercises to the audit and risk committee.
Assess the response to the recent emergencies and update business continuity, disaster recovery or other business resilience frameworks to capture any lessons learnt.
Create a forward plan to test all high risk critical business functions and key IT systems and infrastructure within a timeframe acceptable to those charged with governance.
Consider incorporating review of agency business continuity or disaster recovery planning arrangements in the strategic internal audit plan.
Procurement, including emergency procurement
Review procurement policies and guidelines to ensure they capture the key requirements of the NSW Procurement Policy Framework, including NSW Procurement Board Directions.
Ensure that procurement plans are established for significant procurement activities and that they adequately assess procurement requirements.
Ensure tender evaluation committees are established to oversee major procurement and that members have declared conflicts of interest, including nil declarations, and that those committees prepare tender evaluation plans and evaluation reports.
Maintain a centralised contract register that is reviewed by the procurement business unit on a regular basis to identify contracts that are nearing their end date so procurement activity can be commenced in a timely manner.
Perform and document robust value for money assessments for contract renewals or extensions where a competitive process is not undertaken. Consider developing a template to support this process.
Provide on-going training and support to staff undertaking procurement activity.
Review and update procurement frameworks to better respond to emergency situations that may arise in the future. This should include updating procurement policies and guidelines to define an emergency situation, specifying who can approve emergency procurement, capturing other key requirements, and establishing processes to report to those charged with governance and NSW Procurement on emergency procurements undertaken.

 

2. Internal control trends

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

2.1 High risk findings

High risk findings arise from failures of key internal controls and/or governance practices of such significance that they can affect an agency’s ability to achieve its objectives or impact the reliability of its financial statements. This, in turn, increases the risk that the audit opinion will be modified.

We rate the risk posed by each financial and IT control deficiency as ‘High’, ‘Moderate’ or ‘Low’. The rating is based on the likelihood of the risk occurring and the consequences if it does. The higher the rating, the more likely it is that agencies will suffer losses, or that their service delivery will be compromised. Our risk assessment matrix aligns with the risk management framework in NSW Treasury’s Risk Management Toolkit for the NSW Public Sector.

The number of high risk findings has increased from last year

We identified ten high risk findings, compared to four high risk findings in 2018–19, with two repeat deficiencies from the previous year. Nine of the ten high risk deficiencies related to financial controls and one related to IT controls.

Agencies should continue to address high risk internal control deficiencies as a matter of priority.

The ten high risk findings, their implications and where further detail will be reported are set out below.

1. High risk finding: Deficiencies in controls to manage privileged user access administration and to monitor privileged user activities were noted on a key business system. Audit logs were not maintained or reviewed. We identified generic privileged user accounts and privileged user accounts whose users could not be identified.
Implication: Privileged users are able to access key systems and functions. They may also be able to remove records of their activity if logging features are disabled. Inappropriate privileged user access exposes agencies to a greater risk of unauthorised changes to systems and data by these users, or by cyber criminals using their logon details. Unauthorised changes may not be identified in a timely manner and may not be traceable to individual users.
Further reporting: Report on Education, to be tabled in December 2020.

2. High risk finding: We noted a high number of exceptions in the underlying lease data maintained by an agency managing a high volume of leases. This included differences between recorded data and the key terms and conditions in the underlying contracts, including lease payments, lease terms and extension options.
Implication: Data quality issues could create a risk of material misstatement to the agency's financial statements. Inaccurate data may also render the agency unable to effectively manage its portfolio of leases.
Further reporting: Report on Planning, Industry and Environment, to be tabled in December 2020.

3. High risk finding: An agency did not perform a timely and detailed assessment of the impact of the new revenue and leasing accounting standards effective from 1 July 2019, or of the accounting treatment of several stimulus packages, on its financial statements. These transactions were material to the agency.
Implication: Lack of timely and robust assessments, with detailed documentation to support the application of the Australian Accounting Standards and Treasury Guidance Papers, could result in a material misstatement to the agency's financial statements.
Further reporting: Report on Central Agencies, to be tabled in December 2020.

4. High risk finding: We identified an instance of non-compliance with the Appropriation Act 2019 (the Act) in relation to the use of an appropriation received under the Act. An appropriation received under the Act must be used for the specific purposes outlined in the Act. However, the cluster used the additional funding for purposes that were not consistent with the purpose for which it had been appropriated.
Implication: Inadequate legislative compliance processes, and inadequate assessment of relevant legislative requirements before approving transactions, can result in the agency not complying with key laws and regulations.
Further reporting: Report on Central Agencies, to be tabled in December 2020.

5. High risk finding: The fair value assessment of an asset class was not completed at an agency and, as a result, these assets may not be recorded at fair value.
Implication: Lack of fair value assessments increases the risk of a material misstatement in the agency's financial statements and of non-compliance with the applicable Australian Accounting Standards and Treasury Guidance Papers.
Further reporting: Report on Regional NSW, to be tabled in December 2020.

6. High risk finding: An agency did not complete, or only partially completed, a number of the mandatory early close procedures required under the Treasurer's Directions and the Treasury Guidance Papers issued.
Implication: Non-compliance with Treasurer's Directions and Treasury Guidance Papers.
Further reporting: Report on Regional NSW, to be tabled in December 2020.

7. High risk finding: As part of the current year valuation process for one agency, several properties were identified that had been transferred to the agency in the prior year but had not been recorded at the date of transfer in a timely manner.
Implication: Financial and non-financial risks and obligations in relation to the transferred assets may not be adequately assessed. Deficiencies in processes to identify and promptly account for transferred properties may result in material misstatement of the financial statements.
Further reporting: Report on Transport, to be tabled in December 2020.

8. High risk finding: An agency did not implement controls to monitor and record the transfer of capital works constructed on behalf of third parties. As a result, the agency did not record the transfer of completed constructed assets to third parties in the financial year in which it occurred.
Implication: Deficiencies in the processes to record the transfer of capital works may result in material misstatement of the financial statements.
Further reporting: Report on Transport, to be tabled in December 2020.

9. High risk finding: An agency did not maintain adequate documentation to support the allocation of indirect costs recovered from specific funds managed by the agency.
Implication: Lack of documentation to support the allocation of indirect costs increases the risk that the allocation basis and methodology applied is inequitable.
Further reporting: Report on Central Agencies, to be tabled in December 2020.

10. High risk finding: An agency was converted from a not-for-profit statutory body to a for-profit statutory state owned corporation from 1 July 2020. However, at the time of concluding our audit, the agency responsible for managing the transition had not finalised the operating model and Statement of Corporate Intent (SCI).
Implication: The arrangements may affect financial reporting, which will be a key area of audit focus in 2020–21.
Further reporting: Further detail on this issue was included in the Report on State Finances 2020.


2.2 Common findings

While it is important to monitor the number and nature of deficiencies across the NSW public sector, it is also useful to assess whether deficiencies are common to multiple agencies. Where deficiencies relate to multiple agencies, central agencies or the lead agency in a cluster can help ensure consistent, timely, efficient and effective responses to identified deficiencies.

We classified the 396 internal control deficiencies we identified in 2019–20 into common categories as follows:

  • financial operational deficiencies
  • IT operational deficiencies
  • compliance deficiencies
  • reporting deficiencies.
Source: Audit Office management letters

The graph above shows that 83 per cent of the deficiencies (78 per cent in 2018–19) were financial or IT operational deficiencies, with the remainder split between compliance deficiencies (15 per cent, unchanged from 2018–19) and reporting deficiencies (two per cent compared to seven per cent in 2018–19).

The table below describes the most common deficiencies across agencies, including their risk rating, the number of repeat deficiencies and the recommendations our management letters have communicated to agencies.

Operational deficiencies (High: 7 new, 1 repeat; Moderate: 88 new, 81 repeat; Low: 101 new, 49 repeat)

Common issue: Policies and procedures
Finding/implication: Agencies have not established policies, have gaps in policies, or have policies that are past their scheduled review date. These issues increase the risk that outdated policies and procedures are followed, that policies and procedures do not reflect better practice, or, where practice is not documented, that the agency loses corporate knowledge when staff turn over.
Lessons for agencies: Agencies should establish processes that assure their policies reflect current requirements and the organisation's current structure and delegations, and that avoid duplication, contradictions or gaps.

Common issue: Maintaining master files
Finding/implication: Controls were not established to:
  • ensure sufficient segregation of duties over access to key master files
  • verify the validity, accuracy and/or completeness of changes to key master files, such as vendor and payroll tables.
Lessons for agencies: Agencies should:
  • review the controls established over access to key master files to prevent inappropriate access to, or change or erasure of, data
  • regularly review the system access of business users to ensure incompatible duties are removed.

Common issue: Use of purchase orders
Finding/implication: Purchase orders were created and approved only after the goods and services had been purchased.
Lessons for agencies: Agencies should ensure staff are trained in their obligations to comply with proper procurement practices, policies and legislation.

Common issue: Preparedness for implementing the new accounting standards
Finding/implication: Agencies have not performed comprehensive assessments of the financial impact of adopting the new leasing and revenue accounting standards.
Lessons for agencies: Agencies should ensure:
  • staff are provided with training to understand the key requirements of the new accounting standards
  • robust assessments are performed, with appropriate supporting documentation.

Common issue: Information technology
Finding/implication: IT control deficiencies related to IT governance, user access administration, program change and computer operations.
Lessons for agencies: Refer to Section 3 of this report for further details.


Compliance deficiencies (High: 1 new, 1 repeat; Moderate: 19 new, 19 repeat; Low: 13 new, 7 repeat)

Common issue: Contract registers
Finding/implication: Agencies have not established contract registers, or have incomplete or inaccurate contract registers. These agencies may face challenges with:
  • complying with GIPA obligations
  • identifying contracts that are nearing completion and commencing timely procurement activity
  • effectively managing their contractual commitments
  • disclosing contractual commitments accurately in their financial statements.
Lessons for agencies: Agencies should focus on establishing complete and accurate contract registers. This includes:
  • developing policies and procedures that govern the timely and accurate updating of the contracts register
  • monitoring the contracts register, including identifying contracts nearing completion so a new procurement can be commenced in a timely manner.

Common issue: Document retention
Finding/implication: Agencies do not always retain documents to evidence the performance of key control activities. This reduces accountability and compliance with state records legislation.
Lessons for agencies: Agencies should educate staff in their responsibilities and retain documentary evidence that those responsibilities have been discharged. Appropriate records management policies should be communicated to staff.

Common issue: Central registers, such as those used to manage conflicts of interest and gifts and benefits
Finding/implication: Central registers are not kept, or are not updated in a timely manner. Without a central register to capture this information, agencies may not have the visibility they need to oversee whether their management of conflicts of interest and gifts and benefits complies with legislative requirements and internal policies.
Lessons for agencies: Agencies should ensure they have registers that capture staff disclosures in a way that complies with legislation and policies. Conflict of interest, gifts and benefits and other relevant policies should specify how promptly such registers must be updated.


Reporting deficiencies (High: 0 new, 0 repeat; Moderate: 3 new, 2 repeat; Low: 3 new, 1 repeat)

Common issue: Reconciliations
Finding/implication: Key reconciliations were not prepared, or were not reviewed in a timely manner. Reconciliations of inter-agency balances were not performed. There were unconfirmed balances in reconciliations.
Lessons for agencies: Reconciliations should be prepared and reviewed as part of month-end processes. Policies and procedures should be observed and management should ensure this key control is performed. Inter-agency balances should be reconciled regularly, and reconciliation differences resolved in a timely manner.


2.3 New and repeat findings

We assess trends in agency controls by measuring the number of internal control findings that emerged from our financial audits. We use three measures:

  • number of findings
  • number of new and repeat findings
  • risk level of findings.

Our 2019–20 audits identified 396 internal control deficiencies, comprising:

  • 226 financial control deficiencies
  • 170 IT control deficiencies.

We reported these deficiencies to agency management and to those responsible for governance at agencies, such as audit and risk committees and cluster secretaries. Our management letters outline each audit finding, assess its implications, rate the level of risk and make recommendations.

The number of internal control deficiencies has increased by 13 per cent from last year

The 13 per cent increase in internal control deficiencies is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. This follows an increase in internal control deficiencies of 12 per cent in 2018–19.

Source: Audit Office management letters

The number of financial control deficiencies has increased by 15 per cent from last year

The number of financial control deficiencies increased by 15 per cent from last year, following an increase of 25 per cent in 2018–19. We found financial control deficiencies at 85 per cent of agencies (85 per cent in 2018–19).

New financial control deficiencies increased by five per cent and repeat financial control deficiencies increased by 36 per cent from 2018–19. Deficiencies in internal controls increase the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The graph below shows the risk rating of reported financial control deficiencies for the past five years.

Source: Audit Office management letters

The number of IT control deficiencies has increased by 11 per cent from last year

The number of reported IT control deficiencies has increased by 11 per cent compared to last year, indicating that a significant number of the IT control deficiencies noted in 2018–19 and 2017–18 remain unresolved.

Many of the IT control deficiencies in 2018–19 related to unresolved IT control deficiencies from the previous year. In 2019–20 repeat findings increased by 13 per cent, from 69 in 2018–19 to 78 in 2019–20. Also, new IT control deficiencies have increased slightly from 83 in 2018–19 to 92 in 2019–20.

Good IT controls are an essential ingredient underpinning effective processes, policies and procedures for managing information systems, securing sensitive information, and ensuring the integrity of agency data. Poor IT controls increase risks to agencies, including unauthorised access, cyber security attacks, fraud, data manipulation, privacy breaches, non-compliance with laws and regulations and information theft. The longer a deficiency remains unaddressed, the greater the risk that the vulnerability will not only be exploited, but will be repeatedly exploited increasing the potential losses to the agency.

The graph below shows the risk rating of reported IT control deficiencies for the past five years.

Source: Audit Office management letters

As the digital footprint of agencies increases, they need to continue to focus their attention on these issues and prioritise the rectification of IT weaknesses.

Repeat control deficiencies increased by 24 per cent from 2018–19

The number of repeat internal control deficiencies we identified has increased by 24 per cent from 2018–19. As a percentage of all internal control deficiencies, unresolved deficiencies from prior years now represent 41 per cent of all the internal control deficiencies we identified.

Source: Audit Office management letters

The graph below shows a continued increase in both repeat financial and IT control deficiencies in the current year. There was an increase of:

  • 36 per cent in the number of repeat financial control deficiencies, following a 69 per cent increase in repeat financial control deficiencies in 2018–19
  • 13 per cent in IT control deficiencies, following a 138 per cent increase in 2018–19.
Source: Audit Office management letters

Vulnerabilities in internal control systems can be exploited by internal and external parties and pose a threat to agencies. The longer these vulnerabilities exist, the higher the risk that they will be exploited and the higher the expected losses. Agencies need to address these challenges by ensuring:

  • there is clear ownership of recommendations arising from internal control deficiencies, with timeframes and actions plans for their implementation
  • audit and risk committees and agency executive teams monitor the implementation status regularly focussing on those actions that are past due or have deferred implementation dates.

3. Information technology controls

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

 

3.1 IT general controls

IT governance

IT governance provides a structure to enable agencies to effectively manage and monitor their IT risks to ensure that associated activities are aligned to achieve their objectives to deliver services to the public.

Most agencies have implemented policies to manage their key IT systems

Ninety-seven per cent of agencies have established IT policies to ensure key IT processes and functions are appropriately managed. However, five per cent of these policies were not regularly reviewed. Regular review of IT policies ensures that the strategies and procedures agencies implement keep pace with the evolving IT risks affecting their environments, and that there are adequate processes in place for the ongoing management of existing and new IT risks.

Information security

Information technology is often at the core of how agencies deliver services in every sector. While IT can improve service delivery, the growing dependency on technology and rapid transformation to a digital society means agencies face an increasing number of risks if they do not adequately protect their IT systems from unauthorised access and misuse.

In the Report on Central Agencies 2019 we found the NSW Public Sector's cyber security resilience needed urgent attention. This was based on agencies' self-assessments against the Australian Cyber Security Centre’s Essential 8 cyber risk mitigation strategies. While our audits do not look at all aspects of how agencies have implemented the ‘Essential 8’, the findings below do highlight areas of information security that agencies need to strengthen to better align to the ‘Essential 8’ and the NSW Cyber Security Policy.

User access administration

User access administration over IT systems needs to be improved

All agencies have implemented formal processes for creating and modifying user access to IT systems, yet the way those processes are applied in practice requires further improvement. We found:

  • 6 issues related to granting user access across 13 per cent of agencies
  • 8 issues related to removing user access across 15 per cent of agencies
  • 39 issues related to periodic reviews of user access across 43 per cent of agencies
  • 32 issues related to users with inappropriate access across 35 per cent of agencies.

Examples of deficiencies included:

  • periodic user access reviews were not performed to ensure access levels align with the user’s role
  • regular reviews of dormant user accounts and default/generic accounts were not performed
  • there was no process to periodically review third party user access, nor were the profiles promptly removed once they were no longer required
  • weaknesses in processes to ensure timely changes to access levels to reflect changes to staff responsibilities and terminations
  • access to new users and changes to user access levels had been granted without approval, or without evidence of approval
  • processes had not been implemented to disable default/generic accounts.

Poor management of user access:

  • exposes agencies to the risk of fraud
  • compromises data integrity and confidentiality
  • increases the risk of unauthorised and invalid transactions
  • increases the risk of dormant user profiles, particularly high-level profiles, being used for cyber attacks or other illegal activity.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.
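Much of the periodic review described above can be automated by reconciling an application's user extract against the HR roster. The Python script below is an added example; it is not code from the report or from any agency system. The account extract, the HR roster, the field names, the list of generic account names, the review date and the 90-day dormancy threshold are all constructed assumptions. It flags the deficiency types listed in this section: dormant or never-used accounts, accounts still enabled after the owner's termination (including any logon recorded after that date), accounts with no identified individual owner, and default or generic account names, and marks privileged accounts for priority treatment.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Usernames that commonly ship as built-in or shared accounts (assumed list;
# extend it with the agency's own naming conventions for service accounts).
DEFAULT_OR_GENERIC = {"admin", "administrator", "root", "sa", "guest", "test"}

# Review date and dormancy threshold used by the example (assumptions).
AS_OF = date(2020, 6, 30)
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]     # HR employee id; None = no identified individual
    last_logon: Optional[date]  # None = never logged on
    enabled: bool
    privileged: bool


# Constructed sample extract from a hypothetical finance application.
ACCOUNTS = [
    Account("jsmith",    "E1001", date(2020, 6, 25), True, False),
    Account("mlee",      "E1002", date(2020, 1, 10), True, True),
    Account("tbrown",    "E1003", date(2020, 6, 29), True, False),
    Account("admin",     None,    date(2020, 6, 30), True, True),
    Account("svc_batch", None,    date(2020, 6, 30), True, True),
    Account("rwong",     "E1004", None,              True, False),
    Account("old_user",  "E1005", date(2019, 1, 1),  False, False),
]

# Constructed HR roster: employee id -> (status, termination date).
HR_ROSTER = {
    "E1001": ("active", None),
    "E1002": ("active", None),
    "E1003": ("terminated", date(2020, 5, 15)),
    "E1004": ("active", None),
}


def review_user_access(accounts: List[Account], hr_roster: dict,
                       as_of: date = AS_OF, dormant_days: int = DORMANT_DAYS
                       ) -> Dict[str, List[str]]:
    """Return {username: [issue, ...]} for enabled accounts that need action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; out of scope for this review
        issues: List[str] = []
        if acct.username.lower() in DEFAULT_OR_GENERIC:
            issues.append("default or generic account name")
        if acct.owner_id is None:
            issues.append("no identified individual owner")
        else:
            status, term_date = hr_roster.get(acct.owner_id, ("unknown", None))
            if status == "unknown":
                issues.append("owner not found in HR roster")
            elif status == "terminated":
                issues.append(f"still enabled {(as_of - term_date).days} days after termination")
                if acct.last_logon is not None and acct.last_logon > term_date:
                    issues.append("logon recorded after termination date")
        if acct.last_logon is None:
            issues.append("never logged on")
        elif (as_of - acct.last_logon).days > dormant_days:
            issues.append(f"dormant for {(as_of - acct.last_logon).days} days")
        if issues and acct.privileged:
            issues.append("privileged account: treat as priority")
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_user_access(ACCOUNTS, HR_ROSTER).items():
        print(f"{user}: {'; '.join(issues)}")
```

The reconciliation against HR data is the step most often missing in practice: a review of the user list alone cannot tell that tbrown left six weeks ago, and the logon recorded after the termination date is exactly the signal the report's last bullet warns about.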

Privileged access

Monitoring of privileged user accounts needs to be strengthened

Agency staff often have access to sensitive data. If that access is not properly controlled and monitored it can increase the risk of inappropriate access or use of sensitive information for a fraudulent or improper purpose, or of an intentional or unintentional data leak. This is particularly true for those privileged users who are ‘trusted insiders’ such as employees, business partners, or third-party contractors.

Forty-three per cent of agencies do not periodically review the activities of privileged users to identify suspicious or unauthorised activities. Overall, this is an increase from 2019, where 35 per cent of agencies did not perform these reviews.

Examples of deficiencies included:

  • system audit logs not enabled to track user account activities
  • no process to periodically review privileged user activities where system audit logs are enabled and maintained
  • limited segregation of duties of staff with privileged IT user profiles from business operational responsibilities.

The absence of periodic reviews of privileged user accounts increases the risk that these accounts can be misused to:

  • commit fraud
  • access and extract confidential information for improper purposes
  • access files, install and run programs, and change configuration settings
  • maliciously or accidentally delete or distribute information.

Poor management of privileged access may also lead to breaches of Section 3.6 of the Government Sector Finance Act 2018 and the NSW Cyber Security Policy. This policy requires agencies to have appropriate security screening of users with privileged access rights, and remove access when it is no longer required, or when employment is terminated. Agencies should review the number of privileged users and the access granted to privileged users.

Agencies should assess and document the risks associated with their activities. Based on this review agencies should:

  • grant and restrict privileged user access to only staff that require that level of access to perform their role
  • identify controls to address the risks associated with privileged user activity, including regular monitoring of activity logs
  • promptly remove access when it is no longer required.
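Where audit logs are enabled, the regular monitoring of activity logs called for above is a matter of parsing the log and applying a small set of rules. The Python script below is an added example, not code from the report or from any agency system; the key=value log format, the list of shared accounts, the set of actions treated as privileged and the definition of business hours are all constructed assumptions. It flags the conditions behind the IT high risk finding in section 2.1: audit logging being switched off, privileged actions performed from shared or generic accounts that cannot be traced to an individual, a user granting a role to their own account, and privileged actions outside business hours. It cannot detect the case where logging was never enabled; that has to be verified in the system configuration.

```python
from datetime import datetime
from typing import Dict, List

# Accounts that are shared or unattributable (assumed; in practice this list
# comes out of the user access review).
SHARED_ACCOUNTS = {"admin", "svc_batch"}

# Actions treated as privileged for review purposes (assumed).
PRIVILEGED_ACTIONS = {"GRANT_ROLE", "CREATE_USER", "CHANGE_CONFIG", "AUDIT_LOG_DISABLED"}

BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local, Monday to Friday (assumed)

# Constructed sample audit log in a key=value format (not any real product's format).
SAMPLE_LOG = """\
2020-06-12T09:15:00 user=mlee action=CREATE_USER target=newuser
2020-06-12T22:14:03 user=admin action=GRANT_ROLE target=admin role=SYSADMIN
2020-06-13T10:02:11 user=svc_batch action=CHANGE_CONFIG target=payment_limit value=999999
2020-06-15T08:30:00 user=mlee action=AUDIT_LOG_DISABLED target=finance_db
2020-06-15T08:45:00 user=mlee action=GRANT_ROLE target=jsmith role=AP_CLERK
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_privileged_activity(log_text: str) -> List[dict]:
    """Return one alert dict per (event, reason) pair that warrants follow-up."""
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        when = datetime.fromisoformat(ev["ts"])
        actor = ev.get("user", "?")
        action = ev.get("action", "?")
        reasons = []
        if action == "AUDIT_LOG_DISABLED":
            reasons.append("audit logging disabled")
        if action in PRIVILEGED_ACTIONS and actor in SHARED_ACCOUNTS:
            reasons.append("privileged action by shared account (not traceable to an individual)")
        if action == "GRANT_ROLE" and ev.get("target") == actor:
            reasons.append("self-granted role")
        if action in PRIVILEGED_ACTIONS and (when.weekday() >= 5 or when.hour not in BUSINESS_HOURS):
            reasons.append("privileged action outside business hours")
        for reason in reasons:
            alerts.append({"ts": ev["ts"], "user": actor, "action": action, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in review_privileged_activity(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']:<10} {alert['action']:<19} {alert['reason']}")
```

In the sample, the routine administrator actions by an individually identified user during business hours produce no alerts, so the reviewer's attention goes to the four events that matter. The same rules can be run over each period's log as the periodic review the report asks for, with the output retained as evidence that the review took place.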

Password controls

Management of password controls can be improved

Twenty-five per cent of agencies either did not comply with their own policy on password parameters, or did not enforce the minimum expected standard. This is an increase of five percentage points from 2019. The deficiencies identified related to:

  • passwords not meeting minimum password lengths
  • passwords not meeting complexity requirements
  • not enforcing limits on the number of failed login attempts
  • not enforcing controls for password history (i.e. the number of passwords remembered, to restrict the recycling of recently used passwords)
  • not applying minimum and maximum password ages (i.e. controlling how frequently passwords may and must be changed)
  • no formal internal password policy, or no enforcement of its requirements.

Our audits also identified the use of default and generic passwords being used by agencies. Weak passwords increase the risk of unauthorised use of, and changes to, financial information. Weaknesses were identified across agency IT applications, databases and database servers.

Agencies should review IT password settings to ensure that they comply with minimum standards and the requirements of their password policies.
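One way to perform that review consistently is to export each system's password parameters and compare them against a single baseline. The Python below is an added example, not code from the report or from any agency; the baseline values, the three system exports, the default-credential list and the salted credential store are constructed assumptions, so substitute the parameters the agency's own policy mandates. It also shows an offline check for the default passwords mentioned above, computed against each account's stored salted hash rather than by attempting logons. One caveat on the baseline: the report treats a maximum password age as expected, but NIST SP 800-63B, for example, advises against forcing periodic password changes, so agencies should confirm what their own policy actually requires before treating the absence of an expiry as a deficiency.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Assumed minimum standard for illustration only: substitute the parameters the
# agency's own password policy mandates.
BASELINE: Dict[str, Tuple[Callable, str]] = {
    "min_length":        (lambda v: v >= 14,       ">= 14 characters"),
    "complexity":        (lambda v: v is True,     "complexity enforced"),
    "lockout_threshold": (lambda v: 1 <= v <= 10,  "lockout after 1-10 failed attempts"),
    "history":           (lambda v: v >= 8,        "remember >= 8 previous passwords"),
    "max_age_days":      (lambda v: 1 <= v <= 365, "maximum age set, at most 365 days"),
}

# Constructed settings as exported from three hypothetical systems.
OBSERVED: Dict[str, Optional[dict]] = {
    "erp_app":    {"min_length": 14, "complexity": True,  "lockout_threshold": 0,
                   "history": 10, "max_age_days": 90},
    "finance_db": {"min_length": 6,  "complexity": False, "lockout_threshold": 5,
                   "history": 0,  "max_age_days": 0},
    "hr_app":     None,  # no password policy configured at all
}


def check_password_settings(observed: Dict[str, Optional[dict]],
                            baseline: Dict[str, Tuple[Callable, str]]
                            ) -> Dict[str, List[str]]:
    """Return {system: [deviation, ...]}; an empty list means compliant."""
    report: Dict[str, List[str]] = {}
    for system, settings in observed.items():
        if settings is None:
            report[system] = ["no password policy configured"]
            continue
        deviations = []
        for param, (meets, expected) in baseline.items():
            if param not in settings:
                deviations.append(f"{param}: not set (expected {expected})")
            elif not meets(settings[param]):
                deviations.append(f"{param}: {settings[param]} (expected {expected})")
        report[system] = deviations
    return report


# Offline check for default credentials against a salted credential store.
# The hash scheme (PBKDF2-HMAC-SHA256, 10,000 iterations) is an assumption;
# use the target system's actual scheme and iteration count.
DEFAULT_CREDENTIALS = [("sa", ""), ("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("guest", "guest")]


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed credential store: (username, salt, stored hash).
STORED = [
    ("admin",  b"salt-1", _hash(b"salt-1", "admin")),
    ("jsmith", b"salt-2", _hash(b"salt-2", "correct-horse-battery")),
    ("sa",     b"salt-3", _hash(b"salt-3", "")),
]


def find_default_credentials(stored) -> List[str]:
    """Return usernames whose stored hash matches a well-known default password."""
    hits = []
    for user, salt, stored_hash in stored:
        for default_user, default_pw in DEFAULT_CREDENTIALS:
            if user == default_user and hmac.compare_digest(_hash(salt, default_pw), stored_hash):
                hits.append(user)
                break
    return hits


if __name__ == "__main__":
    for system, devs in check_password_settings(OBSERVED, BASELINE).items():
        print(system, "->", devs or "compliant")
    print("default credentials in use:", find_default_credentials(STORED))
```

Keeping the baseline as named predicates with a human-readable expectation means the output can go straight into a management letter style finding (parameter, observed value, expected value) rather than a bare pass/fail.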

Program changes

Approval of changes to IT programs prior to implementation can be strengthened

All agencies have established IT change management policies to ensure that changes to IT programs and related infrastructure components are appropriately authorised, performed and tested prior to implementation. We found deficiencies in IT program change controls at 25 per cent of agencies, which is a five percentage point increase from 2018–19. These deficiencies related to:

  • inappropriate segregation of duties over developing and releasing IT program changes to the production environment
  • inability to provide evidence for approval of IT program changes
  • other issues, such as retaining evidence of approval provided to the service provider prior to releasing changes to production.

Weak program change controls expose agencies to the risk of:

  • unauthorised and/or inaccurate changes to systems or programs
  • issues with data accuracy and integrity
  • inappropriately accepting releases that come with upgrades.

Agencies should consistently perform user acceptance testing before system upgrades and program changes are deployed. Changes should not be made without appropriate approval and documentation to support the approval.
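The segregation of duties and approval-evidence points above can be tested directly from a change register export. The Python below is an added example, not code from the report or from any agency; the change record fields and the sample changes are constructed assumptions. It flags a developer releasing their own change to production, changes with no retained approval evidence, changes approved by their own developer, approvals recorded only after the release, and releases without a passed user acceptance test.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str
    approver: Optional[str]          # None = no approval evidence retained
    approved_at: Optional[datetime]
    releaser: str                    # who deployed the change to production
    released_at: datetime
    uat_passed: Optional[bool]       # None = no user acceptance testing record


# Constructed sample records from a hypothetical change register.
CHANGES = [
    Change("CHG-101", "dev_a", "mgr_x", datetime(2020, 3, 2, 10, 0),
           "ops_b", datetime(2020, 3, 3, 9, 0), True),
    Change("CHG-102", "dev_a", "mgr_x", datetime(2020, 3, 10, 15, 0),
           "dev_a", datetime(2020, 3, 10, 16, 0), True),      # developer released own change
    Change("CHG-103", "dev_c", None, None,
           "ops_b", datetime(2020, 4, 1, 9, 0), True),        # no approval evidence
    Change("CHG-104", "dev_c", "mgr_x", datetime(2020, 4, 20, 9, 0),
           "ops_b", datetime(2020, 4, 18, 9, 0), False),      # retrospective approval, UAT failed
    Change("CHG-105", "dev_d", "dev_d", datetime(2020, 5, 5, 9, 0),
           "ops_b", datetime(2020, 5, 6, 9, 0), None),        # self-approved, no UAT record
]


def review_change_controls(changes: List[Change]) -> Dict[str, List[str]]:
    """Return {change_id: [issue, ...]} for changes that breach the expected controls."""
    findings: Dict[str, List[str]] = {}
    for c in changes:
        issues: List[str] = []
        if c.releaser == c.developer:
            issues.append("developer released own change to production")
        if c.approver is None or c.approved_at is None:
            issues.append("no evidence of approval")
        else:
            if c.approver == c.developer:
                issues.append("change approved by its own developer")
            if c.approved_at > c.released_at:
                issues.append("approval recorded after release (retrospective)")
        if c.uat_passed is None:
            issues.append("no user acceptance testing record")
        elif c.uat_passed is False:
            issues.append("released despite failed user acceptance testing")
        if issues:
            findings[c.change_id] = issues
    return findings


if __name__ == "__main__":
    for change_id, issues in review_change_controls(CHANGES).items():
        print(f"{change_id}: {'; '.join(issues)}")
```

Comparing the approval timestamp with the release timestamp is the check that catches the purchase-order pattern in section 2.2 applied to changes: an approval that exists but was only obtained after the fact is not evidence that the control operated.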

Computer operations

Management of computer operations is essential to an agency's IT environment as it ensures agencies have implemented appropriate policies and procedures to manage potential disasters and critical system failures. This includes developing business continuity plans and disaster recovery plans.

Findings from our detailed review of agency disaster recovery and business continuity processes are outlined in section 4.

4. Business continuity and disaster recovery planning

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

 

4.1 Background

Agencies deliver a diverse range of essential services to the public. Ongoing delivery of these services is critical to the social and economic outcomes of the State. Agencies also often perform other key functions, that while not critical, are important.

Business continuity management helps agencies respond to and manage business disruptions, maintain or restore critical services and return to business as usual with minimal impact to service delivery. ICT disaster recovery planning forms part of an agency's business continuity management, focussing on the recovery and restoration of information and communications technology (ICT) systems that are critical to an agency maintaining business continuity. Business continuity and disaster recovery planning arrangements contribute to the resilience of an agency.

The recent emergency situations have highlighted the need for agencies to have business continuity and disaster recovery arrangements in place so that they can effectively respond to these situations with minimal disruption.

There is no specific NSW Government direction that requires agencies to maintain business continuity and disaster recovery planning arrangements

NSW Treasury Policy TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector' requires agencies to maintain a risk management framework. The 'NSW Cyber Security Policy' requires agencies to maintain an approved cyber security plan, integrated with business continuity arrangements. However, there are no specific requirements or minimum standards agencies must adhere to with regards to their business continuity and disaster recovery planning arrangements.

As a result, our review considers how well agencies' business continuity and disaster recovery planning arrangements align to aspects of:

  • ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements
  • ISO 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.

In particular, we have focused on whether agencies have:

  • implemented and maintained up-to-date business continuity and disaster recovery plans
  • performed comprehensive risk assessments and business impact analysis
  • regularly tested their business continuity and disaster recovery plans
  • implemented processes to monitor and evaluate the performance of their business continuity and disaster recovery plans.

The review focussed on the state of agency business continuity and disaster recovery planning arrangements prior to the outbreak of COVID-19 in Australia. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

4.2 Policy framework

Business continuity policies have been developed

For the period 1 January 2019 to 31 December 2019, 88 per cent of agencies had developed a business continuity policy, but 18 per cent were past their scheduled review date. Business continuity policies generally include key requirements of the business continuity framework, such as the development of business continuity plans for critical business functions, performance of business impact analysis and establishment of roles and responsibilities. In addition, we found 21 per cent of agencies do not define a critical business function for the purpose of requiring a business impact assessment to be performed.

There is an opportunity for agencies to review and ensure their key resilience frameworks are aligned, so that business impacts, roles and responsibilities and recovery times are clear to stakeholders and consistent.

4.3 Assessing risks to business continuity

A key step of the business continuity management framework is to perform and document a business impact analysis (BIA). The BIA helps agencies identify critical business functions that support an agency's business objectives, including target recovery times and resource dependencies for each critical business function. The BIA should be supported by a comprehensive risk assessment to identify critical business functions.

Not all agencies have prepared a business impact analysis

Twenty-three per cent of agencies had not conducted a BIA to identify critical business functions and determine their business continuity priorities at 31 December 2019. In addition, of the agencies that had conducted a business impact analysis, 20 per cent are only performing this on an ad-hoc basis or when there is a significant change in operations, rather than at planned intervals. In particular, one agency last conducted a business impact analysis in October 2014.

We also found agencies can improve the content of their BIA. Some agencies did not include key elements that we would expect to see in a BIA, as detailed in the table below.

Elements of a business impact analysis Percentage of agencies that did not include the element in their BIA (%)
Business processes and functions deemed critical to the agency (inclusive of locations and scope of services) 3
Key IT systems used to support critical business processes and functions 6
Dependencies and interdependencies within critical business processes 6
Impact over time resulting from the disruption of these critical business processes 13
Maximum tolerable period of disruption (i.e. the time frame within which the impacts of not resuming activities would become unacceptable) 3
Recovery time objective (i.e. the prioritised time frames for resuming disrupted activities at a specified minimum acceptable capacity) 10


Source: Audit Office analysis.

Without an up-to-date and comprehensive BIA there is a risk that agencies will not be able to restore critical business functions within an acceptable timeframe. Agencies may also not know what to do in the event of a disruption if key systems and dependencies and interdependencies have not been identified, further elevating the risk that critical business functions will not be restored within an acceptable timeframe.

We are currently conducting a review on agency compliance with the 'NSW Cyber Security Policy'. This will examine, amongst other things, whether agency cyber security plans are linked to their business continuity arrangements. This review may identify further threats, risks and vulnerabilities associated with agency BIAs.

Disaster recovery plans not always prepared for IT systems that support critical business functions

We found only 81 per cent of agencies had a disaster recovery plan in place for all IT systems and infrastructure identified in their business impact analysis at 31 December 2019. The remaining agencies therefore have no plan to recover at least some of the key IT systems and infrastructure that support their critical business functions.

As noted above, 23 per cent of agencies have not conducted a BIA; for these agencies, we could not determine whether they had disaster recovery plans in place for all key IT systems.

Risks to business continuity should be re-assessed and updated

Agencies are required to maintain risk assessment processes and a risk management framework in accordance with NSW Treasury Policy TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'.

While the purpose of our review of agency business continuity and disaster recovery arrangements was not to review agency risk identification and assessment processes, we believe the recent emergency situations provide an opportunity for agencies to re-visit and update the nature, likelihood and consequence of risks impacting on business continuity and related risk treatments. For example, the COVID-19 pandemic has highlighted several new risks that agencies may not have previously captured in their risk registers or BIA, such as:

  • concentration risks associated with being dependent on certain suppliers
  • additional technology risks (e.g. ability to support a workforce working from home)
  • additional cyber risks
  • additional risks related to the delivery of key services, particularly where the agency has a citizen-facing role (e.g. being unable to open branches or provide face-to-face support).

The table below outlines some common business continuity risks reviewed during the period 1 January 2019 to 31 December 2019 and the proportion of agencies that had identified the risk and had a plan to mitigate it.

Risk Percentage of agencies that identified the risk and had a mitigation plan (%)
Natural disasters (e.g. floods, storms, bushfires and drought) 78
Health pandemic 44
Legal (e.g. insurance issues, contractual breaches, non-compliance with laws and regulations) 75
IT failure (hardware and software) and cyber attack (malware, viruses, spam, scams, phishing etc.) 92
Security (e.g. theft, fraud, online security and fraud) 92
Supply chain breakdowns (such as issues within their business or industry resulting in failure or interruptions to the services delivered) 72
Utilities and services (such as failures or interruptions to the delivery of power, water, transport and telecommunications) 78


Source: Audit Office analysis.

4.4 Business continuity and disaster recovery planning

Business continuity and disaster recovery plans should be prepared for critical business functions and key IT systems and infrastructure identified as part of the BIA process. Business continuity plans provide guidance and information to help teams to respond to a disruption and to assist an agency with response and recovery. A disaster recovery plan helps agencies maintain IT services in the event of an interruption, or restore IT systems and infrastructure in the event of a disaster or similar scenario.

Most agencies have developed business continuity and disaster recovery plans, but deficiencies in the BIA may impact their effectiveness

Eighty-eight per cent of agencies had developed business continuity plans and 81 per cent of agencies had developed disaster recovery plans for some or all of their critical IT systems and infrastructure during the period 1 January 2019 to 31 December 2019. However, there is a risk that agencies either do not have plans in place for all key business functions or IT systems and infrastructure, or do not have effective plans in place because the BIA has not captured key elements, as noted above.

We also considered how comprehensive business continuity and disaster recovery plans are. Comprehensive plans are important because they are the key documents that guide staff in the event of an interruption, disaster or crisis. They also specify the governance arrangements and reporting requirements that apply when the plan is invoked.

The results are detailed in the tables below.

Business continuity plan elements Percentage of agencies without the key element in their plan (%)
Purpose, scope and objectives 8
Roles and responsibilities 3
Actions the business continuity team (or equivalent) will take to continue or recover critical business activities within predetermined time frames, monitor the impact of the disruption and manage the agency's response to it 8
Actions to continue or recover all critical business functions 12
Resource requirements 11
Activation criteria to allow the business continuity team (or equivalent) to determine which situations warrant invocation of the plan 11
Details to manage the immediate consequences of disruption, giving due regard to the welfare of individuals, the prevention of further loss or unavailability of prioritised activities, and the impact on the environment 22
Reporting requirements (e.g. who to report to and by when) 11
Documented processes to stand down the plan and to restore and return business activities from temporary measures to 'business as usual' 20
Requirement to perform a post incident review 23

Source: Audit Office analysis.
 
Disaster recovery plan elements Percentage of agencies without the key element in their plan (%)
Purpose, scope and objectives --
Roles and responsibilities 3
Specific technology and processes that will support alternative arrangements until the IT system is recovered 9
Resource requirements 11
Activation criteria to allow the disaster recovery team (or equivalent) to determine which situations warrant invocation of the plan 6
References to key material to guide the disaster recovery team 14
Reporting requirements (e.g. who to report to and by when) 26

Source: Audit Office analysis.

Most agencies provide additional supporting material to help staff in the event of the business continuity plan being invoked

At 31 December 2019, 99 per cent of agencies had developed some supporting materials to help key staff involved in managing business continuity apply the business continuity plan in the event it is invoked. This helps staff understand their role and responsibilities and implement the key requirements of the business continuity plan, particularly when faced with the pressure of an emergency situation or other interruption.

Guidance material Percentage of agencies that provide the guidance material (%)
Procedural checklists 89
Summaries of the business continuity plan (such as a 'plan on a page') 67
Duty/role cards for key officers involved in business continuity management 75
Contact details of key staff 94

Source: Audit Office analysis.

Agencies should consider whether the current level of support and guidance provided to staff involved in managing business continuity is sufficient. Scenario testing and post incident reviews provide a useful source in understanding whether this is the case, which we explore further below.

4.5 Responding to disruptions

Actual incidents or events provide an important feedback loop on the effectiveness of current business continuity and disaster recovery arrangements. It is therefore important that agencies record incidents that led to the activation (or not) of the business continuity or disaster recovery plan. Agencies should perform post incident reviews to identify what went well and what can be improved and report the outcomes of these reviews to those charged with governance.

Agencies are not always capturing, assessing and reporting disruptive incidents

We found that an incident log of events that led to activation of the business continuity plan was maintained by only 40 per cent of agencies, and an equivalent log for the disaster recovery plan by only 63 per cent of agencies, for the period 1 January 2019 to 31 December 2019.

The absence of a log or register to record incidents where agency personnel or business units considered activating the business continuity or disaster recovery plans makes it difficult for those charged with governance to determine whether the actions taken in relation to the incident were appropriate. A log or register of incidents also enables agencies to assess trends and determine the consistency of responses, as well as enable them to maintain a complete trail of incidents (and associated records) in the event that key staff leave the agency and that knowledge is lost.

Incident logs Business continuity arrangements Disaster recovery arrangements
Incident log maintained where plan has been activated (percentage (%) of agencies) 40 63
Incident log captures events or disruptions where the relevant team has determined not to activate the plan (percentage (%) of agencies) 69* 70*

*This is calculated as a percentage of agencies that maintain an incident log.
Source: Audit Office analysis.

Our findings from a review of a sample of incidents recorded in the period 1 January 2019 to 31 December 2019 are detailed in the table below.

  Business continuity arrangements Disaster recovery arrangements
Post incident review performed (percentage (%) of agencies) 89* 95
Outcomes reported to relevant governance committee or executive management committee (percentage (%) of agencies) 82* 86*

*This is calculated as a percentage of agencies that maintain an incident register and reported an incident in the 12 month period from 1 January 2019 to 31 December 2019.
Source: Audit Office analysis.

Without performing a post incident review, agencies may not adequately capture lessons learnt from the incident, and importantly, will not continuously improve the suitability, adequacy and effectiveness of business continuity and disaster recovery arrangements. Reporting to those charged with governance is also an essential accountability mechanism that helps to ensure agency responses to incidents are consistent and appropriate.

The exhibit below provides examples of the nature of business continuity and disaster recovery incidents recorded in agency incident registers.
 

Exhibit 1: Examples of business continuity and disaster recovery incidents

Our review of agency incident logs identified the following business continuity and disaster recovery incidents.

Business continuity incidents:
  • system and network outages resulting in the inability to access multiple operational systems
  • disturbances at service centres preventing access and operation
  • Office 365 migration issues that resulted in staff unable to access their emails
  • extensive air quality issues across regional locations due to bushfires
  • power outage across regional service centres due to bushfires
  • waterproofing of the roof top created fumes within the building via the air conditioning units (the fumes were found to be non-toxic).

Disaster recovery incidents:

  • degraded network performance across multiple web-based applications
  • servers hosted by service providers were inaccessible
  • network connectivity unavailability affecting access to emails, inbound and outbound calls, application systems and internet/intranet sites
  • inability to access financial application systems
  • network infrastructure outages and unavailability of phone lines
  • servers experiencing service issues resulting in multiple web-based applications being unavailable
  • infected and hijacked servers.
Source: Audit Office analysis of agency disaster recovery and business continuity incident registers.

The recent emergencies provide an opportunity for agencies to update and refine their business continuity, disaster recovery or other business resilience frameworks

Agencies should ensure that they assess their response to the recent emergencies and update their business continuity, disaster recovery or other business resilience frameworks to reflect the lessons learnt from these events. This should capture, but is not limited to:

  • misalignment of business resilience frameworks and key indicators
  • identification of previously unidentified risks and opportunities, and strategies to mitigate the risk or exploit the opportunity
  • identification of procedural gaps in recovery, 'stand down' or other processes
  • completeness of critical business functions, key IT systems, dependencies or inter-dependencies
  • appropriateness of resources and roles and responsibilities and identifying any lack of clarity that may exist.

4.6 Scenario testing

Some agencies do not test their business continuity plans, or test them infrequently

We found 40 per cent of agencies had not conducted business continuity scenario testing exercises in the period from 1 January 2019 to 31 December 2019. This means they may not be well prepared to respond to business disruptions or incidents that arise.

We also found that agencies are not periodically testing their business continuity plans. For example, 68 per cent of agencies reported having tested their business continuity plans less than once per year on average over the period 1 January 2017 to 31 December 2019.

The table below shows how often agencies have tested their business continuity plans in the last three years from 1 January 2017 to 31 December 2019.

Number of times a business continuity scenario test was performed in the last three years Number of agencies
Three or more times 13
Two times 5
Once 12
Nil 10

Source: Audit Office analysis.

Gaps in approaches to testing business continuity plans limit the effectiveness of scenario testing

Many agencies are reliant on other parties and service providers to support critical business functions or deliver critical services to the public. This includes other government agencies, private sector service providers and non-government organisations.

We previously noted that a key element of agency BIAs is the identification of dependencies and inter-dependencies that support critical business functions. However, our review of 22 business continuity testing scenarios performed before 31 December 2019 found that 61 per cent of agencies did not ask third parties (such as NGOs), other government agencies (such as the cluster lead agency) or service providers to participate in the scenario.

Where a key third party does not participate in the testing exercise, the effectiveness of scenario testing is limited because:

  • no matter how well prepared the agency is, the third party may not be well prepared for a disruptive event should it arise, which may hinder the agency meeting its recovery time objectives
  • roles and responsibilities, communication protocols and response and recovery procedures will not have been comprehensively tested to confirm the accuracy of the business continuity plan.

While we acknowledge some government-wide emergency and crisis management exercises have been performed, business continuity scenario testing at an agency level would benefit from greater involvement of key dependent and interdependent third parties that support or perform critical business functions for agencies.

We also found the effectiveness of business continuity testing exercises was limited because some agencies:

  • did not test a high impact scenario they had identified in their business continuity plan (seven per cent)
  • did not prepare formal post-exercise reports to document the outcome of the scenario testing (seven per cent) and of agencies that did, 12 per cent did not report the outcomes of testing to a relevant governance committee.

The exhibit below provides examples of the nature of the business continuity scenario testing exercises conducted by agencies between 1 January 2019 and 31 December 2019.

Exhibit 2: Examples of business continuity scenario testing exercises

Our review of business continuity scenario testing exercises performed by agencies identified the following examples of testing exercises being performed:

  • NSW Government declaring a state of emergency as a result of a major storm that impacts building services, making the premises unsafe
  • hostage and siege situation close to office premises causing NSW Police to direct a lockdown
  • state-wide power outage between 15 to 72 hours
  • bushfire event near regional premises
  • relocation of premises to alternative premises on short notice
  • resolving a complex reputational issue arising from safety-related emergency situation following a significant accident
  • full evacuation due to a fire incident resulting in extended denial of access to the building and relocation
  • evacuation alarms triggered for no apparent reason with no cause ascertained but people are falling sick
  • relocation to alternative premises and the effectiveness of critical business functions while conducting services at alternative premises
  • water taste and odour complaints arising from algal bloom at a dam and lake that releases a toxin
  • earthquake-damaged undersea fibre cables causing a network failure
  • major power outages and loss of access to key facilities.
Source: Audit Office analysis of agency business continuity scenario testing exercises.

Some agencies have not tested the effectiveness of their disaster recovery plans

IT systems and infrastructure are an important enabling resource for maintaining continuity of critical business functions. However, we found 43 per cent of agencies had not developed and tested their disaster recovery plans within the period 1 January 2019 to 31 December 2019. Recovering IT systems is particularly problematic: they are often hosted by third parties, recovery will inevitably involve some loss of data depending on when the data was last backed up, and systems hosted in regional locations may function more slowly once service is restored.

Most agencies do not maintain a forward-looking business continuity testing plan, but many maintain forward-looking disaster recovery testing plans

Seventy-one per cent of agencies do not maintain a forward-looking business continuity testing plan for high impact scenarios identified in their BIA.

A forward-looking plan to test all high impact scenarios provides assurance to those charged with governance that each scenario will be tested within an appropriate timeframe. Testing increases the chance that, should a high impact event occur, the agency will be able to resume the critical business function within an acceptable timeframe.

  Business continuity arrangements (%) Disaster recovery arrangements (%)
Agencies that maintain a forward-looking scenario testing plan 29 76

Source: Audit Office analysis.
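The gaps described in sections 4.3 and 4.6 (BIA entries missing recovery targets, key systems with no disaster recovery plan, plans that are never or rarely exercised, dependencies whose recovery times are inconsistent) are mechanical enough to check from a register. The following is an added example, not code from the Audit Office report or from any agency: it assumes a simple in-house register layout (the `CriticalFunction`, `DrPlan` and `Finding` records, the hypothetical field names, and the one-year review and test interval are all assumptions) and runs the checks a reviewer would apply over a constructed sample register.

```python
"""Checks over a business impact analysis (BIA) and disaster recovery (DR) register.

Added example; not code from the Audit Office report. The register layout, field
names, review interval and the sample records at the bottom are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class CriticalFunction:
    name: str
    mtpd_hours: int          # maximum tolerable period of disruption
    rto_hours: int           # recovery time objective
    systems: List[str]       # key IT systems the function relies on
    depends_on: List[str]    # other critical functions it relies on
    bia_reviewed: date       # when this BIA entry was last reviewed


@dataclass
class DrPlan:
    system: str
    last_tested: Optional[date]  # None means the plan has never been exercised


@dataclass(frozen=True)
class Finding:
    function: str
    code: str       # short machine-readable reason
    subject: str    # the system, dependency or value the finding is about


def review_register(functions: List[CriticalFunction], dr_plans: List[DrPlan],
                    as_of: date, max_age_days: int = 365) -> List[Finding]:
    """Return the gaps a BIA/DR reviewer would raise, one Finding per gap."""
    by_name = {f.name: f for f in functions}
    plans = {p.system: p for p in dr_plans}
    out: List[Finding] = []
    for f in functions:
        # The recovery target must fit inside the tolerable outage window.
        if f.rto_hours > f.mtpd_hours:
            out.append(Finding(f.name, "RTO_GT_MTPD", f"{f.rto_hours}h > {f.mtpd_hours}h"))
        # BIA entries reviewed only ad hoc go stale; flag anything past the interval.
        if (as_of - f.bia_reviewed).days > max_age_days:
            out.append(Finding(f.name, "BIA_STALE", f.bia_reviewed.isoformat()))
        if not f.systems:
            out.append(Finding(f.name, "NO_SYSTEMS", ""))
        # A function cannot be back sooner than the functions it depends on.
        for dep_name in f.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                out.append(Finding(f.name, "DEP_UNKNOWN", dep_name))
            elif dep.rto_hours > f.rto_hours:
                out.append(Finding(f.name, "DEP_RTO", dep_name))
        # Every system named in the BIA needs a DR plan that has been exercised recently.
        for system in f.systems:
            plan = plans.get(system)
            if plan is None:
                out.append(Finding(f.name, "DR_MISSING", system))
            elif plan.last_tested is None:
                out.append(Finding(f.name, "DR_NEVER_TESTED", system))
            elif (as_of - plan.last_tested).days > max_age_days:
                out.append(Finding(f.name, "DR_TEST_STALE", system))
    return out


def dr_coverage(functions: List[CriticalFunction], dr_plans: List[DrPlan]) -> Tuple[int, int]:
    """(systems with a DR plan, systems named in the BIA), for a coverage figure."""
    systems = {s for f in functions for s in f.systems}
    covered = {p.system for p in dr_plans}
    return len(systems & covered), len(systems)


# Constructed sample register (assumption; not data from any agency).
SAMPLE_FUNCTIONS = [
    CriticalFunction("Payroll", 72, 24, ["HRIS", "Email"], [], date(2019, 6, 30)),
    CriticalFunction("Citizen service centres", 48, 72, ["CRM"], ["Payroll"], date(2014, 10, 1)),
    CriticalFunction("Grants payments", 120, 48, ["Finance"], ["Identity and access"], date(2019, 11, 1)),
    CriticalFunction("Identity and access", 96, 96, ["Directory"], [], date(2019, 9, 1)),
]
SAMPLE_PLANS = [
    DrPlan("HRIS", date(2019, 5, 5)),
    DrPlan("CRM", date(2018, 11, 15)),
    DrPlan("Finance", None),
    DrPlan("Directory", date(2019, 10, 10)),
]
AS_OF = date(2019, 12, 31)

if __name__ == "__main__":
    for finding in review_register(SAMPLE_FUNCTIONS, SAMPLE_PLANS, AS_OF):
        print(f"{finding.function}: {finding.code} {finding.subject}")
    covered, total = dr_coverage(SAMPLE_FUNCTIONS, SAMPLE_PLANS)
    print(f"DR plan coverage: {covered}/{total} systems")
```

On the sample register the checks raise six findings: one system with no DR plan, one function whose RTO exceeds its MTPD, one BIA entry not reviewed since 2014, one DR plan not tested within the year, one never tested, and one function that depends on another with a longer RTO than its own. The dependency check is the one most often missing from manual reviews, and it only works if the BIA records interdependencies, which is why the report treats that element as essential.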

4.7 Management review and oversight

The model audit and risk committee charter in TPP 15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector' requires agency audit and risk committees to 'review whether a sound and effective approach has been followed in establishing the agency’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically'.

Most agencies report business continuity and disaster recovery planning arrangements to their audit and risk committees, but testing outcomes are not as widely reported

Most agencies require senior management to review the key inputs of the business continuity management and disaster recovery systems at planned intervals. However, reporting to those charged with governance could be more comprehensive, as detailed in the table below.

  Business continuity arrangements (%) Disaster recovery arrangements (%)
Senior management review the key inputs of the plan at planned intervals to ensure its continuing suitability, adequacy and effectiveness 86 86
The outcomes of the management review are reported to the audit and risk committee 67* 62*
Reporting to the audit and risk committee includes:
  • variations to the scope of the business continuity management systems 61** na
  • updates to the business impact analysis, risk assessment, business continuity strategies and solutions included in the business continuity plan 64** na
  • modification of procedures and controls to respond to internal and external issues that may impact the business continuity systems 64** na
  • how the effectiveness of the controls will be measured 57** na

*    This is calculated as a percentage of agencies that perform a management review of key inputs.
**    This is calculated as a percentage of agencies that report to their audit and risk committee on the outcomes of management review of key inputs.
na    Analysis relevant to reporting of agency business continuity management arrangements only.
Source: Audit Office analysis.

Our review of a sample of agency business continuity and disaster recovery testing exercises conducted during the period 1 January 2019 to 31 December 2019 found agencies are not always reporting the outcomes of these exercises to their audit and risk committees:

  • 82 per cent of agencies reported the outcomes of business continuity scenario testing to an agency head, executive management committee or similar, but only 18 per cent reported them to the audit and risk committee
  • 86 per cent of agencies reported the outcomes of disaster recovery plan testing to an agency head, executive management committee or similar, but only five per cent reported them to the audit and risk committee.

Audit and risk committees should be briefed on the results of scenario testing exercises to discharge their responsibilities to review whether sound and effective business continuity and disaster recovery arrangements have been established and adequately address identified risks.

A review of the agency's disaster recovery and business continuity management systems should be included on the internal audit function's forward plan

A review of the effectiveness of agency business continuity management systems and disaster recovery plan was included in the internal audit plan of only 56 and 58 per cent of agencies, respectively. Internal audit reviews of these plans would provide agencies and their governing bodies assurance that there is clarity in processes, alignment of arrangements to address risks, and an optimum level of preparedness.

5. Procurement

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.


5.1 Background

The NSW Procurement Board issues policies and directions for procurement under the Public Works and Procurement Act 1912 (PWP Act). The PWP Act provides the legislative framework for procurement for NSW Government agencies. The PWP Act and the NSW Procurement Board’s policies and directions apply to all government agencies except for state-owned corporations.

Procurement of goods and services is a critical activity to enable NSW Public Sector agencies to effectively deliver services to the public. The Total State Sector Accounts for the year ended 30 June 2020 provides an overview of spend on goods and services by NSW Public Sector agencies, including:

  • $2.2 billion on contractors
  • $155 million on consultants
  • $16.9 billion on supplies, services and other services.

NSW Procurement has established an accreditation program for goods and services procurement

The Accreditation Program for Goods & Services Procurement (the Program) establishes minimum standards for agency procurement as a basis for improving procurement outcomes delivered across NSW Government. It is governed by the NSW Procurement Board and NSW Procurement administers the Program on its behalf. Agencies can attain one of two accreditation levels and each level has specific minimum requirements for accreditation and a different authority to procure.

Accredited agencies have the authority to enter into any procurement arrangement consistent with the terms of their accreditation, but exemptions for agencies may exist under some Procurement Board Directions, as identified in the NSW Government Procurement Policy Framework.

The table below sets out the accreditation status of agencies in the scope of this report.

Level of accreditation Number of agencies
Unaccredited* 21
Level 1 6
Level 2 (highest level of accreditation) 5

Note: Eight agencies excluded from the table above are exempt under the PWP Act from complying with the accreditation requirements.
* Certain unaccredited agencies may be conducting procurement activity through the cluster lead agency, which may have a level 1 or level 2 accreditation.
Source: Audit Office analysis.

We consider aspects of agency compliance with their accreditation status and the Enforceable Procurement Provisions later in this chapter.

5.2 Policy Framework

The NSW Procurement Policy Framework (the Framework) issued by NSW Procurement outlines the Procurement Board’s requirements as they apply to each step of the procurement process. The Framework is a policy under PWP Act and agencies must comply with the mandatory requirements outlined in the Framework.

Recommendation

Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

All agencies have procurement policies, but some are past their scheduled revision date

All agencies have established policies and guidance to support procurement activity and manage procurement risks. However, 17 per cent of agencies have not reviewed their procurement policies by the scheduled date. On-going review and revision of procurement policies are important to ensure they reflect best practice and incorporate current NSW Procurement Board Directions on a timely basis.

Deficiencies in agency policies may be contributing to non-compliance with the Framework

Most agencies within the scope of this report are required to comply with the PWP Act and various NSW Procurement Board Directions (the Directions). These Directions can relate to broader aspects of procurement, such as appropriate supplier conduct or narrower procurement activity, such as construction, professional services or telecommunications procurement.

The Directions are extensive, and agencies must have procurement policies that adequately capture the requirements of the Directions to support their compliance obligations and achieve the best outcomes from their procurement activity.

The table below details how well agencies’ procurement policies capture certain aspects of the Directions. Later in this chapter we highlight areas where agencies are not fully compliant with the Directions. It is likely gaps in agency procurement policies are contributing to these deficiencies.

NSW Government Procurement Policy Framework requirement Percentage of agencies (%)
Use the Whole of Government Scheme or contract to buy the goods or services needed 97
Procurements above $650,000 must be open to market unless the goods and services are exempt or procured through an existing Whole of Government Scheme or contract^  67
The procurement must be hedged if it is above $500,000 and involves paying a supplier in a foreign currency  36
The Agency Head or Cluster CFO must authorise the engagement of consultants where the proposal is not compliant with, or the supplier has not accepted the standard commercial framework  69
Any supplier can be used to purchase goods and services valued up to $10,000, but the rates must be reasonable and consistent with normal market rates  83
A purchase valued up to $250,000 can be made from a Small Business or an aboriginal supplier  78
Purchasing exemptions applicable under the International Procurement Agreements (includes health and welfare services, education services and state motor vehicles)  52
The procurement documentation required under a request for tender sourcing arrangement is specified  88
Orders must not be split to avoid procurement threshold levels and/or government requirements 89

^ The Procurement Board Direction PBD 19-05 Enforceable Procurement Provisions was effective from 29 November 2019. The estimated procurement value threshold for goods and services increased to $680,000 from 2 September 2020.
Source: Audit Office analysis.

We have previously highlighted challenges for agencies complying with the Directions in a compliance review conducted in September 2018.

Exhibit 3: Previous Audit Office Report on Procurement and Reporting of Consultancy Services (published September 2018)

The report examined how 12 agencies complied with their procurement and reporting obligations for consultancy services between 1 July 2016 and 31 March 2018 and also examined how NSW Procurement supports the functions of the NSW Procurement Board. The report found no participating agency materially complied with procurement requirements when engaging consultancy services and that the NSW Procurement Board is not fully effective in overseeing and supporting agencies' procurement of consultancy services. Agencies were not fully complying with the requirements in part due to the major advisory suppliers not consistently providing all the necessary information and agencies also reported the requirements were hard to understand, time consuming to apply and difficult to comply with.

Agency policies are not always consistent with their accreditation status, and do not address risks associated with high risk procurement, such as direct negotiations

We found agency procurement policies do not contain the level of detail that would ensure they comply with their accreditation program status. For example:

  • 55 per cent of the unaccredited agencies’ procurement policies do not specify that certain procurement activities for goods and services valued at $650,000 or higher require approval by a level 2 accredited agency in the cluster or NSW Procurement
  • 21 per cent of agencies that have level 1 accreditation program status did not specify in their procurement policies that a level 2 accredited agency or the NSW Procurement Board must concur before a procurement activity is commenced if the following risk and value thresholds are exceeded:

Risk profile Procurement value
Low risk <$50 million
Medium risk <$35 million
High risk <$25 million

Source: NSW Government Procurement Policy Framework.

Concurrence from level 2 accredited agencies or NSW Procurement helps to ensure procurement risks are being appropriately managed and deliver a value for money outcome.

Agency procurement policies did not always provide clear guidance to staff about managing the risks associated with direct negotiations and conflicts of interest. Direct negotiations are exclusive dealings between an agency and a supplier without going through a competitive process. They increase the risk of corrupt conduct in the procurement process, and they may also make it more difficult for an agency to demonstrate it has achieved value for money. The NSW Independent Commission Against Corruption has published guidelines for agencies engaging in direct negotiations.

The table below outlines the gaps in procurement policies related to direct negotiation and managing conflicts of interest.

Procurement requirements Percentage of agencies (%)
Includes guidance on procurement activity involving direct negotiations 88
Seek approval from the procurement business unit prior to proceeding with the direct negotiation 95
For members of the committee to make written declarations of any known or perceived conflicts of interest in relation to the procurement process 97
For members of the committee to provide a nil declaration where no conflict of interest exists 70


5.3 Managing contracts

Most agencies maintain a central contract register, but many are incomplete, risking non-compliance with GIPA legislation

All agencies are required to record all details of contracts above $150,000 in a central contract register. Eighty-eight per cent of agencies did so, but of these agencies, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies also did not periodically review their contract register.

The Government Information (Public Access) Act 2009 (the GIPA Act) aims to improve the transparency and integrity of the NSW public sector by requiring agencies to proactively publish information in relation to their contracts with the private sector. If an agency does not maintain a central contract register, it increases the risk of non-compliance with the GIPA Act. A centralised contract register can also enhance procurement and contract management outcomes because it:

  • allows an agency’s central procurement team to monitor contract end dates, contract extensions and commence new procurement in a timely manner
  • helps agencies manage their contractual commitments, budgeting and cash flow requirements.

We have previously identified concerns with the completeness and accuracy of contract registers maintained by agencies, and this remains an ongoing area of concern. The exhibit below details findings from a previous compliance review conducted in October 2016.

Exhibit 4: Previous Audit Office report on Agency compliance with the GIPA Act (published October 2016)

This report assessed whether 13 agencies were complying with Part 3 Division 5 of the Government Information (Public Access) Act 2009 (GIPA Act), relating to Government contracts with the private sector. All 13 agencies had published a Government contracts register, but there were instances where:
  • contracts valued at $150,000 or more were not recorded in the contracts register
  • contracts were not entered into the register within 45 working days of the contracts becoming effective
  • information recorded in the register did not agree to the contracts
  • additional information required for certain classes of contracts was not disclosed in registers.

The report found that agencies do not have a common approach as to which business unit is responsible for managing contract registers. Eight out of 13 agencies did not have their contracts register independently reviewed, and only one agency reported to the audit and risk committee on the contract register.

Some agency contracts that were renewed or extended during the year did not go through a competitive process, nor was a value for money assessment performed

While there can be valid and appropriate reasons to renew or extend a contract already executed with a supplier, it is important for the agency to demonstrate that its procurement continues to represent value for money. Poor monitoring of contract end dates can lead to contracts being renewed or extended simply to avoid service interruption, because the lead time required to plan a new procurement no longer allows proper process to be followed. Maintaining a complete and accurate contract register and monitoring contract end dates is an important aspect of managing this risk.

We reviewed 32 contracts that were renewed or extended during 2019–20. Seventy-eight per cent of agencies performed a value for money assessment prior to renewing or extending the contract with their existing supplier. However, documentation of this assessment was not always robust. For example:

  • 7 per cent of agencies did not assess or document supplier performance (including meeting customer expectations and performance against key performance indicators)
  • 21 per cent of agencies did not consider procurement arrangements or activities currently in place or planned for the future
  • 19 per cent of agencies did not perform an analysis of the current market to determine if opportunities for cost or process efficiencies were available.

Of the agency contracts examined, all were approved by an appropriate delegated authority. However, we noted one contract where the approval was obtained only for the value of the contract extension and not the total contract value.

Proper consideration of the commercial merits of renewing or extending an existing contract helps address the risk that the procurement will not meet business needs, or that agencies fail to identify potential alternative suppliers who can deliver the goods or services at lower cost and/or higher quality.

5.4 Training and support

Most agencies provide some training and support to staff on procurement activities

Ninety-three per cent of agencies provide training to staff involved in procurement activity, and 77 per cent of agencies provide this training on an on-going basis. Thirteen per cent of these agencies did not ensure their training emphasised personal accountability, probity and transparency in relation to procurement activity.

Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

  • not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
  • not obtaining approval from a delegated authority to commence the procurement process
  • procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

On-going training and awareness programs allow agencies to communicate to all staff their responsibilities and obligations in relation to procurement activities, which results in:

  • effective performance management of vendors
  • reduction in uncontrolled spend
  • compliance with procurement guidelines and directions
  • improvement in risk management processes undertaken.

5.5 Procurement activities

Most agencies have implemented procurement controls, but some unaccredited agencies did not have their procurements endorsed

We reviewed the implementation of certain procurement controls across 26 contracts valued above $650,000 that were executed in 2019–20. We noted:

  • 10 per cent of agencies procured the goods or services under a whole-of-government contract or prequalification scheme and had obtained the minimum number of written quotes required
  • 90 per cent of agencies procured the goods or services outside of a whole-of-government contract or prequalification scheme and had undertaken the open approach to market (OAM) with the minimum number of proposals obtained.

Forty-three per cent of unaccredited agencies did not have their procurement endorsed by an accredited agency within the cluster or by NSW Procurement, as required by the Framework. This is likely due to deficiencies in their current policies, as previously noted. We also noted other deficiencies in some processes across the 26 contracts reviewed, as detailed in the table below.

Activities for procurements above $650,000 Percentage of agencies  (%)
Approval obtained to commence procurement activities 97
Procurement plan developed and endorsed by the procurement business unit or equivalent 97
Final approval obtained from the delegated authority for the contract value (exclusive of GST for the total estimated spend of the entire contract) 97
Purchase order raised after the final approval was obtained and for the total value of the contract 89
Purchase order approved by a delegated authority 96
For an unaccredited agency, procurement endorsed by an accredited agency within the Cluster or by NSW Procurement 57

Source: Audit Office analysis.

Of the 26 contracts reviewed, a request for tender was issued for 21 of these contracts. The table below outlines some deficiencies in tender procurement documentation.

Procurement documentation for tender sourcing arrangements Percentage of agencies  (%)
The nature, scope and quantity of the goods and services being procured, or if the quantity is not known, the estimated quantity 100
Requirements to be fulfilled including any technical specifications, conformity certification, etc. 100
Conditions for participation including any financial guarantees 93
The evaluation criteria that will be used to assess submissions 100
Dates for the delivery of goods or supply of services 100

Source: Audit Office analysis.

Clear and complete tender documentation ensures that tender participants understand the agency’s requirements. Poor procurement documentation may result in:

  • the product or service not being delivered as required
  • offers from unsuitable suppliers or no offers because of a lack of clarity as to the agency's requirements
  • additional time and resources required to issue addenda clarifying the specification to potential tenderers during the tender process
  • multiple contract variations.

Evaluation committees were established for all the tenders noted above. Our review of documentation maintained by the evaluation committee found that:

  • 93 per cent of agencies obtained conflicts of interest declarations from the evaluation committee members
  • all agencies developed an evaluation plan
  • all agencies prepared evaluation reports that outlined the results and recommendations for awarding the tender
  • 96 per cent of agencies had the final recommendation to award the contract approved and signed off by an appropriate delegated authority who was separate from the tender evaluation process and the tender process itself.

5.6 Emergency procurement

Agencies have undertaken emergency procurement activities

NSW Procurement released the ‘COVID-19 Emergency procurement procedure’ (the procedure) to allow agencies to expedite the procurement of critical goods and services during the COVID-19 pandemic. The procedure aimed to help agencies comply with clause 4 of the Public Works and Procurement Regulation 2019 (PWP Regulation), which allows the Head of the Agency or their nominee, in an emergency situation, to authorise procurements to a value sufficient to meet that particular emergency.

As at 30 June 2020, agencies in the scope of this report had reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. The procurement activity mainly related to:

  • cleaning and hygiene supplies
  • information technology, phones and laptops to facilitate remote working and remote education
  • engagement of consultants for crisis management planning
  • site cleaning costs
  • non-contact equipment such as soap and hand sanitiser dispensers, and thermometers
  • medical supplies
  • remote working office equipment.

Implementing processes to effectively manage the procurement of critical goods and services ensures agencies are able to balance the need to act without delay and deliver the goods or services, while also maintaining adequate levels of accountability.

Recommendation

Agency procurement frameworks should be reviewed and updated to respond to emergency situations that may arise in the future. This includes:

  • updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
  • using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
  • having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

Some agencies did not establish policies or guidance to clearly communicate emergency procurement processes

Fifty-one per cent of agencies have established policies, procedures or other guidelines for emergency procurement activities. Effective communication of emergency procurement processes is critical as it ensures staff remain accountable and agencies are able to:

  • manage procurement spend as prices may be inflated during this period
  • manage fraud, corruption and conflicts of interest risks
  • prioritise procurement activities for immediate business needs
  • avoid entering into contracts on unfavourable terms and conditions.

The table below shows the gaps in the agency policies, procedures and guidelines. There is an opportunity to build this into procurement policies going forward, so agencies are better prepared for emergency situations that may arise in the future.

Key elements of the emergency procurement policy, procedures and guidelines Percentage of agencies  (%)
Defining an emergency situation as ‘an occurrence, a sudden or urgent occasion for actions’ 67
Conduct a case-by-case analysis of the proposed COVID-19 emergency procurement to assess that the procurement value is sufficient to meet the immediate needs of the emergency 78
Specify that all emergency procurement must be authorised by the Agency Head or nominated employee under clause 4 of the PWP Regulation 67
Confirm that there are available funds and seek approval from the relevant financial delegate to commit or incur expenditure 61
Report every emergency procurement authorised under clause 4 of the PWP Regulation to NSW Procurement as soon as possible 61
Having in place a process to manage real or perceived conflicts of interest 78

Source: Audit Office analysis.

Most agencies complied with the COVID-19 'Emergency procurement procedure'

Twenty-two agencies within the scope of this report had undertaken emergency procurement activities during 2019–20. Where there is an authorised emergency procurement under clause 4 of the PWP Regulation, the agency is exempt from complying with certain procurement requirements, including the requirement to achieve value for money and the principles of probity and fairness.

Although the agency does not have to undertake a value for money evaluation when undertaking emergency procurements, it still must use government resources efficiently, effectively, economically and in accordance with the law.

Ninety-six per cent of agencies had maintained a register to record decisions and authorisations associated with these activities. Sample testing of emergency procurement activity showed that most agencies also complied with key elements of the procedure and PWP Regulation, as noted below.

Compliance with aspects of the COVID-19 Emergency Procurement guideline Percentage of agencies  (%)
Documenting the assessment for the need for the emergency procurement for the good and/or service 95
Authorisation of the emergency procurement by the agency head or the nominated employee under Clause 4 of the PWP Regulation 86
Reporting emergency procurement to the NSW Procurement Board 76
Including a defined contract period that does not exceed the agency’s need to respond to the emergency 83
Including clauses in the contract that allow the agency to cease procuring the good or services once the emergency ends (may include reasonable closure payments to suppliers if contracts are terminated early) 91

Source: Audit Office analysis.

In addition, we noted 67 per cent of agencies had used standard documentation to document the criteria used for selecting suppliers and the outcome of any comparative assessment or price assessment.

Complying with the procedure helps to ensure government resources are being used efficiently, effectively, economically and in accordance with the law.

6. Delegations

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency compliance with financial and human resources delegations.

Section highlights
We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.
In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

6.1 Background

Delegations are fundamental to the operation of the NSW public sector and a cornerstone of good governance. Legislation appropriates money to Ministers and confers on them power to make decisions. Ministers may then delegate that power to another Minister, or to the officer of an authority in writing. Those delegation instruments may contain limitations within which the officer upon whom the delegation is conferred must operate. The Minister may also reserve certain decisions only to themselves. An officer cannot lawfully exercise power unless delegated to do so by the Minister responsible.

Legislative and machinery of government changes have meant delegation instruments required review and in many cases, updating. We found some delegation instruments had not been updated in years. Others could not be located. Some referred to repealed legislation or regulation, contained errors, had gaps, did not align with current funding arrangements, referred to positions that do not exist, or did not contemplate the need to sub-delegate power to a more appropriate party within cluster arrangements. Some agencies were unsure of their obligations, and incorrectly relied on their enabling legislation for authority.

The importance of delegations as a decision-making mechanism became apparent in the recent emergency situations, which required agencies to make clear and timely decisions. Clear, lawful delegations will also be necessary as agencies administer grant and stimulus programs and make investment decisions to aid in the recovery process.

In the NSW public sector, financial and human resources functions are predominantly governed by the:

  • Government Sector Finance Act 2018 - This Act confers various functions on persons or entities, and allows a Minister to delegate any of the delegable functions conferred on them under the Act. Expenditure by accountable authorities and government officers must be authorised in accordance with a delegation, a sub-delegation or the authority of a law.
  • Government Sector Employment Act 2013 - This Act, along with the Government Sector Employment Regulation 2014 and the Government Sector Employment Rules 2014, forms the legislative framework for the employment and administration of the NSW Government sector workforce. The framework encompasses various human resources functions, such as the recruitment, commencement, on-going employment and termination of staff.

Delegations help to ensure decisions are made by appropriately skilled and experienced staff and allow agencies to operate efficiently. But to be effective, delegations must be kept up-to-date, provide clear authority to decision makers and be widely communicated.

This chapter focuses on whether agencies have established valid and up-to-date delegations and, by sample testing, whether they have complied with their financial and human resources delegations.

6.2 Instruments of delegation

On 1 July 2019, machinery of government changes became effective. These changes created and abolished entities, as well as transferring staff and functions between entities. Agencies impacted by machinery of government changes should have reviewed and updated their delegations to take into account the changes in functions, roles and responsibilities.

Provisions in the Government Sector Finance Act 2018 (GSF Act) relating to budget, appropriations and Special Deposit Accounts commenced on 1 July 2019, which meant agencies needed to consider whether:

  • delegations allow it to spend money from each source of money it receives e.g. deemed appropriations, annual appropriations, cluster grants etc.
  • there is an approval to enter into financial arrangements and any corresponding required delegations
  • it is covered by transitional provisions
  • the function can be delegated and subdelegated under the GSF Act
  • the delegate / subdelegate is a permissible delegate under the GSF Act
  • the agency can operate without certain delegations; for example, an agency that, by virtue of its enabling legislation, has a working account within the Special Deposits Account may not require an expenditure delegation.

Recommendation

Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies' instruments of delegation and delegation manuals had not been updated following legislative or administrative changes, or do not have set dates for regular review

All agencies have established financial delegations to ensure employees have clear guidance and instruction to exercise their authority appropriately and effectively. However, we found:

  • 12 per cent of agencies have not reviewed their financial delegations by the scheduled date or have not set a scheduled review date
  • of the 19 agencies impacted by machinery of government changes, 16 per cent of these agencies had not updated their financial delegations to reflect the changes.

For these agencies, there is a risk that staff are inappropriately approving transactions, spending money unlawfully, or financially over-committing the agency. There is also a heightened risk that staff cannot respond to urgent situations in a timely manner, because they first need to clarify their powers.

Some financial delegation manuals did not clearly capture certain financial transactions

We found that some agencies could improve the clarity of their financial delegation manuals, as set out in the tables below. Ensuring that financial delegations manuals capture all relevant functions and clearly reference the legislation that permits the delegation helps to ensure that staff have a clear understanding of their delegated power.

Function Percentage of agencies not including in the financial delegations' manual (%)
General expenditure, with delegation of the expenditure of money (as defined in the GSF Act) covering the commitment of money for expenditure, incurring the expenditure and making the payment 2
Write off bad debts 16
Write off capital assets (e.g. plant and equipment, intangible assets and cancelled work in progress) 26

Note: The power to write off bad debts or capital assets is not specified in the Government Sector Finance Act 2018, but we consider it best practice that clear delegated authorities exist in relation to these activities. In some cases, the power to write off certain debts, or to sell or write off assets, may exist in other legislation an agency administers.
Source: Audit Office analysis.
 
Element Percentage of agencies not including in the financial delegations' manual (%)
Section of the legislation that provides the authority, power or function to the responsible Minister, Agency Head or other relevant roles 12
Section of the legislation that permits the delegation 12
Limitation applying to the delegate (by nature of expenditure) 2
Delegate (described by position name) --
Power or function being delegated --
Limitation applying to the delegate (in dollars) --

Source: Audit Office analysis.

Agencies have established human resources delegations, but some did not revisit their delegation manuals following the machinery of government changes, or have not set dates to regularly review human resources delegations

Ninety-eight per cent of agencies have a delegation manual to effectively manage the administration of the human resources function, but seven per cent of these are not supported by an instrument of delegation, meaning staff may be making decisions without delegated power. We also found:

  • 12 per cent of agencies have not reviewed their human resources delegations by the scheduled date or have not set a scheduled review date
  • of the 19 agencies impacted by machinery of government changes, 16 per cent of agencies did not update their human resources delegations to reflect the changes.

For these agencies, there is a risk that staff are inappropriately making decisions associated with the administration of staff, such as hiring decisions, determining rates of pay, and termination decisions.

Some human resources delegation manuals did not clearly capture certain functions

We found that some agencies could improve the clarity of their human resources delegation manuals, as set out in the tables below.

Function Percentage of agencies not including in the human resources delegations' manual (%)
Fill the vacant role --
Advertise the role vacancies internally and externally 8
Employment into a classification of work, and assignment to a role --
Commencement rates of pay 8
Salary increments 5
Higher duty allowance 10
Overtime 15
Acceptance of resignations 5

Source: Audit Office analysis.
 
Element Percentage of agencies not including in the human resources delegations' manual (%)
Section of the legislation that provides the authority, power or function to the responsible Minister, Agency Head or other relevant roles 13
Section of the legislation that permits the delegation 20
Limitation applying to the delegate (by nature) 5
Delegate (described by position name) --
Power or function being delegated --

Source: Audit Office analysis.

6.3 Compliance with delegations

Recommendation

Agencies should review their financial and human resources delegations to ensure they capture all key functions conferred by laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Instances of non-compliance with the Government Sector Finance Act 2018

Agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

As previously noted in section 6.2, provisions in the Government Sector Finance Act 2018 relating to appropriations commenced on 1 July 2019. When new legislation commences or is amended, agencies need to ensure that they adequately assess the impact on their operations and instruments of delegation.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Instances of non-compliance with human resources delegations identified

We reviewed compliance against agency human resources delegations for a sample of new employees. We found not all agencies are complying with their human resources delegations' manual, as detailed in the table below.

Recruitment function Percentage of agencies that did not comply (%)
Fill a vacancy, subject to the availability of funds, the merit principle and public sector recruitment policy (prior to advertising the role) 2
Advertise vacant roles in internal and external publications 7
Selection committee recommendations based on the competitive merit principles (employment into a classification of work, and assignment to a role) 7
Commencing rates of pay 12
On-going employment of employee after the probation period 47

Source: Audit Office analysis.

These exceptions increase the risk of inappropriate decisions being made in relation to the advertising of roles, the appointment of staff and their commencing pay. This indicates that staff do not have a clear understanding of their delegated powers, or that there is a lack of awareness or culture around the importance of complying with delegations in the agencies. Agencies should monitor compliance with their human resources delegations and communicate exceptions back to staff to raise awareness.

Appendices

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies


Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.