This report covers the findings and recommendations from our 2021–22 financial audits that relate to internal controls and governance at 25 of the largest agencies in the NSW public sector, excluding state-owned corporations and public financial corporations.

The agencies included in this report deliver a diverse variety of services and are exposed to numerous financial, operational and strategic risks. Effective internal controls and governance frameworks help to mitigate the likelihood of risks arising and their severity if they do.

A list of the 25 agencies included in this report is shown below in cluster groups.

The 25 agencies included in this report constitute an estimated 95% of total expenditure for all NSW public sector agencies, excluding state-owned corporations and public financial corporations. The snapshot below provides an indication of the collective size of assets, liabilities, income and expenses of these 25 agencies for the year ended 30 June 2022.

This report covers the following topics:

Our review identified sector-wide learnings that government agencies should consider in relation to their internal control and governance frameworks, which we have summarised below.

Internal and information technology controls

• Address repeat control deficiencies by ensuring:
  • there is clear ownership of recommendations arising from internal control deficiencies, with timeframes and action plans for their implementation
  • audit and risk committees and agency executive teams monitor the implementation status regularly, focusing on those actions that are past due or have deferred implementation dates.
• Ensure compliance with Treasurer's Direction TD 21-04 'Gifts of Government Property' (TD21-04) by annually certifying the accuracy and completeness of the agency's written register of gifts of government property, or attest that the agency has made no gifts.
• Review the implementation of user access controls to adequately protect the key financial and non-financial systems, focusing on the processes in place to grant, remove and monitor user access.
• Review the number of privileged users and the level of access granted to privileged users, and assess and document the risks associated with their activities. Based on this review, agencies should:
  • grant and restrict privileged user access only to staff who require that level of access to perform their role and only for the period for which they require that access
  • identify controls to address the risks associated with privileged user activity, including regular monitoring of activity logs
  • promptly remove access when it is no longer required.

Cyber security planning and governance

• Strengthen mechanisms that govern how third-party IT service providers comply with the agency's cyber security policy or plan, such as requiring:
  • compliance in standard term contracts with IT service providers
  • attestations or certifications from IT service providers confirming compliance
  • controls assurance reports relating to the IT service provider's controls around cyber security
  • the IT service provider notify the agency of any security incidents, regardless of whether they resulted in actual financial loss or breaches of information security.
• Continue to improve the agency's level of cyber maturity in the NSW Cyber Security Policy and Australian Cyber Security Centre Essential Eight Strategies to Mitigate Cyber Security Incidents frameworks to meet target levels.
• Ensure that the agency's reported level of self-assessed maturity is demonstrated by evidence, which could be verified by internal audit or an external expert.
• Continue to conduct mandatory, periodic cyber awareness training to all staff to build and support a cyber security culture, including:
  • reinforcing and improving the completion rates of staff mandatory training
  • ensuring third parties with access to the organisation's systems, such as contractors, consultants, vendors and partners are adequately trained in cyber risks
  • targeting training to certain groups of users who may be at greater risk of cyber attacks, such as procurement, payroll and executive staff
  • conducting simulated phishing exercises to test staff knowledge on responding to cyber threats. 

Engaging consultants and contractors

• Improve the design of policies to include consideration of:
  • probity requirements and conflict of interests
  • rotation of independent consultants from time-to-time
  • additional review where multiple consultants are engaged on the same topic to address the risk of opinion shopping.
• Improve policy guidelines on engaging external labour/contractors that include consideration of workforce planning and strategy, such as:
  • capability – if required specialist skills are not within the agency's core capability
  • timing of work – if unpredictable or infrequent
  • cost – if more efficient and effective to engage contractor
  • timeframes for engagement – short-term rather than long-term.
• Agencies that have re-engaged the same contractor for multiple years for the same role should periodically reassess that contract against the market before renewing the contract to demonstrate that the contractor continues to represent value for money and effectiveness in achieving performance objectives.

Employment screening practices

• Ensure compliance with the Government Sector Employment Act 2013 by screening citizenship requirements of public service employees.
• Perform credential checks for all appointments by validating educational and professional qualifications of the applicant, not just for roles which require a specific qualification.
• Non-permanent workers should be subject to the same employment screening checks as conducted for permanent workers.

Contract management

• Regularly review the completeness and accuracy of procurement contract registers to ensure compliance with the Government Information (Public Access) Act 2009.
• Establish central registers for contracts such as revenue or lease agreements.

Our report on internal controls and governance for the year ended 30 June 2021 made a number of recommendations. The table below sets out the status of those recommendations being addressed
by the relevant agencies.

High-risk findings arise from failures of key internal controls and/or governance practices of such significance they can affect an agency’s ability to achieve its objectives or impact the reliability of its financial statements. This in turn, increases the risk that the audit opinion will be modified.

We rate the risk posed by each control deficiency as high, moderate or low. The rating is based on the likelihood of the risk occurring and the consequences if it does. The higher the rating, the more likely it is that agencies will suffer losses, or its service delivery will be compromised. Our risk assessment matrix aligns with the risk management framework in NSW Treasury’s Risk Management Toolkit for the NSW Public Sector.

The number of high-risk findings has increased from last year

We identified 23 high-risk findings out of a total of 279 audit findings this year, compared to 20 high-risk findings out of a total of 338 audit findings in 2020–21. As a proportion of total audit findings, high-risk findings have also increased from 5.9% to 8.2%. Of concern were ten high-risk findings that were repeat deficiencies reported in the previous year, including two deficiencies previously reported as high-risk in 2020–21. Sixteen of the 23 high-risk deficiencies related to financial controls and seven related to IT controls.

Agencies need to address high-risk internal control deficiencies as a matter of priority.

While it is important to monitor the number and nature of deficiencies across the NSW public sector, it is also useful to assess whether deficiencies are common to multiple agencies. Where deficiencies relate to multiple agencies, central agencies or the lead agency in a cluster can help ensure consistent, timely, efficient and effective responses to identified deficiencies.

We classified the 279 internal control deficiencies we identified in 2021–22 into common categories as follows:

• financial operational deficiencies
• IT operational deficiencies
• compliance deficiencies
• governance deficiencies
• reporting deficiencies.

We assess trends in agency controls by measuring the number of internal control findings that emerged from our financial audits. We use three measures:

• number of findings
• number of new and repeat findings
• risk level of findings.

Our 2021–22 audits identified 279 internal control deficiencies, comprising:

• 204 financial related control deficiencies
• 75 IT related control deficiencies.

We reported these deficiencies to agency management and those responsible for governance at agencies, such as audit and risk committees and cluster secretaries. Our communications outline each audit finding, assess its implications, rate the level of risk and make recommendations.

The number of internal control deficiencies decreased by 17% from last year

There were 59 fewer control deficiencies identified in 2021–22. The composition of the findings showed a 30% decrease in IT findings and a 12% decrease in financial control findings, and an overall 17% decrease in repeat findings across both categories.

Background

Agencies must comply with section 5.6 of the Government Sector Finance Act 2018 (GSF Act) when making gifts of government property. Government property consists of all property held by, for or on behalf of the State or a government agency, but excludes money. A 'gift' is not defined in the GSF Act but by its ordinary meaning would include transfer of property for no or inadequate consideration. The GSF Act permits a person handling government resources to make a gift of government property only if it meets at least one of the following criteria:

• the property was acquired or produced to use as a gift
• the gift has been authorised by the Treasurer in writing
• the gift is made in accordance with the Treasurer's Directions
• the gift was authorised by or under any law.

The first category is not further defined in regulations or Treasurer's Directions, but may include awards, medals, prizes or complimentary hospitality items. The acquisition of such property would be subject to normal delegation and expenditure procedures.

Under the fourth category, agencies may expense government property for grants and subsidies in line with their operational objectives.

For the purpose of section 5.6(1)(c) of the GSF Act, NSW Treasury released a Treasurer's Direction TD 21-04 'Gifts of Government Property' which commenced on 23 April 2021. The direction authorises agencies to make a gift of government property if the agency is reasonably satisfied that the property meets all of the following criteria:

• it is genuinely surplus to the agency's requirements
• it cannot be transferred, with or without payment, to another agency which requires or can use the property
• a sale at fair value would be uneconomical.

Further, the gifted property must meet at least one of the following criteria:

• it holds historical or symbolic significance for the proposed recipient
• it holds some other special significance for the proposed recipient, and there are compelling reasons to justify the gift to that recipient
• it is a low value asset (an asset or group of assets below a total fair value of $500) and the gifting supports the achievement of a NSW government policy objective.

TD 21-04 required agencies to maintain a written register of all gifts of government property. On 5 September 2022, TD 21-04 was amended by Treasurer's Direction TD 22-27 'Amendment to TD21-04 Gifts of government property' to only require recording of gifts in the register if the gift has a fair value of over $10,000 when it is gifted. This change has allowed more gifts of government property to go unrecorded. Without recording those gifts, there is a heightened risk that agencies have inappropriately gifted government property that did not comply with the eligibility criteria.

Findings

Most agencies do not have a policy on gifts of government property

Only 20% of agencies have a policy or procedure for staff to follow in relation to gifts of government property. Although the Treasurer's Direction may be treated as a whole-of-government policy in itself, it lacks specific details for application within individual agencies.

Most agencies have not annually certified their register of gifts of government property or attested that the agency has not made any gifts

The Treasurer's Direction requires that agency heads annually review and certify the written register of gifts of government property, or attest in writing that the agency has not made any gifts. Only 16% of agencies have performed the certification/attestation, including submitting it to the agency's Audit and Risk Committee for review.

This low level of compliance may indicate a poor understanding of the scope and aim of the Treasurer's Direction.

Few agencies have recorded gifts of government property

Forty-four per cent of agencies have established a written record of gifts of government property in accordance with TD 21-04, although 55% of them have not recorded any gifts during 2021–22. In total, only 20% of agencies have made gifts of government property during the year.

Of the agencies that had gifted government property, not all have complied with the recording requirements of the Treasurer's Direction.

Only two agencies have published their registers on their websites, as required by the Treasurer's Direction.

Agencies rely on information systems to prepare their financial statements and deliver important services to the public. IT General Controls (ITGC) encompass policies, procedures and system settings, which support the effective functioning of operating system, database and application controls.

Robust IT controls are essential to support effective processes, policies and procedures for managing information systems, securing sensitive information, and ensuring the integrity and availability of agency data.

Poor IT controls increase agencies' vulnerability to the risk of:

• unauthorised access
• cyber security attacks
• fraud
• data manipulation
• privacy breaches
• information theft
• non-compliance with laws and regulations.

With the ever-increasing digital footprint of government, agencies should increase their focus on addressing IT weaknesses.

This summary provides a general indication of where control weaknesses exist. Agencies can use this information to improve the management of their overall control environments.

The following analysis is based on the IT internal control deficiencies identified at the 25 largest agencies in the NSW public sector, excluding state-owned corporations and public financial corporations. However, a number of these agencies provide IT shared services to other government agencies that may also be affected by these deficiencies. For the purposes of this report we have only identified the deficiency once at the responsible head agency.

Cyber security comprises technologies, processes and controls that are designed to protect IT systems and sensitive data from cyber attacks. The cyber security framework consists of threat identification, protection, detection, response and recovery of IT systems.

Cyber Security NSW, part of the Department of Customer Service, develops and manages the NSW Cyber Security Policy (CSP). The CSP sets out 20 mandatory requirements for agencies, including implementation of the Australian Cyber Security Centre (ACSC) Essential Eight Strategies to Mitigate Cyber Security Incidents (Essential Eight). The Essential Eight controls were developed by the ACSC to serve as a baseline set of protections for organisations to make it more difficult for adversaries to compromise a system.

Each year, agencies are required to self-assess their maturity against the CSP and the Essential Eight, and report that assessment to Cyber Security NSW. The Department of Customer Service administers the Digital Restart Fund which has allocated a total of $315 million in June 2021 towards continual uplift of agencies' cyber security maturity.

The CSP took effect from 1 February 2019, replacing the NSW Digital Information Security Policy following the Audit Office’s 2018 performance audit 'Detecting and responding to cyber security incidents'. The CSP is subject to annual review, which includes agency feedback. The current version of the CSP was issued in January 2022.

All agencies have established up-to-date cyber security plans to manage their cyber security risks which:

• were approved within the agency
• referenced the NSW CSP and the agency's risk management framework.

Except for one agency, all other agencies' cyber security plans:

• identified the key potential cyber threats, vulnerabilities and risk events that could affect the agency
• were aligned to the identified cyber risks
• set a risk appetite or target risk levels regarding cyber security that management has accepted.

Sixteen per cent of cyber security plans do not cover all of an agency's IT systems

Most agencies' cyber security plans cover all IT systems used. The remaining agencies' cyber security plans only cover crown jewels, which are critical systems, but may leave other systems relatively more exposed with less protection. The graph below shows the different coverage levels of agencies' cyber security plans.

All agencies have conducted a periodic risk assessment of cyber security risks during 2021–22. Agencies' consideration of relevant cyber risks for their business are summarised in the table below.

Sixty-eight per cent of agencies have not undertaken a process to identify digital or electronic assets that are intellectual property, such as patents, copyrighted material or trade secrets. Eleven of those agencies believe that they do not possess any intellectual property.

Twenty-four per cent of agencies have not undertaken a process to identify digital or electronic assets that are highly sensitive, such as Cabinet in confidence information, or data requiring security clearance to access, such as classified information.

All agencies report cyber risks to the board regularly, either monthly or quarterly. At a minimum, this has involved reporting of the enterprise risk register which includes cyber risk.

Third-party service providers

Agencies regularly use IT service providers to support their business operations as those vendors deliver specialised services and may offer cost savings or efficiencies. Consequently, third-party IT providers are part of the general IT ecosystem and embody certain risks that need to be managed. Being unaware of weaknesses in an IT service provider's cyber security controls means agencies may respond slowly, or not at all, to address vulnerabilities that can be exploited by threat actors to
gain access to the agency's systems, data and assets.

One example of a cyber incident at a service provider that affected a wide group of entities was the data breach at Frontier Software in November 2021¹. Frontier Software provides the widely used payroll system Chris 21, including cloud-based payroll system services. An unauthorised third-party gained access to Frontier Software's corporate network and removed a subset of data on that network. The data included personal information of client organisations' employees, including full name, date of birth, address, tax file number, banking details and superannuation information. Client employers were required to notify their affected employees (including former employees) and report the breach to regulatory bodies such as the Information and Privacy Commission NSW and Office of the Australian Information Commissioner. Although there was no reported direct financial loss from the incident, there has been reputational damage, and potential harm to individuals who may be subject to identity theft and further forms of cybercrime.

Agencies need to improve their cyber risk management relating to IT service providers

As mandated by the CSP, 96% of agencies have ensured that their cyber security policy or plan specifies that it applies to third-party service providers. However, only 80% of agencies actually specify how they monitor or ensure that service providers comply with the relevant parts of the CSP. Without detailed actions or requirements, it is difficult for agencies to address the risks relating to third-party service providers.

The table below outlines how agencies manage compliance of service providers.

Where IT service providers are required to notify agencies of security incidents, all of the agencies stipulate a timeframe of 48 hours or less from detection of the incident.

From 8 July 2022, amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) require that organisations with 'critical infrastructure assets' report cyber incidents to the ACSC within 12 hours of detection for critical incidents that have a significant impact on the availability of the asset, or 72 hours for other incidents that have a relevant impact on the asset. Given that many government agencies operate in critical infrastructure sectors as defined in the SOCI Act, such as energy, financial services and markets, health care and medical, transport, and water and sewerage, it is increasingly important that agencies ensure their IT service providers notify them of incidents.

Where breaches or incidents are identified at service providers, all agencies treat and report these in the same way as internal incidents. However, we have found that there is no consistent definition of breaches or incidents across agencies, which has resulted in very different records of the number of incidents occurring.

Incident registers

One agency has not established registers to record security incidents. Practices vary across other agencies where:

• 4% have multiple registers rather than one central register
• 21% of registers do not include attempted/blocked attacks. However, these are recorded separately, such as in security monitoring applications.

All agencies that record incidents reported that attempted/blocked attacks are monitored and reported for further assessment. However, not all are reported to the head of the agency or those charged with governance. Monitoring of attempted attacks enables entities to locate weaknesses in their processes and identify areas that are targeted by threat actors and are subject to regular attack. Those charged with governance may fail to take appropriate action to minimise the risk of future attacks if they are not made aware of these events through summary reporting or trend analysis. 

Details in incident registers need to be enhanced

We noted 96% of registers recorded detailed actions taken in response to incidents, while one agency's register only recorded whether the issue was resolved or closed. An absence of detail about the nature of the incident makes it more difficult to perform root cause analysis on the incidents and reduce the risk of the issues recurring in future.

It is important that senior management and those charged with governance appreciate the extent of the agency's risk exposure. Reporting the detail behind incidents, such as the type and number of incidents, is essential to their appreciation of the scale and gravity of the risks and informs their response to these risks.

Our review of the incident registers noted the points below.

Twelve per cent of registers were incomplete with blank fields that are expected to be remediated.

Twenty per cent of agencies recorded nil security incidents in their registers for 2021–22. As reported last year, we note again that agencies' definition of security incidents and data breaches is inconsistent. Agencies that do not disclose events such as account compromise, distributed denial of service (DDOS) attacks or data breaches to senior management and those charged with governance risk an inappropriate response to these potentially serious events.

For other agencies, the number of incidents recorded during the year ranged from two to 1,913. The percentage of incidents closed or resolved ranged from 61% to 100%. While only one agency reported a financial loss due to an incident, estimated to be under $50,000, all agencies have a responsibility to ensure the data they hold is kept secure and that reasonable steps are taken to secure the data they hold.

Control activities

All agencies have control activities in place to protect against DDOS attacks.

All agencies have conducted penetration testing and vulnerability scans for their crown jewel systems during the year, of which 72% engaged an external specialist to perform those tests.

All agencies have a patch management program including processes to:

• identify new patches or security vulnerabilities on a regular basis
• evaluate the potential impacts of the patches, test and implement authorised patches.

Two agencies do not have a formal process to periodically check and install security patches for applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers.

Agencies have unpatched applications and operating systems

Twenty per cent of agencies do not patch or mitigate applications or operating systems for 'high-risk' vulnerabilities within 48 hours, as recommended by the Essential Eight.

One agency did not regularly update its operating systems with the latest patches, and three agencies only regularly updated their crown jewel systems rather than all systems. 

Over 72% of agencies run applications and operating systems that are no longer supported by the IT service provider and are unpatched. Most agencies claim that there are mitigating controls in place or there is a plan to decommission or upgrade old legacy systems over the next two to three years. Four agencies do not have plans to decommission unsupported applications and did not have mitigating controls systematically in place.

With the reported increase in cyber fraud and online hoaxes since the COVID-19 pandemic, a small number of agencies are aware of incidents where third parties have attempted to impersonate the agency or its staff to defraud members of the public. Those agencies have alerted their customers using different mediums and also communicated to staff to be aware of phishing campaigns or targeted attacks on staff and their personal devices. These same agencies had reported nil incidents in their incident registers during the year.

Maturity assessments

This section of the report on maturity assessments covers all NSW government agencies that are required to report their self-assessed maturity ratings in implementing the CSP mandatory requirements for the 2022 financial year. Detailed assessment criteria are provided in the CSP maturity model in relation to each requirement. The CSP maturity model for the mandatory requirements uses the following scale:

1. Initial – the policy requirement is not practiced
2. Managed (Developing) – the requirement of the policy may only be performed on an ad-hoc basis and/or is not completely covering the scope of the requirement
3. Defined – the requirement is practiced on a consistent and regular basis and the relevant processes are documented
4. Quantitatively Managed – the requirement is reviewed/audited/governed on a regular basis to ensure that it is being performed as per the documented process/requirement and address any potential blockers
5. Optimised – the requirement is delivered with improved effectiveness such as through increased coverage/stakeholder involvement, automation of processes, continuous improvement and compliance requirements.

The tables below summarise the results across whole of government, with the exception of three agencies that have not provided their results as at the date of this report. The maturity assessments were due on 31 October 2022, with seven agencies receiving an approved extension. Fifteen agencies submitted late reports after 31 October 2022. The maturity data presented below are as reported by agencies. Our 2021 report on 'Compliance with the NSW Cyber Security Policy' recommended Cyber Security NSW to monitor and report compliance with the CSP by requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent. At the date of this report, Cyber Security NSW is still in the process of reviewing the self-assessments.

Maturity levels to the left of the dotted line signify the requirement has been implemented in an ad hoc manner or has not been implemented at all. Maturity levels to the right of the dotted line indicate that the requirement is practiced in at least a consistent and documented manner.

The scope of maturity assessment reporting for Essential Eight controls changed in 2022

In July 2021, the Australian Cyber Security Centre (ACSC) updated its Essential Eight maturity model to focus on using the maturity levels to counter the sophistication of different levels of adversary tradecraft and targeting, and consequently redefined a number of maturity levels². In general, the changes introduced a number of new requirements for each control and lifted the standard required to meet each maturity level, but particularly Level One.

The Essential Eight maturity model uses a four-point scale. The definitions for each maturity level are:

• Level Zero – there are weaknesses in an organisation’s overall cyber security posture
• Level One – focused on adversaries who use common tactics that are widely available and opportunistically seek common weaknesses in many targets
• Level Two – focused on adversaries that are more selective in targeting and invest in more effective tools than Level One
• Level Three – focused on adversaries who are more adaptive and less reliant on public tools and techniques, and able to invest some effort in circumventing particular targets.

The July 2021 update also included a statement that the Essential Eight are designed to protect Microsoft Windows-based internet-connected networks. Consequently, while parts of the Essential Eight may be applied to non-Windows environments (including cloud services, Linux/Unix and other operating systems), the ACSC noted that alternative strategies may be more appropriate to mitigate unique cyber threats to those environments³.

Cyber Security NSW has estimated up to 80% of the crown jewel IT systems reported by agencies are based on non-Windows infrastructure. In August 2022, Cyber Security NSW issued guidance to agencies that outlined:

• for Windows-based systems, agencies should continue applying the Essential Eight controls and report their maturity assessment in accordance with the Essential Eight maturity model
• for non-Windows systems, agencies should consider alternative mitigation strategies and guidance from the ACSC, and apply a risk-based approach in implementing the Essential Eight controls as it may not be possible to uniformly implement the Essential Eight across all systems. These agencies may apply exceptions for maturity reporting under the updated Essential Eight maturity model.

Furthermore, agencies are required to assess their cyber maturity at 30 June 2022 against both the former and current Essential Eight models. Assessment against the former model allows direct comparability with previous years and visibility on year-on-year trends.

Agencies’ self-assessed maturity levels at 30 June 2022 against the former ACSC Essential Eight maturity model have not improved

Using a consistent benchmark in the former Essential Eight model, agencies' 2022 assessments showed little change from 2021.

Of concern are the median results for maturity implementing the Essential Eight controls since 2020. The graph below shows no improvement in agencies' implementation of the Essential Eight controls in 2022 against the former model, and a decrease in median maturity for patching operating systems.

2022 maturity ratings against the updated model are even lower, given the higher standard of requirements for each maturity level. Additional requirements to meet Maturity Level One have meant that some agencies have reassessed some maturity levels to Level Zero. The Essential Eight framework requires all elements of a maturity level to be met across all systems before an entity can progress to the next maturity level. The highest rating score relates to daily back ups, which although key to restoring services, does not close vulnerabilities or prevent attackers from gaining access to systems.

Engaging consultants

In the public service, many key decisions are based on, or supported by specialist advice, typically provided by an external subject matter expert. However, this process is subject to certain risks, such as:

• the advice is not impartial or has been deliberately manipulated, causing the decision-making process to be overly focused on achieving a desired outcome
• agencies becoming over-reliant on a single provider, and the advice not having been insufficiently canvassed from other perspectives or options
• 'shopping' for a consultant who will provide the advice that supports a desired outcome rather than considering alternative or better supported views.

Consultants are a subset of 'professional services' as defined by Procurement Board Direction PBD 2021-03:

A consultant is defined as a person or organisation engaged under contract on a temporary basis to provide recommendations or professional advice to
assist decision-making by management. Generally, it is the advisory nature of the work that differentiates a consultant from other contractors.

During the year ended 30 June 2022, the top 25 government agencies covered in this report recorded $127 million in combined consultant fees.

The trend in the agencies' combined consultant fees over the last five years is set out in the graph below.

Engaging consultants

NSW Procurement manages the Procurement Policy Framework and establishes whole-of-government schemes, such as the Performance and Management Services Scheme SCM0005 (PMS scheme). The PMS scheme has a pool of suppliers prequalified to supply professional services, including consultancy, to NSW government agencies.

The PMS scheme is not mandatory, so agencies are allowed to procure services outside of this scheme. In October 2021, the Procurement Board issued a Direction PBD 2021-03 which imposed additional conditions and governance arrangements for certain engagements outside the PMS scheme.

Under the PMS scheme, procurement rules require that:

• the agency must give specific instructions in a scope of work (SOW) to the supplier
• any variations to the SOW must be made in writing
• agencies must designate which agency personnel can instruct the supplier
• suppliers must disclose conflicts of interest at the point of engagement.

While there are guidelines from a whole-of-government scheme, it is important for agencies to establish their own policies and procedures, especially for circumstances where an agency may choose to procure outside of the PMS scheme.

Agencies' policies on engaging consultants could be improved

For consultants engaged to provide independent advice, the NSW Independent Commission Against Corruption (ICAC) released a better practice guide⁴ on processes to reduce the risk of bias, conflict of interests and corruption. Agencies could improve the design of their policies in the areas below.

Engaging contractors

The Procurement Policy Framework also governs the use of contractors as a subset of suppliers. Whilst the NSW Public Service Commission has carriage of the Contingent Workforce Management Guidelines that specifies considerations around workforce management and planning, the guidelines only apply to contingent workers engaged through a labour supplier.

The Victorian Public Service Commission has published guidelines on engaging contractors⁵ more generally which highlights the benefits and disadvantages for public sector. Contractors would be suitable for work that requires specialised skills, is infrequent or unpredictable in timing, or requires independence. Disadvantages include:

• loss of capability and increased dependency on external providers
• potential employee disengagement
• additional on-costs such as extensions and overruns, and diverting internal resources for contract management
• operational restrictions. 

Agencies' policies on engaging contractors could be improved

Although all agencies have a policy on engaging external labour, whether it be in a broader procurement policy or a contingent labour policy, these could be improved in the following areas. 

Guidelines on effectively managing contractors could also be enhanced in the following areas. 

Agencies risk over-reliance on the same consultants

In reviewing agencies' top three highest paid consultants for the last five years, 60% of agencies have relied on the same consultant for at least three of those years, and 28% have relied on the same consultant for at least four of those years.

Across the sector, there is a significant reliance on the 'Big 4' professional services firms which unsurprisingly make up the top four highest paid consultants over the past five years. The graph below shows the breakdown of consultant expenses for the agencies in this report from 2018 to 2019. The 'other' category comprises over 600 consultants.

One agency did not demonstrate probity in engaging contractors who are active and former employees

Although the agency has a secondary employment policy that prohibits staff who are Australian Business Number (ABN) holders from invoicing the agency under their private business, we identified the agency had paid at least ten vendors each year from 2018 to 2022 that are linked to active employees. None of those active employees identified in the agency's vendor register had declared secondary employment or pecuniary interests.

This agency had also transacted with at least 15 vendors each year from 2018 to 2022 that are linked to former employees. Total payments each year to those vendors ranged from $4 million to $11.2 million.

In one instance, a senior officer at the agency responsible for procurement had recommended a vendor for a $10 million contract in January 2018, left the agency in April 2018 and took a manager position with the vendor in September 2018. This individual then became a director at the vendor in 2019. No declaration of conflict of interest was made while the individual was an employee or as part of the procurement process. Agency management were unable to locate key documents relating to this transaction such as the signed briefing paper, original recommendation to award the contract, and tender evaluation records.

These practices may result in non-compliance with codes of conduct or other policies, and increase the risk of fraud. Undisclosed conflicts of interests can influence or be perceived to influence decisions at the agency that compromise the objectives of the Procurement Policy Framework around value for money and fair and open competition.

Sixteen per cent of agencies reported that they have engaged contractors who are former employees of the agency. Whilst this may be appropriate in some circumstances, it is important that these relationships are disclosed for transparency.

It would be prudent for agencies to consider additional policies or conditions in employment agreements addressing probity in the procurement process for contractors linked to active or former employees to mitigate risks of:

• fraud
• theft or inappropriate use of intellectual property
• familiarity threats – where procurement proposals by former employees are approved by former colleagues, or former colleagues are responsible for managing project delivery and quality of the work of former employees.

Over 40% of agencies have re-engaged the same contractors for more than five years

Eighty per cent of agencies have engaged contractors on a recurring basis over the last five years, and 11 of these agencies have re-engaged the same contractor for five or more years. All of these agencies have re-engaged contractors for the same role or type of work, and 37% had also re-engaged contractors for different work.

The highest number of contractors who have been re-engaged by an agency was 1,913 in the last five years.

The longest period a contractor was engaged continuously at an agency ranged from 12 months to 19 years. For those agencies with contractors engaged for more than five years, only 55% of them had reassessed the contract against the market before renewing the contract. More generally, this occurred at 63% of agencies for the longest term re-engaged contractor. While there are benefits from re-engaging a contractor who has already gained experience and familiarity working with the organisation, agencies may not be achieving the best value for money if they have not reviewed the market. This risk is particularly heightened the longer a contractor has been re-engaged as technological, regulatory and other environmental developments may have occurred to bring new suppliers on the market. There is also a risk that long-term contractors are also addressing a core capability and the role would be better addressed through recruitment of a permanent staff member.

Thirty-six per cent of agencies are outsourcing work that is a core capability

In 36% of agencies, we found that the highest paid contractors have been engaged to perform work that is considered a core capability for the agency. Examples include:

• temporary placements to fill a director, executive or senior management role
• a Big 4 accounting firm engagement linked to the core functions of an agency
• ensuring legislative compliance and delivering projects that are part of an agency's core function.

At 46% of agencies, the timing of work the contractor performed was not unpredictable or infrequent. For three agencies, the nature of the contractor's work was both a core capability and the timing was not unpredictable or infrequent.

In 2022, the highest paid individual contractor earned over $599,000, which represented 0.3% of the agency's total contractor expenses for the year. This contractor was engaged in a senior management role.

In 2021 and 2020, the highest paid individual contractor was the same person in both years and earned over $609,000 and $590,000 respectively (but was not the same contractor noted for 2022). Those costs represented less than 0.8% of the agency's total contractor expenses for each year. This contractor was also engaged in a senior management role.

Employment screening is used to ensure the suitability, integrity and identity of people employed in the NSW public sector. Agencies are subject to a number of legal and regulatory requirements that are relevant to employment screening practices, including:

• the Government Sector Employment Act 2013
• the Government Sector Employment (General) Rules 2014.

Undetected employment application fraud can undermine merit-based selection and result in hiring an employee who lacks not only the requisite expertise for the role, but also basic integrity. This can have a range of detrimental effects for an agency, including health and safety risks, poorer provision of public services, and impairment of public trust and confidence.

Agencies can address employment application fraud by implementing a range of measures, including but not limited to designing a risk-based employment screening framework, assigning roles and responsibilities, improving the quality of employment screening checks and conducting checks on non-permanent workers.

The Independent Commission Against Corruption (ICAC) published a report in February 2018 on 'Strengthening Employment Screening Practices in the NSW Public Sector'. Overall agencies can improve their processes by benchmarking to this report.

Most agencies have developed their own specific policy for employment screening checks and procedures. We have noted that opportunities still exist to make these employment screening policies more comprehensive.

The rigour/extent of security and credential checks vary across agencies

Pre-employment criminal record, qualification and employment history checks verify the credentials, identity and integrity of a prospective or current employee. Most agencies perform criminal record checks with all new appointments.

Agencies that require Working With Children Checks (WWCC) for all new appointments also require these checks for their non-permanent workers such as casual staff or contractors.

Only 40% of agencies conduct credential checks for all appointments by validating the educational/professional qualifications of the applicant, while other agencies only perform the credential check if a certain qualification is required for the role description. Not all positions in NSW government require qualifications or licences. However, if an applicant has purported to possess a qualification, even if it is not required for the role, this may have formed part of the merit assessment which favoured that applicant over other candidates. Credential checks for all appointments reduce the risk of applicants gaining the role through dishonest means.

Re-screening checks ensure relevant professional credentials exist and have not expired

Of those agencies that do not conduct credential checks on all appointments, 40% will conduct these important checks on roles considered as high-risk positions only. If guidance is not clear when checks should be conducted, this may increase the risk of under-screening which may lead to employment application fraud, including internal applications and acting roles.

Nearly half of all agencies report they have experienced barriers to conducting employment screening in the last 12 months, that is, from a lack of resources or time constraints. One agency responded that due to resource pressures (criticality to filling a role, often related to safety or legal obligations), employees have been commenced prior to the completion of their criminal history screening, conditional on the eventual clearance.

Non-permanent workers

Screening and induction practices for non-permanent workers are often less stringent than for permanent employees

The ICAC report on 'Strengthening Employment Screening Practices in the NSW Public Sector' noted that, due to the nature of their engagement, non-permanent workers can pose greater corruption risks to an organisation and should be subject to the same employment screening checks as done for permanent workers. While all agencies perform screening of non-permanent workers, 48% of agencies' screening checks differ for permanent and non-permanent workers. One agency’s policy does  not require the same employment screening practices for contractors such as contingent labour. As a result, there is an increased risk that agencies will:

• fail to identify an applicant with a past history of corrupt or criminal conduct
• not identify applications with false credentials
• hire a worker with unsuitable qualifications, skills or experience
• rely on screening practices of individuals in their organisation, which may be inconsistent, ad hoc and may not access all data available for applicants.

For 28% of agencies, the human resources/people management division is not responsible for recruiting and inducting non-permanent workers. This is assigned to the business departments. For some agencies, human resources may oversee and own the process with individual hiring managers conducting recruitment and induction. For other agencies, a third-party supplier is responsible for selection and induction of contract labour. These practices can lead to inconsistent screening activities or non-compliance with policy requirements where the business departments and hiring managers are less familiar with the process. These inconsistencies may increase the risk of fraudulent applications if the individuals involved in the process are not experienced with identifying false or misleading applications, particularly when screening checks are limited or not conducted.

The NSW Government Procurement Policy Framework (the Framework) sets the following objectives: value for money, fair and open competition, easy to do business, innovation, economic development, social outcomes and sustainability.

NSW government agencies must ensure their internal policies and controls are consistent with the mandatory requirements set out in the Framework. The mandatory requirements include financial management obligations and policies relating to fraud and corruption control. However, the Framework does not provide detailed guidance for contract management. It refers to other specific guidelines and policies for different types of contracts.

The NSW Public Service Commission (PSC) developed a capability framework for use across NSW government agencies. The capability framework describes the capabilities and associated behaviours that are expected of all NSW public sector employees. Whilst the framework is recommended, it is not mandatory. NSW Procurement, in consultation with the PSC, has developed a program called the Procurement Capability Compass. The compass program is a whole-of-government procurement capability assessment tool that is aligned with the PSC’s capability framework. The compass program is designed to measure the baseline of procurement knowledge across a team by helping individual staff identify their strengths and development areas.

All agencies have a policy governing contract management that is easily accessible. Twelve per cent of these policies are overdue for review.

The Framework recommends the following points as best practice. Agencies could improve how they establish contract management plans for high value contracts.

All agencies use the PSC capability framework for position descriptions for all staff.

Seventy-six per cent of agencies use the compass program to assess the procurement capability of their staff annually.

Ninety-six per cent of agencies use a range of approaches to validate performance data which contributes towards ensuring the agency is achieving value for money. These include:

• risk reviews included as part of regular performance reviews
• risk and complexity-based approach to levels of management, frequency and reporting requirements for contracts.

All agencies' policies and procedures provide instructions on how and when contract managers should monitor and review contract performance.

All agencies maintain a central contract register, but many are incomplete risking non-compliance with the GIPA Act

The GIPA Act aims to improve the transparency and integrity of the NSW public sector by requiring agencies to proactively publish information in relation to their contracts with the private sector. If an agency does not maintain a central contract register, it increases the risk of non-compliance with the GIPA Act. A centralised contract register can also enhance procurement and contract management outcomes because it:

• allows an agency’s central procurement team to monitor contract end dates, contract extensions and commence new procurement in a timely manner
• helps agencies manage their contractual commitments, budgeting and cash flow requirements.

We have previously identified concerns with the completeness and accuracy of contract registers maintained by agencies, and this remains an ongoing area of concern.

Twenty-four per cent of agencies do not have a proactive approach to identifying issues that may be systemic. They tend to rely on self-reporting and monitoring. Agencies should conduct monitoring activities throughout the life of the contract by:

• collecting and validating relevant performance information
• regularly monitoring and rigorously reviewing contract performance
• identifying and responding to contract performance issues in a timely and effective manner
• providing regular reporting to the senior management.

Three agencies do not have a specialised contract management system

Eighty-eight per cent of agencies have a contract management system that can support effective planning for end of contracts by alerting contract managers of pending expiry dates.

One agency is in the process of implementing a system that is capable of that function.

Only 60% of all agencies' contract registers are complete

One agency did not record details of contracts over $150,000 as required by the GIPA Act.

Five agencies record all contracts regardless of dollar value, while others set lower thresholds than the mandatory $150,000, ranging from $30,000 to $50,000.

Forty per cent of all agencies’ contract registers are incomplete, with either missing contracts or missing details such as:

• contractor reference number
• contract effective/end dates
• contract category
• the manager assigned.

Sixteen per cent of agencies do not regularly review the contract register for accuracy and completeness

Most agencies' policies require the contract register to be reviewed for accuracy and completeness at least annually. Thirty-six per cent of agencies review their contract registers monthly.

For one agency, the contract register is reviewed on an ad hoc basis. There was no evidence this was done in the last financial year. A lack of periodic review has contributed to this agency's incomplete and inaccurate contract register.

Half of all agencies do not maintain registers for revenue or lease agreements

Whilst not related to the Procurement Policy Framework, it is best practice for agencies to maintain a central register for other types of contracts such as revenue/grant agreements, leases, and service level agreements (including inter-agency service agreements that do not go through a procurement process).

Only half of the agencies have central registers for revenue or lease agreements. The management and monitoring of these agreements is decentralised in most agencies and reference to these types of agreements is not included in agencies' procurement policies.

This may increase the risk of financial reporting errors if contracts are not accounted for correctly or not in the correct period. It is important for finance staff to be aware of the existence of legal agreements to understand the accounting consequences. From an operational perspective, central registers for other types of key agreements help to ensure completeness of records and monitoring of updates and obligations.

Overall, 64% of agencies have central registers for other types of agreements. One-third of the agencies do not regularly review those registers to ensure accuracy and completeness.

Compliance with GIPA Act reporting requirements

Part 3, Division 5 of the GIPA Act states that information about contracts worth more than $150,000 between agencies and private sector bodies must be recorded in a register of government contracts. A copy of an agency's government contract register is to be published on the government tenders' website.

For Class 1 contracts (value of $150,000 or more), the agency must enter the following information in the government contracts register within 45 days of the contract becoming effective.

For Class 2 contracts, further information is required.

Class 2 contracts are Class 1 contracts to which any of the following applies:

• there has not been a tender process, the proposed contract has not been made publicly available and the terms and conditions have been negotiated directly with the contractor
• the proposed contract has been the subject of a tendering process and the terms and conditions have been substantially negotiated with the successful tenderer
• the obligations of one or more parties to maintain or operate infrastructure or assets could continue for ten years or more
• the contract involves a privately financed project as defined by guidelines published by Treasury
• the contract involves a transfer or a significant asset of the agency to another party in exchange for the transfer of an asset to the agency.

Contract renewal assessments could be improved

When contracts are renewed or extended without going through a competitive process, only 76% of agencies assessed value for money before deciding to renew/extend the contract. However, only half of the agencies used a standard template for the assessment, which included consideration of all of the following:

• supplier performance (including meeting customer expectation and performance against KPIs)
• business needs (whether there is still a need for the goods and services and/or have requirements changed)
• market analysis (including analysis of how the market changed/technology advances)
• coordinated procurement arrangement (consideration of procurement arrangements or activities planned or in place that may impact the extension or renewal).

Without a standard template or guidelines, agencies may have inconsistent application of their value for money assessment.

Twelve per cent of renewals were not approved by a delegated authority. For those renewals approved by a delegated authority, 14% of agencies' approval was only for the value of the contract from the date of extension, not the total value of the contract including extension. This practice may increase the risk that approvals for contract extensions are not reviewed by the appropriate level of authority as lower value contract extensions can add up. 

Ninety-two per cent of agencies provide some training and support to staff on procurement procedures

Of those agencies that provided training in 2021–22, it was recently conducted and placed emphasis on personal accountability, probity and transparency in relation to procurement procedures. However, we noted gaps in some aspects of their procurement procedures when reviewing contracts, including:

• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services
• purchase orders were not raised and approved for the total value of the contract
• request for tender was not issued
• the evaluation plan was not signed off by the Evaluation Committee.

Ongoing training and awareness programs allow agencies to communicate to all staff their responsibilities and obligations in relation to procurement activities which results in:

• effective management and monitoring of contracts
• compliance with procurement policies, frameworks and guidelines
• improvement in risk management processes.

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.’