Report snapshot
About this report
Internal controls are key to the accuracy and reliability of agencies’ financial reporting processes. This report analyses the internal controls and governance of 26 of the NSW public sector’s largest agencies for the 2023–24 financial year.
Findings
There are gaps in key business processes, which expose agencies to risks. These gaps are identified in 121 findings across the 26 agencies—including 4 high risk, 73 moderate risk and 44 low risk findings. All four high-risk issues related to IT controls and 19% of control deficiencies were repeat issues. Thirty-five per cent of agencies had deficiencies in control over privileged access.
Shared IT services
Six agencies provide IT shared services to 120 other customer agencies. All six had control deficiencies—three of these were high risk. Four agencies provide no independent assurance to their customers about the effectiveness of their own IT controls.
Cyber security
Eighteen agencies assessed cyber risk as being above their risk appetite. Fourteen of these agencies had not set a timeframe to resolve these risks and two agencies have not funded plans to improve cyber security.
Fraud and corruption control
Agencies need to improve fraud and corruption control. Instances of non-compliance with TC18-02 NSW Fraud and Corruption Policy were identified, including gaps such as a lack of comprehensive employment screening policies and not reporting matters to the audit and risk committee.
Gifts and benefits
Management of gifts and benefits requires better governance and transparency. All agencies had policy and guidance but all had gaps in management and implementation—such as not publishing registers nor providing ongoing training.
Information Technology
Nine agencies did not effectively restrict or monitor user access to privileged accounts.
Recommendations
The report makes recommendations to agencies to implement proper controls and improve processes in relation to:
- organisational processes
- information technology
- cyber security
- fraud and corruption, and
- gifts and benefits.
Executive summary
Introduction
This report contains findings and recommendations from the Audit Office of New South Wales’ (the Audit Office) 2023–24 interim financial audits. These findings and recommendations relate to internal controls and governance at 26 of the largest state-sector agencies in the New South Wales (NSW) public sector.
The 26 agencies deliver a diverse range of services and are exposed to numerous financial, operational and strategic risks. Effective internal controls and governance frameworks help to mitigate the likelihood of risks arising and the severity of those risks if they do.
Internal controls are key to the accuracy and reliability of agencies' financial reporting processes. They ensure that key business processes are capable of producing reliable, timely and accurate financial information. An agency's internal control environment assists in the orderly and efficient conduct of its business. It provides the agency with reliable and timely management information, ensuring that it complies with relevant legislation and regulation, manages risk, avoids the misuse of public money and meets the needs of citizens.
Summary of findings
We identified gaps in key business processes that expose the agencies to a number of risks. Interim audits generated 121 findings, which were reported to the NSW government agencies. These comprise four high-risk, 73 moderate-risk and 44 low-risk findings. The high-risk findings relate to deficiencies in controls to secure information technology (IT) systems.
We have made recommendations to agencies to implement proper controls, improve their processes and reduce their risk profiles in the following areas:
- organisational processes
- information technology (IT)
- cyber security
- fraud and corruption
- gifts and benefits.
Key findings and recommendations
Agencies need to strengthen internal controls and address repeat control deficiencies
Our audits identified 121 internal control deficiencies including four high risk information technology (IT) findings. Common findings identified across multiple agencies include:
- deficiencies in key business processes such as payroll, fixed asset procurement and lease management
- incomplete or inaccurate registers or gaps in these registers
- deficiencies in complying with legislation and Treasurer’s Directions
- policies, procedures or controls no longer suited to the current organisational structure or business activities
- gaps in assessing and recording account balances in the financial statement close process.
The majority of the 23 repeat control issues relate to fixed asset management, employee leave liabilities and IT controls. Agencies need to ensure they are managing and mitigating the risks associated with leaving vulnerabilities in internal control systems unaddressed for extended periods of time.
Central agencies, or the lead agency in a portfolio group can play a lead role in helping ensure agency responses to common findings are consistent, timely and properly address the recommendations.
IT shared service providers have high risk deficiencies in their control environments, which impact multiple customer agencies
Six agencies within the scope of this report provide shared IT services to other agencies. Over 110 customer agencies rely on these service providers, including 16 of the agencies covered by this report.
Control deficiencies at shared IT service provider agencies can have a material impact on the integrity of financial data at their customer agencies. Key findings are as follows:
- Four of the six IT shared services do not seek independent assurance over the effectiveness of their control environments.
- All of the six agencies that provide IT shared services had moderate risk issues with their core IT controls, and three had high-risk issues that undermine the effectiveness of controls across their customer base.
- Four of the six shared IT service provider agencies did not follow their own standards in managing user access.
Agencies failed to effectively manage user access to key systems
Control deficiencies were identified relating to user access, and in particular, to privileged account management. Specifically:
- nine agencies did not effectively restrict privileged user accounts, or did not effectively monitor those accounts
- four agencies did not effectively configure password security for their systems. One agency avoided a cyber intrusion into its core finance system through effective password security configuration
- eight agencies failed to effectively review and revalidate user access.
Some agencies do not have adequate plans to address cyber security risks assessed to be above their risk appetites
Cyber security is an essential component of an agency’s overall control framework. Risk to the public increases as systems and data managed by government are subject to higher volumes of increasingly sophisticated cyber attacks. The 2023–24 NSW Cyber Security Policy is a risk-based approach to managing cyber security. It requires the Head of the Agency to make an annual attestation as to how the agency has assessed and managed cyber risks. We found that:
- cyber security risks are above the risk appetites for 18 of the 20 agencies that evaluated their cyber risk
- 14 of these agencies have open-ended timeframes to resolve their risks
- two agencies have not funded their plans to improve cyber security
- three agencies had not defined their cyber security training requirements or mandated annual cyber security training
- four of the 26 agencies had not provided additional cyber security awareness training to high-risk staff.
Agencies need to improve fraud and corruption control
All agencies have a fraud and corruption control framework that is in line with the NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy (the Circular), which sets out minimum requirements. We found non-compliance with the policy, including failure to:
- review the fraud and corruption control framework
- perform and document fraud risk assessments
- implement employment screening policies or address gaps in their policies
- document policy or procedures for carrying out investigations into actual or suspected fraud
- report incidents of fraud and corruption to the audit and risk committee.
Agencies' management of gifts and benefits requires better governance and more transparency
The 2022 Public Service Commission Direction (the Direction) established minimum standards (the minimum standards) to help agencies effectively manage gifts and benefits received by, or offered to public sector employees. All agencies had a gifts and benefits policy and guidance outlining obligations for agency staff in relation to gifts and benefits. However, we found gaps in the management of gifts and benefits including failure to:
- include timeframes for approval processes within their policies
- ensure gifts and benefits registers contain all necessary key fields
- publish gifts and benefits registers online
- establish and publish a statement of business ethics online
- provide on-going training, awareness activities and support to employees
- regularly report relevant information about gifts and benefits to the executive or other governance committee.
1. Introduction
1.1 State sector agencies
This report covers the findings and recommendations from our 2023–24 financial audits that relate to internal controls and governance at 26 of the largest agencies in the New South Wales (NSW) public sector, excluding state owned corporations and public financial corporations.
The agencies included in this report deliver a diverse variety of services and are exposed to numerous financial, operational and strategic risks. Effective internal controls and governance frameworks help to mitigate the likelihood of risks arising and their severity if they do.
A list of the 26 agencies included in this report is shown below in portfolio groups as at 30 June 2024.
Note: The structure and names of the agencies included in Exhibit 1 are as at 30 June 2024.
A number of Machinery of Government changes were announced through Administrative Orders, which have affected the structure and names of some agencies in the scope of this report. These are listed in the table below.
| Instrument | Description |
| --- | --- |
| Administrative Arrangements (Administrative Changes—Miscellaneous) Order (No 4) 2023 | Effective 1 July 2023, this Order changed the name of the Department of Premier and Cabinet to the Premier’s Department and transferred parts of the former Department of Premier and Cabinet to The Cabinet Office. |
| Administrative Arrangements (Administrative Changes—Miscellaneous) Order (No 6) 2023 | Effective on 1 January 2024, this Order changed the name of the Department of Planning and Environment to Department of Planning, Housing and Infrastructure, and created a new Department of Climate Change, Energy, the Environment and Water. |
1.2 Sector snapshot
The 26 agencies included in this report constitute an estimated 95% of total expenditure of all NSW public sector agencies, excluding state owned corporations and public financial corporations. That is, these agencies are within the general government sector or are public non-financial corporations.
The 'General government sector' is defined under the government finance statistics as the institutional sector comprising all government units and non-profit institutions controlled by the government. Also included are public non-financial corporations that are non-commercial enterprises primarily engaged in the production of market goods and/or non-financial services.
The snapshot below provides an indication of the collective size of assets, liabilities, income and expenses of these 26 agencies for the year ended 30 June 2024.
| Agency type | Number of agencies | Assets | Liabilities | Income | Expenses |
| --- | --- | --- | --- | --- | --- |
| Departments | 11 | 316.3 | 42.0 | 126.5 | 118.5 |
| Public non-financial corporations | 3 | 72.1 | 8.7 | 4.0 | 6.6 |
| Statutory bodies | 12 | 87.0 | 35.5 | 27.0 | 21.8 |
| Total | 26 | 475.4 | 86.2 | 157.5 | 146.9 |
Note: The reported figures above include the impact of inter-agency transactions and balances, which are eliminated at a total state sector level. Income and expenses exclude income tax and other comprehensive income.
Source: financial statements of agencies, for the consolidated entity (if consolidated).
1.3 Areas of focus
This report covers the following topics:
| Topic | Description |
| --- | --- |
| Internal control trends | All agencies are required to establish and maintain internal controls to help them to: Each year we review the design and implementation of processes and key controls at agencies. We summarised the internal control deficiencies identified during our audits. |
| Cyber security risk | Agencies are required to adopt risk management practices consistent with international standards and with the NSW Government policy. These practices help ensure that agencies identify and respond to the risks they face. We assessed whether agencies: |
| Cyber security awareness and training | Cyber security awareness training and exercises aim to make users more conscious of their responsibilities to work in a secure manner, and be less susceptible to common cyber attacks such as phishing. We assessed whether agencies are meeting the mandatory requirements of the recently revised Cyber Security Policy: |
| Fraud and corruption control | The commissioning, outsourcing of services, and the advancement of digital technology is changing government agencies' fraud and corruption risks. The law requires the public sector’s employees to act with integrity, accountability, impartiality and ensure public finances and assets are protected. We reviewed agencies’ fraud and corruption control framework, policies and practices. |
| Gifts and benefits | The Public Service Commissioner Direction No 1 of 2022 requires all NSW Public Sector agencies to have in place: The objective of a system for managing gifts and benefits is to minimise the risk that unethical or corrupt behaviour will occur. We assessed agencies’ gift and benefit policies and practices. |
1.4 Sector-wide learnings
Our financial audits identified sector-wide learnings that government agencies should consider in relation to their internal control and governance frameworks, which we have summarised below.
Internal and information technology controls
All agencies should:
- require standardised, independent reporting on the effectiveness of controls at their key IT service providers, even if these providers are other government agencies
- ensure they are aware of the systems being used within their business units, and where systems are not under the management of the central IT functions, that they are subject to an appropriate governance framework
- ensure that staff who perform key control activities, such as managing user access, are aware of the purpose of the control, and that control failures identified through periodic reviews are actively investigated
- ensure that adequate governance is in place during and after major system changes, and that access required for projects is removed once the project is complete
- ensure consistent performance of user access management processes for IT systems
- address repeat control deficiencies to ensure weaknesses in the internal controls which can be exploited are addressed.
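The user access findings above (privileged accounts not restricted or monitored, access not revalidated, project access not removed when the project ends) describe a periodic access review control without showing what one looks like when automated. The script below is an added illustration, not the Audit Office's or any agency's own tooling: it reconciles a constructed export of privileged grants against a constructed approved-access register and reports the three conditions the findings describe. The user names, roles, dates, CSV layout and the 90-day revalidation period are all assumptions.

```python
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One privileged role held by one user, as exported from the access system."""
    user: str
    role: str
    granted_on: date
    last_revalidated: Optional[date] = None  # None: never revalidated since grant
    project_end: Optional[date] = None       # set when a project justified the grant


# Constructed sample export (hypothetical format and data, not an agency's real export).
SAMPLE_EXPORT = """\
user,role,granted_on,last_revalidated,project_end
alice,sysadmin,2023-07-01,2024-05-15,
bob,db_admin,2024-01-10,,2024-03-31
carol,sysadmin,2024-02-01,,
dave,app_admin,2023-11-01,2024-02-01,
"""

# Constructed approved-access register: (user, role) pairs management has signed off.
APPROVED_REGISTER: Set[Tuple[str, str]] = {
    ("alice", "sysadmin"),
    ("bob", "db_admin"),
    ("dave", "app_admin"),
}


def _parse_date(text: str) -> Optional[date]:
    """Empty CSV fields become None; anything else must be an ISO date."""
    return date.fromisoformat(text) if text else None


def parse_export(text: str) -> List[Grant]:
    """Parse the CSV export into Grant records."""
    return [
        Grant(
            user=row["user"].strip(),
            role=row["role"].strip(),
            granted_on=date.fromisoformat(row["granted_on"]),
            last_revalidated=_parse_date(row["last_revalidated"]),
            project_end=_parse_date(row["project_end"]),
        )
        for row in csv.DictReader(StringIO(text))
    ]


def review_privileged_access(
    grants: Iterable[Grant],
    approved: Set[Tuple[str, str]],
    as_of: date,
    revalidate_every_days: int = 90,  # assumed review cadence
) -> Dict[str, List[str]]:
    """Return finding category -> sorted 'user:role' entries.

    unapproved      : grant has no entry in the approved-access register
    project_expired : project that justified the grant has ended, access still live
    not_revalidated : grant has not been confirmed within the review period
    """
    findings: Dict[str, List[str]] = {
        "unapproved": [], "project_expired": [], "not_revalidated": []
    }
    for g in grants:
        key = f"{g.user}:{g.role}"
        if (g.user, g.role) not in approved:
            findings["unapproved"].append(key)
            continue  # no approval on file; further checks are moot
        if g.project_end is not None and g.project_end < as_of:
            findings["project_expired"].append(key)
        last_confirmed = g.last_revalidated or g.granted_on
        if (as_of - last_confirmed).days > revalidate_every_days:
            findings["not_revalidated"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    result = review_privileged_access(
        parse_export(SAMPLE_EXPORT), APPROVED_REGISTER, as_of=date(2024, 6, 30)
    )
    for category, entries in result.items():
        print(f"{category}: {', '.join(entries) or 'none'}")
```

Each reported entry is something the control owner has to act on rather than just acknowledge: an unapproved grant is removed or retrospectively approved with a reason, an expired project grant is removed, and a stale grant is either reconfirmed by the role owner or removed. Keeping the decision for each entry is what turns the script's output into the evidence a periodic review is meant to produce.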
Cyber security
All agencies should:
- have an independent and robust assessment of their cyber security controls as part of evaluating whether they have risks which are outside their risk appetite
- review and prioritise cyber uplift programs and remediation of cyber security risks above the corporate and cyber security risk appetites
- prioritise requirements to meet the NSW Cyber Security Policy for the full year to 30 June 2025, including:
- mandating annual cyber security training
- tailoring focused and enhanced cyber security training for high risk staff
- completing regular phishing simulations.
Fraud and corruption control
All agencies should:
- ensure their policies comply with TC18-02 NSW Fraud and Corruption Control Policy
- document and regularly review their fraud risks
- consider the use of data monitoring programs to supplement preventative internal controls, such as segregation of duties and line management reviews
- foster a culture that supports staff reporting actual or suspected fraud and corruption by increasing the number of reporting lines that are available to staff, and publicising these options more widely
- report fraud and corruption matters to their audit and risk committees.
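The learning above recommends data monitoring programs that supplement preventative controls such as segregation of duties; the purchases and payables findings in Chapter 2 give a concrete case (purchase orders approved after the invoice had already been received). As an added example, not from the report or any agency's system, the script below runs four such monitoring rules over a constructed set of purchase orders and a constructed delegation register: the same person raising and approving an order, approval dated after invoice receipt, an approver acting above their delegation limit, and an invoice received against an order never approved. Order numbers, names, amounts, dates and delegation limits are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PurchaseOrder:
    """One purchase order with its approval and invoice milestones."""
    po_id: str
    raised_by: str
    approved_by: Optional[str]        # None: not yet approved
    approved_on: Optional[date]
    invoice_received_on: Optional[date]
    amount: float


# Constructed delegation register: approver -> financial limit (hypothetical).
DELEGATIONS: Dict[str, float] = {"mgr_ann": 50_000.0, "dir_ben": 250_000.0}

# Constructed sample orders; the comment on each says which rule it exercises.
SAMPLE_ORDERS: List[PurchaseOrder] = [
    PurchaseOrder("PO-1001", "clerk_ed", "mgr_ann", date(2024, 2, 1), date(2024, 2, 20), 12_000.0),  # clean
    PurchaseOrder("PO-1002", "mgr_ann", "mgr_ann", date(2024, 3, 3), date(2024, 3, 15), 8_000.0),    # raised and approved by same person
    PurchaseOrder("PO-1003", "clerk_ed", "mgr_ann", date(2024, 4, 10), date(2024, 4, 2), 30_000.0),  # approved after invoice received
    PurchaseOrder("PO-1004", "clerk_ed", "mgr_ann", date(2024, 5, 5), date(2024, 5, 9), 90_000.0),   # above approver's delegation
    PurchaseOrder("PO-1005", "clerk_ed", None, None, date(2024, 5, 20), 4_000.0),                    # invoiced, never approved
]


def monitor_purchase_orders(
    orders: Iterable[PurchaseOrder], delegations: Dict[str, float]
) -> Dict[str, List[str]]:
    """Return rule name -> purchase order ids that breach it.

    Detective monitoring like this does not replace the preventative control
    (the system should refuse self-approval and enforce delegations); it shows
    where the preventative control was absent, bypassed or misconfigured.
    """
    findings: Dict[str, List[str]] = {
        "segregation_of_duties": [],
        "approved_after_invoice": [],
        "outside_delegation": [],
        "unapproved_with_invoice": [],
    }
    for po in orders:
        if po.approved_by is None:
            if po.invoice_received_on is not None:
                findings["unapproved_with_invoice"].append(po.po_id)
            continue  # remaining rules need an approver
        if po.approved_by == po.raised_by:
            findings["segregation_of_duties"].append(po.po_id)
        if (
            po.approved_on is not None
            and po.invoice_received_on is not None
            and po.approved_on > po.invoice_received_on
        ):
            findings["approved_after_invoice"].append(po.po_id)
        limit = delegations.get(po.approved_by)
        if limit is None or po.amount > limit:
            findings["outside_delegation"].append(po.po_id)
    return findings


if __name__ == "__main__":
    for rule, ids in monitor_purchase_orders(SAMPLE_ORDERS, DELEGATIONS).items():
        print(f"{rule}: {', '.join(ids) or 'none'}")
```

In practice the input would be a periodic extract from the finance system and the output would go to the line manager review and, in aggregate, to the audit and risk committee; the rules themselves stay simple so that every flagged order can be traced back to one stated control requirement.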
Gifts and benefits
All agencies should:
- ensure their gifts and benefits register includes all key fields specified in the minimum standards set out in the 2022 Public Service Commission Direction (the direction) and perform regular reviews of the register to ensure completeness
- provide on-going training, awareness and support activities to employees, not just upon induction
- establish an annual attestation process for senior management to attest compliance with gifts and benefits policies and procedures
- publish their gifts and benefits registers on their websites to demonstrate their commitment to a transparently ethical environment
- regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.
1.5 Status of 2023 report recommendations
Our report on internal controls and governance for the year ended 30 June 2023 made a number of recommendations. Agencies progressed many of the recommendations, but more action is required to fully address them. The table below sets out the status of the previous year's recommendations being addressed by the relevant agencies.
| Recommendation | Current status | Status rating |
| --- | --- | --- |
| Cyber security | | |
| Agencies’ Essential Eight maturity reporting to Cyber Security NSW (CSNSW) should be measured against the latest version of the ACSC Essential Eight Maturity model. | All 26 agencies are planning to measure their compliance against the current ACSC Essential Eight. The mandatory NSW Cyber Security Policy requires reporting against the latest version in October 2024. | Partially addressed |
| As reported in both 2021 and 2022, agencies need to prioritise improvements against the NSW Cyber Security Policy as a matter of urgency. | All 26 agencies are prioritising improvements into their forward cyber security uplift programs, to meet the updated NSW Cyber Security Policy. | |
| Agencies need to do more to ensure their uplift plans deliver measurable improvements in cyber security. | One agency did not have an uplift program in progress during 2023–24. The remaining 25 agencies have plans in progress with regular reporting on improvements. | Partially addressed |
| All agencies need to: | One lead agency did not test its cyber incident response plan in 2023–24. The agency was a lead agency with one dependent agency. The remaining 25 other agencies have tested and identified learnings for their cyber incident response plans. | Partially addressed |
| Agencies should keep sufficient records to demonstrate that they are applying their cyber incident classification criteria in a consistent way. | All 26 agencies have addressed the recommendation. Refer to the example on identifying cyber incidents in chapter 4. | Fully addressed |
| Governance framework | | |
| Agencies should perform periodic assessments and reviews of their risk maturity and implement action plans. The results of the assessments should be reported to the agency's audit and risk committee for review and to track the effectiveness of action plans over time. | Twenty-four out of 26 agencies have addressed the recommendation. Two agencies have action plans in progress. | Partially addressed |
| Managing payroll and work health and safety | | |
| Agencies should update their WHS policies and procedures to include current legislative requirements, including management of psychosocial risks. | Eighteen out of 26 agencies have addressed the recommendation. Eight agencies have action plans in progress. | Partially addressed |
2. Internal control trends
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.
Section highlights
The 2024 audits identified:
- Four high-risk findings, which relate to IT controls.
- Nineteen per cent of issues were repeat issues. Repeat issues mainly related to fixed asset management, employee leave liabilities and information technology controls.
2.1 High-risk findings
High-risk findings arise from failures of key internal controls and/or governance practices of such significance that they can affect an agency’s ability to achieve its objectives or impact the reliability of its financial statements. This in turn, increases the risk that the audit opinion will be modified.
The Audit Office of NSW (the Audit Office) rates the risk posed by each control deficiency as ‘Extreme’, ‘High', ‘Moderate’ or ‘Low’. The rating is based on the likelihood of the risk occurring and the consequences if it does. The higher the rating, the more likely it is that agencies will suffer loss, or its service delivery will be compromised. Our risk assessment matrix aligns with the risk management framework in NSW Treasury’s Risk Management Toolkit for the NSW Public Sector.
Four high-risk findings reported
The Audit Office identified four high-risk findings out of a total of 121 interim audit findings:
- one agency failed to manage risks in a key system, which was being operated independently of the central IT function
- one agency inappropriately allocated high level privileged user access several times to a user who did not require it
- one agency failed to restrict privileged access during and after two system upgrades
- an attempted cyber attack on one agency's finance system was not identified and investigated.
Further details are in Chapter 3.
Agencies need to prioritise addressing high-risk internal control deficiencies.
2.2 Common findings
While it is important to monitor the number and nature of deficiencies across the NSW public sector, it is also useful to assess whether deficiencies are common to multiple agencies. Where deficiencies relate to multiple agencies, central agencies or the lead agency in a portfolio can help ensure consistent, timely, efficient and effective responses to those deficiencies.
The Audit Office identified 121 internal control deficiencies during interim audits, which are categorised as follows:
- financial operational deficiencies
- IT operational deficiencies
- compliance deficiencies
- governance deficiencies
- reporting deficiencies.
Source: Audit Office of NSW Interim audit findings.
Our management letters identified gaps in key processes at agencies
Each year we review agencies' design and implementation of key business processes and controls. We report control deficiencies to the relevant agencies for rectification in our management letters. This year, we identified the following common control deficiencies within key transaction cycles.
Common control deficiencies
The table below describes the number of common control deficiencies across agencies, the risks and risk rating, and recommendations we communicated to management and those charged with governance.
| Operational (94) | New issues | Repeat issues |
| --- | --- | --- |
| High | 4 | -- |
| Moderate | 51 | 15 |
| Low | 20 | 4 |
Source: Audit Office findings.
Four agencies had deficiencies in key payroll controls
Government agencies are a major employer in NSW. Good controls within payroll processes are essential and ensure that transactions are processed accurately, completely and promptly. We identified deficiencies in the payroll processes, which included instances where:
- Review and approval of payroll exception reports, which summarise transactions that exceed predetermined risk parameters in a single report prior to final processing, did not occur because:
- a system issue prevented generation of the report, or
- the reviewer was not available and an alternative staff member to perform the review had not been identified.
- Processing of a termination payment to an employee was unreasonably delayed. The line manager had cancelled the separation request, which triggers the termination process. The line manager subsequently left the agency before the conclusion of the termination process, which further prolonged the release of the termination payment.
- An agency transitioned into a new payroll system during the year and was unable to extract complete and accurate payroll masterfile data. The new system had generated multiple versions of the masterfile with substantially different and inconsistent results. The system parameters applied produced inaccurate outputs, excluded payroll exceptions and a manual error resulted in capturing non-agency employees within the report.
- An agency’s payroll reports were incorrectly generated by the payroll officer. For a number of employees, there were discrepancies between their agreed wage amount and their payslips. The payroll officer was unaware of the proper process to generate payroll information from the system and was using manual workarounds.
Risks
Failure to implement proper payroll processes and controls increases risks to agencies, because:
Agencies should improve controls to:
- ensure key exception reports are reviewed and approved by appropriate levels of management
- ensure staff absences do not cause delays in review and approval processes to release payments to staff
- promptly resolve issues in masterfile data
- deal with systems implementation issues and reduce reliance on manual workarounds.
Five agencies had deficiencies in key asset management controls
We identified the following internal control deficiencies in agencies’ asset management processes. Deficiencies in fixed and intangible asset processes reduce the reliability of the underlying data in asset registers. Issues noted in the management of agencies’ fixed and intangible assets included:
- componentisation of assets had not been reviewed, resulting in incorrect depreciation of the distinct components of assets
- general project codes being assigned to projects rather than specific project codes resulting in a revaluation misstatement
- timely reconciliations of asset registers to the asset management system were not being performed, and omissions of assets in the asset register were not detected
- capitalisation thresholds exceeding those nominated by NSW Treasury’s Financial Reporting Code for General Government Agencies
- stocktakes identifying that fixed assets were not labelled, or not correctly labelled, resulting in difficulty identifying them within asset registers
- assets still in use, but designated as being disposed of within the asset register.
Risks
Inadequate implementation of appropriate controls can lead to:
Agencies should improve their quality review processes over the accuracy and completeness of fixed asset data supporting the preparation of the financial statements and ensure:
- subsidiary ledgers are complete and accurate, and omissions and errors are promptly investigated and resolved. The fixed assets reconciliation should be performed and reviewed at least monthly. Discrepancies should be promptly investigated and resolved
- information presented to valuers is fit for their purposes, and has been reconciled to the general ledger and draft financial statements
- assets are clearly labelled to expedite identification and stocktakes
- the financial statement close process is in sufficient detail to identify and resolve any differences between the general and subsidiary ledgers
- that the application of a threshold is appropriate. The higher the capitalisation threshold the greater the need to assess whether expensing items beneath the threshold generates material misstatements in expenses, asset carrying values and depreciation
- estimated useful lives are regularly reviewed to avoid depreciation misstatements.
Four agencies had deficiencies in key controls over capital projects in progress
We identified the following internal control deficiencies in agencies’ accounting for capital projects in progress. Issues noted included:
- unidentified errors in recorded data and inappropriate capitalisation of work in-progress (WIP) in registers provided to external valuers
- impairment assessments had not been carried out for capitalised costs on projects long overdue for completion
- delays incurred in capitalising completed work in-progress due to staff being unfamiliar with the policies and requirements, or being unaware that the project is already completed and in use
- salaries manually allocated to capital projects using forecasted rather than actual costs. Project managers had not reviewed the source data
- project costs coded against purchase order lines that lacked sufficient detail to indicate whether the expenditure should have been capitalised or expensed
- an overhead allocation model for distributing shared costs among projects had not been developed and documented
- inconsistent review process for WIP journal entries
- payments were advanced to contractors to fund future works. Capitalisation to WIP relied on the contractors' self-declarations
- incorrect classification of cloud-based software costs at the commencement of the project as an infrastructure asset under construction.
Risk
Inadequate implementation of appropriate controls including review processes can lead to:
Agencies should:
- review capitalised WIP data to detect errors at the point the completed asset is ready for use. Completed WIP should be transferred to fixed assets registers promptly and depreciation/amortisation commenced as soon as the asset is ready for use
- perform impairment assessments on overdue and long running projects
- assess the sufficiency and effectiveness of their accounting tools to deal with the scale of projects, including the potential use of integrated project accounting software where overheads are allocated to multiple projects
- document the overhead allocation model for distributing shared costs among projects
- ensure project accounting software has sufficient work breakdown structures (WBS) to provide better data and interface with the general ledger
- implement and document appropriate review processes to ensure consistent practices and accurate and valid WIP journals are made to the respective project codes
- evaluate the risks associated with the provision of advance project payments to third parties, including the value for money principle and consider whether other funding arrangements are possible
- develop formal policies or procedures for the review of project classification (and hence capitalisation practices) at critical points, such as at project commencement and when there is a significant change in project scope. The policies and procedures should also set out the roles of each responsible party.
Two agencies had deficiencies in key controls over lease management
We identified the following deficiencies in lease management at agencies. Issues included:
- the expected end dates of leases differed between the agency’s lease extension assessment masterfile and the external property management system
- items in monthly exception reports had not been properly investigated and resolved, including:
  - instances of recurring billing lines not aligning to lease end dates, and leases with missing recurring billing line dates
- leases were incorrectly classified as ‘exempt leases’ within the exempt leases exception report and not accounted for properly
- carpark leases were incorrectly included as a ‘non-lease component’
- formal notification had not been provided to a lessee of a lease modification.
Risk
Inaccurate and inconsistent data within lease management systems increases the risk of misstatement. Failure to properly understand changes to lease terms and the contractual requirements of both parties increases the likelihood of disputes and misunderstandings between the contracting parties and misstatements within the financial statements.
Agencies should:
- ensure all month end lease exception reports are properly assessed, and exceptions explained and investigated on a timely basis
- implement progress status reporting with external parties to ensure issues are reported and resolved in a timely manner
- ensure requirements of leases are properly executed so that any change in a lease is binding on both parties, and there is a basis upon which to account for the lease modification or reassessment.
Three agencies had deficiencies in key controls over purchases and payable processes
We identified deficiencies in the purchases and payable process of the agencies. Issues included:
- purchase orders approved after the invoice had already been received
- gaps in identifying, estimating and recording the underlying activity data used to calculate subsidy income.
Risk
Delays in approving purchase orders may result in agencies making inappropriate, unauthorised or fraudulent payments. Inaccurate underlying activity data may lead to the over or underpayment of subsidies, increasing the risk of foregone income, repaying overpayments and misstatements within the financial statements.
Agencies should implement processes to:
- ensure that a purchase order is raised and approved by an appropriate delegate upon execution of a contract and prior to the delivery of the goods or the commencement of the service
- identify, estimate and accurately record the underlying activity data so that the related revenue is appropriately recognised and received.
Four agencies had deficiencies in key reconciliation controls over general ledger balances
We identified the following deficiencies in the general ledger reconciliation process of the agencies within this report:
- a policy on general ledger reconciliation has not been reviewed since 2020
- a number of account reconciliations were:
  - not prepared on a timely basis
  - prepared, but not reviewed and approved
  - prepared and reviewed, but after the due date
  - approved only after significant delays following review
  - not supported by proper documentation.
Risk
Key policies and procedures that are out of date may no longer describe current positions or practices, be irrelevant to the staff responsible for processes, or result in observation of the control becoming irregular. Delays preparing, reviewing, and approving reconciliations can increase the risk of not detecting unauthorised, inappropriate or fraudulent transactions. Lack of appropriate supporting documentation may prevent management from identifying inappropriate balances or reconciling items. Not resolving reconciling items increases the risk of misstatements within the financial statements.
Agencies should:
- review policies and procedures at least annually and ensure they align with current agency positions and structures and support proper processes
- review and update procedures and controls to ensure the timely completion, review and approval of reconciliations, including the investigation and resolution of reconciling items
- ensure supporting documents are included with the reconciliations presented to senior staff for review and approval. Supporting documents should give the approving staff enough detail to inform a thorough review.
Agencies continue to report excessive annual leave balances
NSW Treasury guidelines stipulate that annual leave balances exceeding 30 days are excess annual leave balances. The state’s leave policy, Circular C2020-12 Managing Accrued Recreation Leave Balances, requires agencies to manage accrued recreation leave and requires agency heads to make reasonable attempts to keep employees’ accrued recreation leave balances to no more than 30 days, to maintain the physical and mental health of their workforce. Some staff had accrued between 31 and 202 days of annual leave.
Risk
Failure to manage excessive recreation leave may result in:
Agencies should continue monitoring and managing excessive annual leave balances by establishing individual management plans for staff to reduce excess annual leave balances within an acceptable timeframe.
Thirteen agencies had deficiencies in information technology controls
Control deficiencies were noted relating to IT governance, user access administration, program change and computer operations. Refer to Section 3 of this report for further details.
Common compliance deficiencies
The table below describes the number of common compliance deficiencies across agencies, including their risk rating and the number of repeat deficiencies.
| Compliance (5) | New issues | Repeat issues |
|---|---|---|
| High | -- | -- |
| Moderate | 2 | -- |
| Low | 3 | -- |
Source: Audit Office findings.
Two agencies had deficiencies in management of contract registers
We identified the following internal control deficiencies in agencies’ management of contract registers. Issues noted included:
- a number of contracts with contract value above $150,000 were not disclosed in the contract register published on the eTendering website, as required by the Government Information (Public Access) Act 2009 (GIPA Act)
- a number of contracts with contract value above $150,000 were not included in the internal contract register
- some contracts in the register lack supporting documentation to demonstrate procurement assurance was obtained as per the agency’s procurement framework
- contract management plans were not available for some contracts in the register.
Risk
There is an increased risk of:
Agencies should:
- ensure the contract register is maintained and disclosed according to the requirements of GIPA Act and regularly reviewed to identify, monitor and report the financial impacts in the financial statements
- maintain contract management plans and/or checklists for all contracts in line with the procurement framework.
Three agencies did not fully comply with legislation and Treasurer Circular
We identified internal control deficiencies in agencies’ compliance with legislation and Treasurer Circular. Issues included:
- Some agencies received legal advice in 2016 questioning whether they are legally empowered to recover surcharges on card payments as required by Treasury Circular TC18-18 ‘Agency recouping of merchant interchange fees’. These agencies recovered merchant fees plus the Goods and Services Tax (GST) on credit and debit card payments, as well as on online payment services such as PayPal and PayID. No updated legal advice had been sought to clarify the legality of these charges.
- Cluster grant payments of an agency to a statutory corporation, which operates a special deposit account (SDA), did not receive appropriate approval under the Government Sector Finance Act 2018 (GSF Act). As these cluster grants were payments to an SDA, they constitute a payment out of the consolidated fund and therefore required approval by a delegated officer under the GSF Act. Legal advice was obtained to confirm the appropriate treatment.
Risk
Failure to comply with legislation and Treasurer Circulars may result in:
Agencies should:
- Clarify the legality of current practices and monitor possible and identified compliance breaches for potential implications, including financial reporting. Staff should include any non-compliance in certifications and / or representation letters. Resolution may require specific discussion with the agencies' risk, compliance, and legal teams.
- Implement processes to ensure appropriate approvals are sought for all payments out of the consolidated fund.
Common governance deficiencies
The table below describes the number of common governance deficiencies across agencies, including their risk rating and the number of repeat deficiencies.
| Governance (12) | New issues | Repeat issues |
|---|---|---|
| High | -- | -- |
| Moderate | 1 | -- |
| Low | 10 | 1 |
Source: Audit Office findings.
Seven agencies had deficiencies in their policies and procedures
We identified the following internal control deficiencies in agencies’ policies and procedures. Issues included:
- key policies and procedures past their scheduled review dates
- control gaps in fraud and corruption policy and processes, such as:
  - fraud control activities not included
  - policies not reviewed within the last two years
  - training not provided to all employees, and in particular to those in high risk roles, within the last two years
  - internal audit programs not including a review of fraud and corruption control or fraud identification
- control gaps in gifts and benefits policy and process, such as:
  - risks specific to the agency were not identified
  - no formal documentation of actions or steps when breaches by staff are detected
  - lack of clarity on the timeframe to declare gifts and benefits
  - missing information in the register
  - training not included in the induction process for new staff
- control gaps in legislative compliance policy and process, such as:
  - lack of legislative updates on the register
  - no evidence of periodic review and approval of the register
  - access to the register is not restricted
  - attestation of the agency’s compliance with legislative requirements is not supported by formal signoff.
Risk
There is an increased risk of:
Agencies should:
- update any outdated policies and procedures and implement processes to track policies and procedures nearing their review date so they can be followed up, updated and approved by the respective owners
- regularly report to senior management on overdue policies and policies past their scheduled review dates to facilitate accountability over the process
- ensure periodic reviews of the fraud and corruption control framework are undertaken, fraud and corruption training is provided to all employees and a fraud risk assessment is completed
- incorporate a timeframe in the gifts and benefits policy in relation to staff declarations, approval of the declarations and updating of the gifts and benefits register
- assess and include relevant information within the gifts and benefits register to ensure completeness, accuracy and transparency
- ensure compliance with legislative obligations, update and review changes to the compliance register, formally sign off attestations, and restrict access to the register to authorised staff.
Common reporting deficiencies
The table below describes the number of common deficiencies identified in the draft financial statements prepared by agencies at early close, including their risk rating and the number of repeat deficiencies.
| Reporting (10) | New issues | Repeat issues |
|---|---|---|
| High | -- | -- |
| Moderate | 2 | 2 |
| Low | 5 | 1 |
Source: Audit Office findings.
One agency's data integrity deficiencies were identified in the long service leave triennial review
The Crown recognises the Long Service Leave (LSL) liability for the Crown Funded LSL Agencies and the Agency Funded Crown LSL Pool members in its financial statements. To determine the LSL liability and annual leave and long service leave on-cost factors, NSW Treasury appoints an actuary to determine a shorthand valuation approach to calculate LSL expense and liability according to AASB 119 Employee Benefits. This process occurs every three years and relies on agencies providing complete and reliable individual employee data.
In the 2020–21 audit, we identified and reported several data integrity issues to management.
During the 2023–24 interim audit, we identified the following deficiencies in the long service leave review process, which have been reported to management. The deficiencies were:
- Inconsistencies between the employee start dates in the payroll master file and the leave liability report, which is used to accumulate the LSL liability. Employees who had started as casuals had initially been recorded as ‘casual’ but some had converted to permanent. The initial status as ‘casual’ generated multiple versions of the start date in payroll reports for those employees.
- One agency extracted the triennial review data approximately one week before the date specified by the Treasury. The early extraction generated larger than expected variations between the extracted data and the source data in the agency’s systems.
Additional reconciliations and investigations were required to resolve these issues, resulting in delays finalising management’s review.
Risk
Inaccurate and inconsistent employee and long service leave data in key payroll systems increase the risk of:
The agency should:
- conduct a systematic review of inconsistencies in leave entitlement start dates between the payroll master file and other source systems
- follow NSW Treasury’s instructions noting data extraction cut-off dates.
Three agencies did not assess the proper accounting treatments for balances
The NSW Treasury has mandated early close procedures for all NSW government agencies. This includes a requirement to assess compliance with relevant accounting standards.
We identified the following deficiencies in agencies’ accounting assessments:
- One agency failed to perform an assessment on new and modified revenue contracts at the individual revenue stream level to determine whether they should be accounted for under AASB 15 Revenue from contracts with customers or AASB 1058 Income of Not-for-profit entities.
- One agency failed to present or disclose restricted balances in its financial statements to reflect the assets under its control. The agency had not formally documented how these balances should be accounted for or disclosed within their financial statements.
- One agency had three properties valued at $5.4 million classified as ‘non-current assets held for sale’ and measured at fair value less costs to sell. The responsible minister had not approved the sale of the properties and the agency had not yet engaged an agent to sell them. The agency had no documented rationale for its accounting treatment.
Risk
There is an increased risk of:
Agencies should:
- ensure the accounting standards are applied to the transactions and balances appropriately and consistently within the financial statements
- document their review of the accounting treatment of transactions and balances and ensure that documentation is available to support the assessment.
Four agencies did not review the property, plant and equipment valuation reports in sufficient detail
The property, plant and equipment balances are financially significant to the NSW government financial statements. NSW Treasury mandates that assets are recorded at fair value. Management needs to assess the fair value of its property, plant and equipment at each balance date. This assessment requires management to exercise judgement and make certain assumptions, which underpin key estimates in the valuation process. Often, this requires the assistance of a qualified valuer.
NSW government agencies are required to perform and document their fair value assessments of non-financial assets as part of their early close procedures. NSW Treasury guidance TPG23-09 Guidance when performing valuations of physical non-current assets states agencies should review at minimum:
- methodology and assumptions made by valuers for consistency with instructions provided
- assets covered by the report for completeness and accuracy (by comparing to the original list provided to the valuer)
- reasonableness of inputs and assumptions used by valuer
- where an index movement is a valuation input, investigate the reasons for and appropriateness of major changes.
In addition, management should ensure that restrictions have been properly considered and reflected in valuations in accordance with TPP21-09 Valuation of Physical Non-Current Assets at Fair Value.
We identified the following internal control deficiencies in agencies’ processes to conduct periodic comprehensive asset valuations and annual fair value assessments of property plant and equipment, which included:
- An agency engaged an independent valuer to perform a comprehensive revaluation on its heritage and cultural assets. The comprehensive valuation report did not:
  - include seven assets
  - evidence the sighting of nine assets
  - include a unique identifier for 239 assets, limiting the ability to reconcile to the fixed asset register at the individual asset level
  - provide a valuation policy for the asset type
  - provide evidence for the basis of the fair value hierarchy allocation
  - support the inputs used to determine costs.
- An agency engaged an independent valuer to perform a comprehensive revaluation assessment for its commercial and community properties. Management failed to provide key information such as floor space and formal lease agreement to the valuer.
- An agency engaged an independent valuer to perform a desktop valuation assessment for its land and buildings. There was limited documentation evidencing management’s review of the external valuation reports including whether the methodology and assumptions made by the valuers were appropriate to the asset class, and that the work performed by the valuer was consistent with management’s instructions.
- The carrying value of an agency's property, plant and equipment used depreciated historical cost, as the agency applied the exemption within the TPP for non-specialised, short-lived assets. As some of the assets had long useful lives and were specialised, the use of this exemption was not appropriate.
Risk
The risk of misstatement in the financial statements increases where:
Agencies should:
- review their fixed asset policy to ensure it is consistently and appropriately applied to its property, plant and equipment
- review the valuation reports to see if valuers’ findings are consistent with the nature of the agency’s assets and operations
- assess the appropriateness of the methodology, key assumptions and judgements adopted in the valuation
- ensure underlying data is complete and accurate
- check the validity of assumptions about market sensitivities used by the valuer
- assess the fair value movements and investigate unexpected changes
- ensure that any restrictions attached to the property have been properly considered
- document management’s review. Matters identified during management’s review should be discussed with the valuer and documentation retained evidencing how they were addressed.
2.3 Trends in findings
The Audit Office assesses trends in agency controls by measuring the number of internal control findings identified during interim audits. Three measures are used:
- number of findings
- risk level of findings
- number of new and repeat findings.
Our 2023–24 audits identified 121 internal control deficiencies, comprised of:
- 36 financial related control deficiencies
- 68 IT related control deficiencies
- 17 other control deficiencies.
We communicated these deficiencies, outlining each audit finding, its implications, the level of risk posed to the agency and our recommendations.
Deficiencies in financial and other controls increase the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.
IT control deficiencies are detailed further in Chapter 3.
Risk levels of internal control findings
The graph below shows the risk ratings of reported control deficiencies.
Source: Audit Office findings.
Repeat internal control gap findings represent 19% of all findings
Unresolved deficiencies from prior years represent 19% of all internal control deficiencies.
Source: Audit Office findings.
The graph below shows the ageing of reported control deficiencies.
Source: Audit Office findings.
Fourteen of the findings reported in 2023–24 had been repeated for at least two successive years.
Vulnerabilities in internal control systems can be exploited by internal and external parties and pose a threat to agencies. The longer these vulnerabilities exist, the higher the risk that they will be exploited and the higher the expected losses. Agencies should prioritise the resolution of these vulnerabilities by ensuring:
- there is clear ownership of the recommendations raised in respect of internal control deficiencies, including timeframes and action plans for their implementation
- agency executive teams monitor the implementation status regularly, focusing on those actions that are past due or have deferred implementation dates
- progress on actioning recommendations is reported regularly to audit and risk committees.
3. Information technology controls
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.
Section highlights
- Four of the six agencies that provide shared IT services do not obtain independent assurance over the effectiveness of, or deficiencies in, their control environment, and so cannot provide such assurance reports to their customers.
- All six shared service providers had moderate risk issues with their core IT controls, and three had high risk issues, which undermine the effectiveness of controls across their customer base.
- Four of the six agencies that provide shared IT services to other agencies did not follow their own standards in managing user access.
- One agency had failed to manage a key system as it was being operated independently of the central IT function.
- Nine agencies did not effectively restrict privileged user accounts, or did not effectively monitor those accounts.
- Four agencies had not effectively configured password security on their systems. One agency avoided a cyber intrusion into its core financial system because it had implemented these controls effectively.
3.1 Background
Agencies rely on information technology (IT) systems to prepare their financial statements and deliver services to the public. The use of IT introduces risks to the integrity of information used in financial reporting, and to agency operations.
Risks to the integrity of information used for financial reporting include:
- unauthorised access to data that may result in destruction of data or improper modification
- unauthorised changes to IT applications or other aspects of the IT environment that undermine the integrity of processing or reporting of transactions
- inappropriate manual intervention that bypasses established checks and reviews
- potential loss of data or inability to access data as required.
Operational risks include:
- inability to continue operations or to deliver services, for example due to system outages or denial of service attacks
- theft of data, such as through ransomware attacks
- fraudulent transactions or payments made through IT systems
- failing to protect the security of personal or sensitive information
- non-compliance with laws and regulations.
IT controls are the policies and processes that mitigate the risks arising from the use of IT. Effective and robust controls are the most reliable way to mitigate these risks, and government agencies are required, under the Government Sector Finance Act 2018, to establish, maintain and keep under review:
- effective systems for risk management, internal control and assurance (including by means of internal audits) that are appropriate systems for the agency
- arrangements for protecting the integrity of financial and performance information.
Source: GSF Act 2018 s 3.6(1)(b).
This section summarises our observations across common financial system IT controls for the 26 agencies in scope for this report.
3.2 IT shared services
Many business and IT functions are provided on a shared services model, meaning that one agency operates a process or IT platform that is used by other agencies. These services are shared by several agencies (‘customers’), but generally operated and managed by one agency or department (‘providers’).
Twenty-two of the 26 agencies within the scope of this report are either customers or providers of IT shared services.
Advantages of relying on other agencies for these functions include:
- economies of scale and reduced cost per person or transaction through centralisation of common processes for agencies with a similar culture, risk and industry
- reduced duplication of functions and processes across agencies
- potential for reduced disruption from some Machinery of Government changes.
The risks of interagency service reliance include:
- Issues and problems could become pervasive across the dependent agencies. Three of the four high risk issues identified this year relate to systems that are provided as a shared service to other agencies.
- Lack of visibility over control deficiencies or incidents that occur at the shared service provider, but impact the data belonging to the (customer) agency.
- Generalisation and loss of specialist and specific agency knowledge.
- Lack of clarity for what services are provided and service levels for customers.
- Lack of clarity of responsibilities between providers and customers.
- Additional governance, accountability and assurance processes are required to ensure delivery of high performing services.
- Uncertainty of governance and accountability when agencies are reorganised due to Machinery of Government Changes.
These benefits and risks depend on how the agencies relate, their performance and the governance of the services. Formally documented agreements help to clarify expectations and responsibilities for all parties, whether between separate agencies or between divisions of the same government department. In practice, different models are used in the management of IT services within NSW government. We have included the relationships among the 26 agencies in scope for this report, and cases where payment for corporate IT services is made between these agencies.
Organisation of IT services in large NSW agencies
There are six agencies in the scope of this report that are providers of IT shared services to other agencies. Between them, there are over 110 customer agencies relying on these services, including 16 of the agencies within the scope of this report. Of these 16, ten are fully reliant on shared services for their core IT systems, and six are partly reliant on shared services but also manage some of their own core IT systems.
Four of the agencies in this report neither provide nor rely on shared IT services.
Delivery models
There are three delivery models for how technology is delivered and engaged:
- a dedicated IT and system focused agency to provide services to the portfolio of agencies (eHealth)
- a centralised in-house function that leads the IT and system functions for and on behalf of the agencies in the same portfolio (Fire and Rescue NSW, Transport for NSW)
- a centralised in-house function that leads the IT and system functions for and on behalf of the agencies within the same portfolio and across other portfolios (Department of Customer Service, Department of Communities and Justice, Department of Planning, Housing and Infrastructure).
Scope of services provided
All six agencies use large enterprise resource planning systems such as SAP or Oracle as central to their finance, human resources and procurement functions, and core to the provision of services to their dependent agencies.
Grouping and consolidating common functions has been continuously occurring and evolving in the finance and IT spaces. Lead agencies have provided both financial systems and IT services to their dependent agencies. The types of IT services provided include application, database, servers, networks, IT governance, IT security processes, IT change management, IT operations and cyber security. Definitions of these functions are detailed in section 3.3.
Assurance over the service providers
Assurance is the independent review and formal reporting of the management processes and controls that a service organisation provides to user entities. Industry standards are based on international frameworks and exist for specific purposes, such as ISO 27001 for information security.
ASAE 3402 is the standard under which an auditor provides assurance on the controls of a service organisation (such as a lead agency) for use by user entities (such as dependent agencies) and their auditors. In the type of shared service arrangements described above, audits under ASAE 3402 provide formal assurance over the design and operating effectiveness of the controls at a service organisation that aim to manage the IT governance, access management, change management and IT operations described later in this chapter.
Only two of six provider agencies seek independent assurance under ASAE 3402
Only two of the six provider agencies that supply financial systems and IT services to other agencies seek formal external assurance over the design and effectiveness of the controls that they are responsible for, and upon which other agencies rely.
The absence of an ASAE 3402 assurance report over the shared service arrangements limits the formal accountability of the shared service provider to customer agencies. This leads to a lack of consistency for communicating and resolving control issues between provider and customer agencies.
| Provider agency | Formalised service relationship | IT services provided | Cyber security services provided | Independent assurance reported to customer agencies |
|---|---|---|---|---|
| eHealth | Meets the criteria | Meets the criteria | Meets the criteria | Meets the criteria |
| Transport for NSW | Meets the criteria | Meets the criteria | Meets the criteria | Did not meet the criteria |
| Department of Communities and Justice | Meets the criteria | Meets the criteria | Meets the criteria | Did not meet the criteria |
| Department of Planning, Housing and Infrastructure | Meets the criteria | Meets the criteria | Meets the criteria | Did not meet the criteria |
| Department of Customer Service | Meets the criteria | Meets the criteria | Meets the criteria | Meets the criteria |
| Fire and Rescue NSW | Meets the criteria | Meets the criteria | Meets the criteria | Did not meet the criteria |
Source: Audit Office analysis.
Governance
One provider developed a co-partnering model for the governance of IT services, with clients partnering as a board to govern the performance of the centralised IT services.
Two providers combined the application service and established individual Service Partnership Agreements.
Governance of the IT services has remained centralised, but many agencies also use separate applications and IT infrastructure that is supported by their own IT teams. All agencies had established protocols and defined responsibilities for the communication and escalation of service issues as customer and provider agencies.
Management letter issues and their impact across agencies
One of the main risks of shared services is that issues and problems become pervasive across all dependent agencies. Three of the six lead agencies had high risk issues impacting the financial systems they provided, and all six agencies had moderate risk issues. These issues impacted not only the lead agency that provided the service, but also the customer agencies that used their services.
The table below shows provider agencies and the:
- spread of risk ratings of the management letter issues that affect them and their customer agencies (rated in accordance with NSW Treasury's Risk Management Toolkit for the NSW Public Sector)
- number of in-scope customer agencies (of the 26 agencies covered in this report)
- number of customer agencies across NSW Government that the provider services.
| Provider agency | Risk ratings of management letter issues | Number of in-scope customer agencies affected | Total number of customer agencies affected |
| --- | --- | --- | --- |
| eHealth | Moderate, Low | 1 | 28 |
| Transport for NSW | High, Moderate, Low | 3 | 8 |
| Department of Communities and Justice | High, Moderate | 2 | 18 |
| Department of Planning, Housing and Infrastructure | Moderate, Low | 5 | 29 |
| Department of Customer Service | Moderate, Low | 8 | 30 |
| Fire and Rescue NSW | High, Moderate, Low | 1 | 2 |
Source: Audit Office analysis.
Cyber security in shared services
The scope of cyber security risk management, and the division of responsibility between provider and customer, varies with the nature of the agencies. Cyber security services have generally been provided alongside the IT shared services, or by the lead agency of the portfolio. Customer agencies may also have complementary cyber security functions where they run separate IT and infrastructure that the provider agency does not service.
Two sets of provider and customer agencies have a defined hierarchy in their relationship, structured as a central hub with decentralised spokes. This mirrors their risk management and IT services: centralised corporate systems and infrastructure sit in the hub, with decentralised infrastructure and systems for particular business units and operations. In practice, cyber security risks, processes and issues are managed in the decentralised agency but are visible to, and escalated to, the central provider agency under set protocols and procedures.
3.3 IT governance
IT governance provides a framework for accountability and transparency in how IT is managed in alignment with the agency’s objectives.
We evaluated the following as part of all audits for the agencies in this report:
- policies and standards are defined and are current over all key areas of IT
- IT management identify and document risks, and report significant risks to senior management of the agency
- management obtains independent assurance that service providers maintain an appropriate level of control over their environment, proportionate to the reliance placed on that service provider.
From the audit work performed, the following themes were identified.
Two agencies did not have current policies and standards covering key IT systems
One of the 26 agencies had a division that operated its system independently from the central IT team. That division had no formal IT policies or procedures for user access management, change management, incident management, backup and disaster recovery for their IT systems. The divisional IT team did not follow the agency’s IT policies and procedures, and lacked communication with the agency’s central IT team. The other agency had not reviewed and updated their IT policies and procedures in accordance with their planned review schedule.
Risk
Failure to implement and maintain current policies and standards increases the risk of:
Agencies should ensure IT policies remain relevant and current, especially after significant changes to organisational structures or processes, including Machinery of Government changes. These changes can abolish or create agencies, transfer policy, programs and service delivery to other agencies, and consequently can require significant changes to policies and standards as well as control activities and business processes.
Ten of the 26 agencies have been subject to Machinery of Government changes since March 2023.
Case Study - High Risk issue – IT Governance
One business unit within a department has historically operated with a degree of independence and uses an IT system to support its financial management, compliance and project management. Systems operated without the involvement or awareness of the agency's central IT function are often referred to as 'shadow IT'. This sometimes occurs through the business adapting to change quickly and implementing simple IT solutions for an immediate need, or as a result of changes to organisational structures. Shadow IT is generally not managed under a formal and mature control framework, as would be expected for systems under the control of the agency's central IT function. Shadow IT can be appropriate for low-risk situations, where the system does not present a security risk and does not play an important role in the overall business. The system we identified presents a high cyber security risk, as it is used for key financial functions which the department is obliged to operate under an effective control framework. The department has now included this system in its list of 'crown jewels'. Several weaknesses were identified, including:
This situation exposed the department to a number of risks, including issues with system and data integrity, availability, financial costs, reputational damage, and data breaches. We recommended that the business unit and the agency's central IT team work together to bring this system under an appropriate governance framework that includes effective controls and oversight. Other agencies should ensure that they are aware of what systems are being used within their business units, and that systems not under the management of the central IT function are subject to an appropriate governance framework.
Weaknesses in evaluating third-party IT service providers
Three agencies have deficiencies in their oversight of IT service providers or other organisations that can access their data. Gaps include failing to:
- review independent audit reports on the effectiveness of controls of a service provider
- perform a risk assessment over all service providers used for IT services
- hold third parties accountable to meet their security obligations under agreements.
Risk
Failure to identify and respond to risks from third-party service providers may lead to:
Agencies should ensure third-party IT service providers provide at least the level of protection that would apply if the agency still held the data, and hold them accountable for meeting their obligations. Third parties subject to a high level of oversight provide agencies with an independent assurance report detailing the effectiveness of controls over the reporting period. Agencies should ensure that weaknesses or incidents identified in these reports are responded to appropriately.
3.4 Access management
IT access management ensures that transactions and changes made to data are performed in the normal course of business by authorised staff.
We evaluated the following as part of the audits of all agencies in this report:
- access is approved
- access is removed when no longer required
- access rights are reviewed periodically and excessive access, if identified, is removed
- highly privileged accounts are restricted and monitored
- systems are configured to reduce the risk of guessing or otherwise determining an account password.
Four agencies that provide shared services failed to effectively authorise access to their systems
Four agencies had deficiencies in ensuring that access is approved before it is provided to users. The systems managed by these four agencies are used by several other customer agencies for financial transactions and reporting. Issues included:
- one agency did not follow its standard process when providing privileged user access to systems that were undergoing significant changes as part of IT project work
- one agency did not evaluate security risks or obtain appropriate approval when implementing an automated robot for transaction processing
- one agency did not obtain approval before a test account was created
- one agency could not create or renew user access in a timely manner, resulting in staff being unable to work.
Case Study - High Risk issue – User Access
One department had a weakness in its process to ensure privileged user access was approved, and consequently reprovisioned inappropriate privileged access several times to a user who did not require it. This user required only ordinary access. Management identified through its user access reviews that at some time in the past the user had mistakenly been given full system privileges, and restricted the level of the user's access. The restricted access rights assigned to the user's account were insufficient for their role, and the user was unable to perform the tasks required. The user requested that their access be reinstated. The level of access requested should have required approval from senior management, but instead the service desk reassigned the same full system access as before without seeking the required approval. There was no evidence of wrongdoing on the part of the user, either in requesting greater access or in misusing the privileges, but that the cycle was repeated a number of times is of concern. The system is used to manage maintenance contracts and customer interactions and is used by several agencies. We have previously reported that this system has design and functional deficiencies, which in part relate to difficulties in providing and restricting access. As a result, the department was at increased risk of inappropriate transactions or system changes had this account been misused. We recommended that the department:
All agencies should ensure that staff who perform key control activities, such as managing user access, are aware of the purpose of the control, and that control failures identified through periodic reviews are actively investigated.
Three agencies failed to effectively restrict user access to current and approved staff
One of the 26 agencies failed to remove a terminated user's access for two years, despite repeated requests to deactivate that access. Automated notifications for terminations at this agency failed for most of the financial year. Two other agencies failed to disable all access once users had left the organisation.
Risk
Weaknesses in user access management controls can result in inappropriate and unauthorised access to business systems. This can impact the completeness and accuracy of financial information by:
Agencies should ensure that access is approved before being provided. Evidence of approvals should be retained.
Eight agencies failed to effectively review and revalidate user access
Thirty-one per cent of agencies had deficiencies in their review and revalidation of user access. The deficiencies in these eight agencies impacted others, as three of these were lead agencies managing the systems for another nine agencies. These gaps included:
- not reviewing access for key systems
- not keeping sufficient records to indicate the purpose or approach of the review
- only reviewing access for the validity of accounts, but not validating that access permissions were appropriate
- commencing a process to revalidate user access, but the process remained incomplete as not all business areas had responded to confirm access remained appropriate
- not reviewing access for all key systems, all permissions or for all accounts on those systems
- not reviewing the currency of user access permissions built into the system
- performing reviews that did not identify access permissions in excess of requirements.
Risk
Weaknesses in user access management controls can result in inappropriate and unauthorised access to business systems. This can impact the completeness and accuracy of financial information by:
Agencies should regularly perform reviews of user access to ensure the existing access permissions are appropriate, and user accounts are still required. Corrective action should be prompt and evidence of changes retained.
Nine agencies are not effectively restricting and monitoring privileged users’ access
Thirty-five per cent of agencies had deficiencies in their controls over privileged users' accounts. Nine agencies had these deficiencies; five of them were lead agencies managing systems for another ten agencies.
Deficiencies included:
- using generic accounts with full system access
- failing to identify and restrict privileged user access only to those users who require that level of access
- failing to monitor or review activity performed using privileged user accounts.
Risk
The absence of periodic reviews of privileged user accounts increases the risk that inappropriate and unauthorised activities within the system go undetected. Privileged user accounts may be misused to:
Agencies should restrict the privileged user accounts, granting that level of access only on an ‘as needs’ basis. Agencies should regularly monitor or review activity by privileged users.
Case Study - High Risk issue – System implementation and upgrades
One agency had weaknesses in how privileged access was managed during and after two significant system upgrades. One staff member working on a system upgrade project, but not in a security operations role, created an account with full system access to the main finance system used by the agency and other dependent agencies for financial transactions, reporting and payroll. This privileged account was not approved or documented, contrary to the agency's security standards and policy. Management did not identify, during or after completion of the project, that the privileged account had been inappropriately created and used. No review had been performed to ensure that privileged accounts established for use during the system upgrade were removed after the end of the project. The account was disabled several months after completion of the project, and only after its existence was brought to management's attention. There were similar issues with another system used by one business unit in the same agency, with two privileged accounts created during a system change project without a documented request or approval, contrary to the agency's policy and standards. Failing to follow policies and standards, document actions appropriately, identify breaches of security standards, and remove unnecessary privileged access as soon as it is no longer required exposes the agency to the risk of unauthorised access and system breaches. We recommended that the agency:
All agencies should ensure that adequate governance is in place during and after major system changes, and that access required for projects is removed once the project is complete.
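The access findings above (the terminated user whose access stayed active for two years, the access revalidations that checked only whether accounts existed, and the privileged accounts raised for an upgrade project and never removed) can all be caught by one periodic reconciliation. The following is an added example, not code from the report or from any agency: it joins an identity export against HR terminations, the change-approval register, project end dates and a role permission baseline, and emits one finding per gap. All users, ticket numbers, project codes, role names and permissions are constructed.

```python
"""Periodic user access revalidation: reconcile an identity export against
HR terminations, the change-approval register, project end dates and a
role permission baseline. Added example; every input below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    enabled: bool
    privileged: bool
    approval_ref: Optional[str]    # change ticket that authorised the access, if any
    project: Optional[str]         # set when the account was raised for a project
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    code: str
    detail: str


# --- constructed inputs (hypothetical users, tickets, projects and roles) ---
AS_OF = date(2024, 6, 30)
HR_TERMINATIONS: Dict[str, date] = {"j.doe": date(2022, 3, 31)}
APPROVED_CHANGES: Set[str] = {"CHG-1001", "CHG-1042"}
PROJECT_END: Dict[str, date] = {"FIN-UPG-2": date(2024, 1, 31)}
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"invoice_entry", "view_vendor"}),
    "sysadmin": frozenset({"*"}),  # "*": full system access is part of this role
}
USER_ROLE: Dict[str, str] = {"j.doe": "ap_clerk", "a.smith": "ap_clerk", "m.lee": "sysadmin"}
ACCOUNTS: List[Account] = [
    Account("j.doe", "FIN", True, False, "CHG-0901", None, frozenset({"invoice_entry"})),
    Account("svc_upgrade", "FIN", True, True, None, "FIN-UPG-2", frozenset({"*"})),
    Account("a.smith", "FIN", True, False, "CHG-1001", None,
            frozenset({"invoice_entry", "vendor_maintenance"})),
    Account("m.lee", "FIN", True, True, "CHG-1042", None, frozenset({"*"})),
    Account("old_test", "PAY", False, True, None, "FIN-UPG-2", frozenset({"*"})),
]


def revalidate(accounts, terminations, approved, project_end,
               user_role, baseline, as_of) -> List[Finding]:
    """Return one Finding per control gap found on an enabled account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are out of scope for this review
        term = terminations.get(a.user)
        if term is not None and term < as_of:
            findings.append(Finding(a.user, a.system, "terminated_still_enabled",
                                    f"left {term.isoformat()}"))
        if a.privileged and a.approval_ref not in approved:
            findings.append(Finding(a.user, a.system, "privileged_without_approval",
                                    f"approval_ref={a.approval_ref}"))
        end = project_end.get(a.project) if a.project else None
        if end is not None and end < as_of:
            findings.append(Finding(a.user, a.system, "project_account_past_end",
                                    f"{a.project} ended {end.isoformat()}"))
        # Review permissions against the role baseline, not just account existence.
        allowed = baseline.get(user_role.get(a.user, ""))
        if allowed is None:
            findings.append(Finding(a.user, a.system, "no_role_on_record",
                                    "cannot validate permissions against a baseline"))
        elif "*" not in allowed:
            excess = a.permissions - allowed
            if excess:
                findings.append(Finding(a.user, a.system, "excess_permissions",
                                        ",".join(sorted(excess))))
    return findings


def run_example() -> List[Finding]:
    return revalidate(ACCOUNTS, HR_TERMINATIONS, APPROVED_CHANGES, PROJECT_END,
                      USER_ROLE, ROLE_BASELINE, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.system}\t{f.user}\t{f.code}\t{f.detail}")
```

On the constructed data this produces five findings: the terminated user still enabled, the project service account flagged three ways (no approval, project ended, no role to validate against), and the clerk holding vendor maintenance outside the role baseline. The sysadmin with an approved ticket and the disabled test account produce nothing. Replacing the constructed inputs with a real identity export, HR feed and change register turns this into the evidence trail the revalidation findings above say was missing.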
Four agencies have not complied with their password policies
Four agencies had not implemented password parameters in line with their own policies through system configuration. Two of these four agencies were lead agencies managing systems for another six agencies.
The deficiencies included:
- password configurations were not enforced
- password login attempts, history and lockout settings did not meet policy requirements.
Risk
Weaknesses in password configuration settings may make it easier for a user account to be compromised, allowing a party with unauthorised access to use and change financial and non-financial information for malicious or fraudulent purposes.
Agencies should ensure that their password policy and standards are in line with current good practice for the effective use of passwords or passphrases. Agencies should ensure their own standards are enforced through system configuration.
Case Study - High Risk issue – Unauthorised attempts to access privileged accounts
One agency had privileged accounts that were locked due to repeated unsuccessful logins, but the lockouts had not been investigated. These were standard system accounts created as part of the initial system install, with set user IDs and default passwords that are publicly documented or easily determined. The agency had changed the default passwords on these accounts. A security feature had also been configured so that five failed access attempts on any account lock the account, preventing its use even if the right password is subsequently known or guessed; a system administrator must reset the account before it can be used again. Failed login attempts can indicate an attempted intrusion and should be investigated. In response to our audit, management determined that there had been several attempts to log in to these accounts from an unknown source, most likely as part of an automated cyber attack. The attack was not sophisticated and did not appear to use any information specific to the agency. These attempts were unsuccessful because the authentication settings locked the accounts after repeated failures. We identified that four other agencies covered by this report have not consistently implemented that lockout control. Inadequate and limited security event monitoring and cyber security incident management processes expose the agency to additional financial costs, reputational damage and data breaches. We recommended that the agency:
All agencies should ensure that adequate security event monitoring and cyber security incident management processes cover their systems.
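The case study above is, in effect, a detection rule that was never written: repeated failures against default accounts, followed by a lockout nobody examined. The following is an added example, not from the report or the agency concerned, of that logic run over constructed authentication log lines. A sliding five-minute window flags an account and source once five failures accumulate (mirroring the five-attempt lockout setting), and any lockout not closed by an unlock carrying an incident reference is reported as unreviewed. The key=value log format, the default account names, the hosts, addresses and the INC- ticket reference are all assumptions made for the example.

```python
"""Brute-force and unreviewed-lockout detection over constructed authentication
log lines. Added example; the format, accounts and addresses are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed list: real default account names depend on the product installed.
DEFAULT_ACCOUNTS = {"admin", "system", "guest"}
WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # mirrors a five-failure lockout setting

LOG_LINES = """\
2024-05-03T02:14:07Z host=fin-app01 event=LOGIN_FAILED user=admin src=203.0.113.45
2024-05-03T02:14:08Z host=fin-app01 event=LOGIN_FAILED user=admin src=203.0.113.45
2024-05-03T02:14:09Z host=fin-app01 event=LOGIN_FAILED user=admin src=203.0.113.45
2024-05-03T02:14:10Z host=fin-app01 event=LOGIN_FAILED user=admin src=203.0.113.45
2024-05-03T02:14:11Z host=fin-app01 event=LOGIN_FAILED user=admin src=203.0.113.45
2024-05-03T02:14:11Z host=fin-app01 event=ACCOUNT_LOCKED user=admin
2024-05-03T02:14:20Z host=fin-app01 event=LOGIN_FAILED user=guest src=203.0.113.45
2024-05-03T02:14:21Z host=fin-app01 event=LOGIN_FAILED user=guest src=203.0.113.45
2024-05-03T02:14:22Z host=fin-app01 event=LOGIN_FAILED user=guest src=203.0.113.45
2024-05-03T08:01:02Z host=fin-app01 event=LOGIN_FAILED user=j.doe src=10.20.30.40
2024-05-03T08:01:30Z host=fin-app01 event=LOGIN_OK user=j.doe src=10.20.30.40
2024-05-03T09:15:00Z host=fin-app01 event=ACCOUNT_UNLOCKED user=admin ref=INC-2044
2024-05-04T01:02:03Z host=fin-app01 event=LOGIN_FAILED user=system src=198.51.100.7
2024-05-04T01:02:04Z host=fin-app01 event=LOGIN_FAILED user=system src=198.51.100.7
2024-05-04T01:02:05Z host=fin-app01 event=LOGIN_FAILED user=system src=198.51.100.7
2024-05-04T01:02:06Z host=fin-app01 event=LOGIN_FAILED user=system src=198.51.100.7
2024-05-04T01:02:07Z host=fin-app01 event=LOGIN_FAILED user=system src=198.51.100.7
2024-05-04T01:02:07Z host=fin-app01 event=ACCOUNT_LOCKED user=system
this line is malformed and must be skipped
""".splitlines()


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    src: Optional[str]
    at: datetime
    detail: str


def parse(line: str) -> Optional[dict]:
    """Parse '<iso-ts> key=value ...' into a dict with a datetime 'ts'; None if malformed."""
    try:
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)  # raises ValueError if a token has no '='
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return rec if {"event", "user"}.issubset(rec) else None
    except ValueError:
        return None


def detect(lines: List[str]) -> List[Alert]:
    failures: Dict[Tuple[str, Optional[str]], Deque[datetime]] = defaultdict(deque)
    alerted = set()                       # (user, src) pairs already reported
    open_lockouts: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for rec in filter(None, map(parse, lines)):
        ts, event, user, src = rec["ts"], rec["event"], rec["user"], rec.get("src")
        if event == "LOGIN_FAILED":
            q = failures[(user, src)]
            q.append(ts)
            while ts - q[0] > WINDOW:     # drop failures that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and (user, src) not in alerted:
                alerted.add((user, src))
                tag = "default account" if user in DEFAULT_ACCOUNTS else "named user"
                alerts.append(Alert("brute_force", user, src, ts,
                                    f"{len(q)} failures within {WINDOW}; {tag}"))
        elif event == "LOGIN_OK":
            failures.pop((user, src), None)   # a successful login resets the counter
        elif event == "ACCOUNT_LOCKED":
            open_lockouts[user] = ts
        elif event == "ACCOUNT_UNLOCKED" and "ref" in rec:
            open_lockouts.pop(user, None)     # only an unlock tied to an incident closes it
    for user, ts in sorted(open_lockouts.items(), key=lambda kv: kv[1]):
        alerts.append(Alert("lockout_unreviewed", user, None, ts,
                            "locked; no unlock carrying an incident reference"))
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"{a.at.isoformat()} {a.kind:<18} user={a.user} src={a.src} {a.detail}")
```

On the constructed lines this raises two brute-force alerts (admin and system, both default accounts, each from a single source) and one unreviewed lockout (system, never unlocked against a ticket); the three guest failures stay under the threshold and the admin lockout is closed by the unlock referencing INC-2044. The lockout-without-ticket rule is what would have surfaced the case study's locked accounts before the audit did.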
3.5 Change management
Controls over IT changes ensure that changes to how programs work are in line with requirements, and that unintended or unauthorised changes are not made. These controls, which include management checks and reviews, should be designed and enforced so they cannot be avoided, even when there is excessive access to both make and implement changes.
We evaluated the following as part of all audits for the agencies in the report:
- changes are appropriately tested before implementation to validate that systems operate as intended
- changes are authorised to ensure they are in line with business requirements and expectations, and have been adequately documented and reviewed
- duties are segregated to prevent people from making changes and then implementing them without independent approval.
From the audit work performed, the following themes were identified.
Four agencies did not prevent developers from implementing changes into the production system
Four agencies did not segregate developer access from the access needed to migrate a change into the production system. This lack of segregation allows changes to be made without an independent check, and could allow programming errors, unresolved bugs or unauthorised changes to enter the production system. Where agencies allow these practices because of the small size of their specialist teams, they have not implemented additional governance and monitoring processes to mitigate the risk.
Risk
IT Change Management controls address the risk of unauthorised or inappropriate changes being made that undermine the integrity of financial processing or reporting. Failing to segregate access to make and promote changes allows these controls to be bypassed.
Agencies should ensure that IT changes are appropriately tested, changes are authorised and there is a segregation of duties between those who can make changes and those who can implement changes.
One agency did not keep sufficient records for system changes
The agency did not retain records of the user acceptance testing or the approval of changes.
Risk
Failure to document key decisions undermines controls intended to ensure changes to systems work as intended, and data is transferred accurately and completely.
Agencies should formally record significant decisions and approvals during system implementations.
3.6 IT operations
Management and control of IT operations ensures that key IT processes operate as expected, and that interfaces between systems are complete and accurate, so there is integrity of the data and information transferred.
We evaluated the following as part of all audits for the agencies in the report:
- key processes are monitored and action is taken to resolve issues identified
- key financial data is backed up, and agencies validate that backed up data can be restored
- disaster recovery plans are documented and tested.
From the audit work performed, the following themes were identified.
Two agencies need to improve monitoring of key interfaces between finance systems
One agency did not review its financial interface to ensure all data had transferred completely and accurately. Accountability and responsibility for the interface was not clear or consistent.
The second agency identified data from four years earlier that had not been recorded in the financial system, and the cause of the discrepancy was still unknown.
Risk
Weaknesses in management and oversight of processing and interfaces risk data or transactions being unrecorded or unreported.
Agencies should ensure that interfaces are monitored and there are clear responsibilities to identify and resolve discrepancies.
Four agencies do not have current disaster recovery plans (DRPs) or have not tested those plans
Four agencies have deficiencies in their planning for recovering from disasters. Gaps included:
- a DRP that did not reflect current vendor agreements or procedures
- not testing one or more DRPs for a key finance system
- not having a DRP for a key system.
A DRP helps agencies maintain IT services in the event of a service disruption, or restore IT systems and infrastructure in the event of a disaster or similar scenario.
The agency without the DRP had an outage of approximately 34 hours that impacted over 700 users. Backup files could not be used and the agency had to rebuild their system to restore service.
Risk
Failure to effectively plan for recovery can lead to extended system outages and lost data in the event of a disaster.
Agencies should document plans to recover key systems and data in the event of a disaster and test these plans regularly.
3.7 Payroll and Finance application controls
Some key controls over purchasing and payroll systems are common across most organisations. These controls reduce the risk of unauthorised transactions or payments through those applications.
We evaluated the following as part of all audits for the agencies in this report:
- key transactions such as generating payment files are restricted to staff in appropriate roles
- segregation of duties is enforced, such as separating maintenance of masterfile data (for example, vendor bank details) and entering/approving invoices
- payment files are encrypted.
From the audit work performed, the following themes were identified.
Access is not effectively restricted for all sensitive payroll and finance system functions
Five agencies had not effectively restricted access to sensitive payroll functions to only those staff who require that level of access to perform their role. Five agencies had likewise not effectively restricted access to key transactions in their finance system to only those staff who require that level of access to perform their role.
Two lead agencies provide shared payroll and financial transaction services using a single financial system. Although each agency benchmarked access restrictions against best practice before the financial system went live, subsequent changes to access were made and the access restrictions were not consistently enforced in the live system.
Examples of inappropriate or excessive access include user accounts that can change rates of employee pay and bank account details, even though this access is not required in their roles.
Risk
Accounts with excessive access may be able to perform actions that are beyond those required for their role, and which may be inappropriate or inconsistent with their duties. This includes actions such as modifying bank details for employees or vendors and raising or approving invoices.
Agencies should ensure that access to perform higher risk activities in finance systems is restricted.
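The finance and payroll findings above (accounts that can change pay rates or bank details without needing to, and masterfile maintenance held together with invoice entry) and the earlier change-management finding of developers who could also promote their own changes to production are the same class of control: no one person may hold a toxic combination of functions. The following is an added example, not from the report or any agency: it evaluates a constructed role catalogue and user-role assignments against a list of toxic pairs, reports which roles supplied each side of a conflict, flags roles that grant a conflict by design, and marks conflicts covered by a documented compensating control (the mitigation the change-management section says small teams should have in place). Role names, function names, users and the exception reference are all constructed.

```python
"""Segregation-of-duties check over role assignments. Added example; the
role catalogue, toxic pairs, users and exception register are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role catalogue: role -> functions it grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice_entry"},
    "ap_supervisor": {"invoice_approval"},
    "vendor_admin": {"vendor_master"},
    "treasury": {"payment_file"},
    "payroll_officer": {"pay_rate_change", "employee_bank_details"},
    "payroll_approver": {"payroll_approval"},
    "developer": {"code_change"},
    "release_manager": {"prod_deploy"},
    "legacy_finance_all": {"invoice_entry", "invoice_approval", "vendor_master"},
}

# Pairs of functions a single person must not hold together.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"vendor_master", "invoice_entry"}),
    frozenset({"vendor_master", "invoice_approval"}),
    frozenset({"invoice_entry", "invoice_approval"}),
    frozenset({"vendor_master", "payment_file"}),
    frozenset({"employee_bank_details", "payroll_approval"}),
    frozenset({"pay_rate_change", "payroll_approval"}),
    frozenset({"code_change", "prod_deploy"}),  # developer promoting own change
}

USER_ROLES: Dict[str, Set[str]] = {
    "a.smith": {"ap_clerk", "vendor_admin"},
    "b.jones": {"ap_supervisor"},
    "c.wu": {"legacy_finance_all"},
    "d.patel": {"developer", "release_manager"},
    "e.kim": {"payroll_officer"},
}

# Approved exceptions: (user, pair) -> reference to the compensating control. Constructed.
EXCEPTIONS: Dict[Tuple[str, FrozenSet[str]], str] = {
    ("d.patel", frozenset({"code_change", "prod_deploy"})): "EXC-17 weekly review of deployment log",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    functions: FrozenSet[str]
    via_roles: FrozenSet[str]   # roles that together supply the conflicting functions
    exception_ref: str = ""     # non-empty when a compensating control is on record

    @property
    def mitigated(self) -> bool:
        return bool(self.exception_ref)


def user_conflicts(user_roles, role_functions, toxic_pairs, exceptions) -> List[Conflict]:
    """One Conflict per (user, toxic pair) the user's effective functions satisfy."""
    conflicts: List[Conflict] = []
    for user, roles in sorted(user_roles.items()):
        granted_by: Dict[str, Set[str]] = {}   # function -> roles that grant it
        for role in roles:
            for func in role_functions.get(role, ()):
                granted_by.setdefault(func, set()).add(role)
        for pair in sorted(toxic_pairs, key=sorted):
            if pair.issubset(granted_by):
                via = frozenset().union(*(granted_by[f] for f in pair))
                conflicts.append(Conflict(user, pair, via, exceptions.get((user, pair), "")))
    return conflicts


def toxic_roles(role_functions, toxic_pairs) -> List[str]:
    """Roles that grant a toxic pair on their own: a design flaw in the role itself."""
    return sorted(role for role, funcs in role_functions.items()
                  if any(pair.issubset(funcs) for pair in toxic_pairs))


def run_example() -> List[Conflict]:
    return user_conflicts(USER_ROLES, ROLE_FUNCTIONS, TOXIC_PAIRS, EXCEPTIONS)


if __name__ == "__main__":
    for role in toxic_roles(ROLE_FUNCTIONS, TOXIC_PAIRS):
        print(f"ROLE DESIGN: {role} grants a toxic combination")
    for c in run_example():
        status = f"mitigated ({c.exception_ref})" if c.mitigated else "UNMITIGATED"
        print(f"{c.user}: {'+'.join(sorted(c.functions))} via {sorted(c.via_roles)} {status}")
```

On the constructed data the check reports five conflicts: one for a.smith (entry plus vendor masterfile, accumulated across two separately harmless roles), three for c.wu (all from a single legacy role, which the role-level check also flags as badly designed) and one for d.patel, which is recorded as mitigated by the documented deployment-log review. Distinguishing accumulated conflicts from role-design conflicts matters because the fixes differ: reassign the user in the first case, split the role in the second.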
4. Cyber security
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.
Section highlights
- Eighteen agencies assessed that their cyber security risks were above their risk appetite, out of the 20 agencies that evaluated their cyber security risks.
- Fourteen of the 18 agencies with cyber security risks above their risk appetite have open-ended timeframes to resolve those risks.
- Two agencies do not have funded plans to improve their cyber security.
- Three agencies had not defined their cyber security training requirements or mandated annual cyber security training.
- Four of the 26 agencies do not provide additional cyber security awareness training to high-risk staff.
4.1 Background
Cyber security is an essential element in an agency's overall control framework. Risk to the public increases as the systems and data managed by government are subject to higher volumes of increasingly sophisticated cyber attacks.
The Australian Cyber Security Centre (ACSC) in its Annual Cyber Threat Report 2022–23, published in November 2023, noted 94,000 cybercrime reports, an increase of 23% on 2021–22. The average cost of each reported cybercrime also increased, by 14% on 2021–22. That report noted that 12.9% of incidents reported to the ACSC related to state, territory and local government agencies.
This chapter focuses on cyber security risks as they relate to our financial audits and the potential impact of incidents on the financial statements we audit, with a focus in the current year on the application of agency risk management frameworks to cyber risks and agency awareness programs.
Our audit focus on cyber security, as explained in our Annual Work Program (AWP) 2024–27, aims to provide insights into how agencies are mitigating key cyber security challenges faced by government as summarised in the following graphic.
Cyber Security Challenges guiding the focus of our Annual Work Program
* Our Cyber Security Challenges have been adapted from those presented by the United States Government Accountability Office (GAO) — Cybersecurity | U.S. GAO to highlight challenges we have identified in the NSW public sector from our Financial and Performance Audits.
** When we refer to Cyber Resilience, we are aligning with the NSW Government Cyber Security Policy definition, where resilience includes incident detection, response and recovery.
*** Audits provide insights as to agencies’ progress against the six Focus Areas of the NSW Cyber Security Framework, but not assurance in relation to all aspects of the framework.
Source: Audit Office Annual Work Program 2024–27, Audit Office of NSW; 3 August 2024.
4.2 Policy framework
The original NSW Cyber Security Policy took effect from 1 February 2019, replacing the NSW Digital Information Security Policy following the Audit Office’s 2018 performance audit Detecting and responding to cyber security incidents. The NSW Cyber Security Policy is subject to annual review, which includes agency feedback. The current version of the NSW Cyber Security Policy was issued in February 2024.
The updated policy:
outlines the mandatory requirements to which all NSW Government departments and Public Service agencies must adhere. Each Mandatory Requirement is supported by detailed requirements. These detailed requirements are a baseline of minimum requirements expected of agencies.
Source: NSW Cyber Security Policy, updated February 2024; Policy Statement | Digital.NSW.
The revised NSW Cyber Security Policy requires agencies to implement 31 'Mandatory Requirements', supported by 114 detailed requirements. The ACSC Essential Eight has been incorporated into the Mandatory Requirements.
Agencies self-report an assessment against these 114 requirements stating whether each requirement is met, partially met, or not met. This replaced the previous ‘Maturity Model’ built into the previous Policy.
The Audit Office's recommendation to seek an independent assurance review of agencies' self-assessments, made in our 2021 report Compliance with the NSW Cyber Security Policy, remains unaddressed. We also recommended in that report that Cyber Security NSW (CSNSW) monitor and report compliance with the NSW Cyber Security Policy, requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent.
Compliance to the updated NSW Cyber Security Policy is not required for 2023–24
The February 2024 update of Department of Customer Service Circular DCS-2021-02 for the NSW Cyber Security Policy states:
Agencies are not expected to have fully met all Mandatory Requirements in the 2023–2024 financial year of NSW Cyber Security Policy reporting. This reporting year is intended to be a transition period and will serve as a baseline only.
Source: DCS 2021-02, updated February 2024 Circular DCS-2021-02.
4.3 Identifying and responding to cyber security risk
We reviewed agency risk assessments for cyber security. This section of the report describes how they identified their cyber security risks and assessed how those risks apply to their IT environment. We assessed whether agencies:
- have identified and recorded cyber risks in their formal risk management processes
- have assessed these risks in relation to their risk appetite
- apply one or more established frameworks to assess the effectiveness of their cyber security
- have defined and funded plans to remediate gaps in their cyber security.
Ineffective identification and assessment of cyber security risks can leave agencies vulnerable to unknown risks. This can result in disruption of services, loss of reputation and loss and damage both to the agency and the public who rely on those services.
Identify and record cyber security risks
The Treasury Policy Paper TPP20-08 Internal Audit and Risk Management Policy for the General Government Sector is a mandatory risk management policy for NSW government agencies. It is founded on the International Standard ISO 31000:2018 Risk management – Guidelines, and refers to the NSW Cyber Security Policy for cyber security risk assessment. All 26 agencies use the industry standard ISO 31000 as their framework for corporate risk management.
AS/NZS ISO 31000:2018 Risk management – Guidelines describes a generic process, which might be summarised as:
- identifying risks based on the external environment and factors specific to the entity
- assessing the severity of the risks based on the likelihood and impact should they occur
- determining the entity's risk appetite: the severity of risk it is prepared to accept
- evaluating the effectiveness of controls that are in place to mitigate the risks
- responding to risks outside appetite, typically by treating them to reduce the likelihood or impact to bring them within appetite.
All 26 agencies updated their cyber security risk register, with the frequency of updates ranging from monthly to six-monthly.
Agencies do not have a consolidated view of their cyber risks
Despite similar frameworks, agencies have taken different interpretations of how to define and record risks. The number of cyber security risks recorded by agencies ranged from one to 298. While some variance would be expected due to the size and complexity of agencies, risk registers ought to be at a level that informs and supports decision making rather than simply a list of all known vulnerabilities or potential incidents and causes of incidents.
Where several risks share a similar cause, they can often be mitigated by the same control.
Risk appetite
Every organisation faces some level of risk. A risk appetite statement defines the upper threshold for the level of risk an agency is prepared to accept, taking into account the potential consequences of cyber incidents for its operations and its stakeholders.
Risks which are above this appetite should be regarded as a priority for the agency, and steps taken to mitigate those risks so that they are brought within what the agency can accept.
Some agencies have not defined their risk appetite
Four of 26 agencies have not defined their risk appetite for cyber security. Two of these agencies have drafted their risk appetite statement but it has not been fully developed or endorsed, and a third agency has stated it intends to develop a risk appetite statement in 2025.
These agencies also have yet to assess their current risks against their planned risk appetite and to develop remediation strategies for risks above that yet-to-be-determined appetite.
Of the 22 remaining agencies that have established cyber security risk appetites, all revised and reassessed their corporate risk appetite during the 20 months to 30 June 2024. One of the 22 revised its risk appetite statement to include more detail, but the level of risk accepted did not change for any of the 22 agencies.
Some agencies have risks which are above their risk appetite
Only 20 of the 26 agencies have assessed their cyber risks against their cyber risk appetite. Of these 20 agencies, 18 noted risks above their cyber risk appetite.
The number of agencies who have cyber security risks above risk appetite are as follows:
Source: Audit Office analysis of cyber security risk ratings and agency cyber security risk appetites.
Many agencies have not defined timeframes to remediate their cyber security risks above their risk appetite
Fourteen of the 18 agencies that noted current cyber security risks above their appetite have not set timeframes to address these risks. All 14 have open-ended dates to resolve them.
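The process the report describes, from scoring each risk on likelihood and impact, comparing it with the agency's appetite, through to the two gaps it flags (open-ended remediation dates, and several risks that share one cause and could be treated by one control), as an added worked example in Python. This is illustrative code written for this page, not a tool from the Audit Office or any agency; the 5-point scales, the appetite threshold of 10 and the sample register are constructed assumptions, since ISO 31000 does not prescribe a scoring scale.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed ordinal scales. Each agency defines its own; these are for illustration only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    cause: str                   # root cause; risks sharing a cause often share a control
    likelihood: str
    impact: str
    target_date: Optional[date]  # None = open-ended remediation date (the gap the report flags)


def severity(risk: Risk) -> int:
    """Severity score = likelihood x impact on the ordinal scales above."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def above_appetite(register: list, appetite: int) -> list:
    """Risks whose severity exceeds the appetite threshold, highest severity first."""
    return sorted((r for r in register if severity(r) > appetite), key=severity, reverse=True)


def open_ended(risks: list) -> list:
    """IDs of risks with no remediation target date set."""
    return [r.risk_id for r in risks if r.target_date is None]


def overdue(risks: list, today: date) -> list:
    """IDs of risks whose target date has passed without the risk being closed."""
    return [r.risk_id for r in risks if r.target_date is not None and r.target_date < today]


def shared_causes(risks: list) -> dict:
    """Group risks by root cause; a cause behind several risks is a candidate for one control."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.cause].append(r.risk_id)
    return {cause: ids for cause, ids in groups.items() if len(ids) > 1}


def appetite_report(register: list, appetite: int, today: date) -> dict:
    """Summary a risk committee would want: what is outside appetite and what has no plan."""
    outside = above_appetite(register, appetite)
    return {
        "total_risks": len(register),
        "above_appetite": [r.risk_id for r in outside],
        "open_ended": open_ended(outside),
        "overdue": overdue(outside, today),
        "shared_causes": shared_causes(outside),
    }


# Constructed sample register (hypothetical, not any agency's data).
REGISTER = [
    Risk("R1", "Ransomware encrypts file servers", "unpatched internet-facing systems",
         "likely", "major", date(2024, 12, 31)),
    Risk("R2", "Web application compromised via known vulnerability",
         "unpatched internet-facing systems", "possible", "major", None),
    Risk("R3", "Phishing leads to credential theft", "no phishing-resistant MFA",
         "likely", "moderate", None),
    Risk("R4", "Lost laptop exposes unencrypted data", "no disk encryption",
         "unlikely", "moderate", date(2025, 6, 30)),
    Risk("R5", "Privileged account misused", "unrestricted privileged access",
         "possible", "severe", None),
]

APPETITE = 10  # assumed threshold: severity above 10 is outside appetite

if __name__ == "__main__":
    for key, value in appetite_report(REGISTER, APPETITE, date(2025, 1, 1)).items():
        print(f"{key}: {value}")
```

Keeping the register at this level (one line per risk, with cause and target date) rather than one line per known vulnerability is what lets the committee see that three of the four out-of-appetite risks have no remediation date, and that two of them would be addressed by the same patching control.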
Frameworks
Assessing compliance with or maturity against an established framework is a standard and common approach to evaluate the effectiveness of existing controls in mitigating the identified cyber risks.
The NSW Cyber Security Policy is mandated for NSW government agencies, and includes the ACSC Essential Eight. Agencies have also adopted the use of other cyber security frameworks with most using more than one framework.
The most common framework used is International Standard ISO/IEC 27001. It provides guidance to establish, implement, maintain and continually improve an information security management system. Twenty-one of the 26 agencies follow this framework with three also obtaining certification.
The second most common is the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). This framework was developed and is maintained by the United States Department of Commerce, and is broadly applicable and widely used across many industries and in many countries. Fifteen of the 26 agencies use this framework to some extent.
Source: Audit Office analysis of cyber security frameworks for 2024.
The cyber security frameworks used across 26 agencies comprise the following:
- 21 of the 26 agencies follow ISO27001, with three obtaining certification
- 14 of the 26 follow NIST CSF
- five of 26 agencies follow the Commonwealth government’s Information Security Manual
- all 26 agencies follow the Cyber Security Policy from Cyber Security NSW
- all 26 agencies follow the ACSC Essential 8, as this is built into the updated Cyber Security Policy
- one agency used a separate International Electrotechnical Commission standard to address cyber security for their operational technology
- two agencies use only the required Cyber Security Policy and ACSC Essential 8.
Cyber security remediation and uplift programs
At June 2023, none of the in-scope agencies for this report had met their target level of maturity against either the Essential 8 or the mandatory requirements of the CSP (as noted in our Internal controls and governance 2023 report). Every agency required improvements in how they manage cyber security, and a plan to deliver those improvements.
Two agencies do not have funded plans to improve their cyber security
One of these agencies has a plan but has not funded its implementation. This agency has over 20,000 staff and provides important services to the public.
A second agency, which was not in scope for the 2023 report, has stated that they are at their target level of maturity and have no current requirements to improve their cyber security.
Nine agencies have not progressed with remediating known gaps in their security
Nine of 26 agencies have not finalised remediation plans to address their shortcomings against the NSW Cyber Security Policy. These agencies advised that planning is occurring based on the revised CSP requirements, and noted that Cyber Security NSW has stated that
…agencies are not expected to have fully met all Mandatory Requirements in the 2023–2024 financial year of NSW Cyber Security Policy reporting, as this reporting year is intended as a baseline only
Source: NSW-Cyber-Security-Policy-2023–2024.pdf
The remaining 17 agencies have current cyber security remediation plans. Timing to complete remediation plans ranges between December 2024 and June 2027.
Expenditure on cyber security
Funding for the ongoing cyber security function, including governance, operations and investigations, ranged from $250,000 to $47.3 million for individual agencies.
Funding for uplift programs, for those agencies which have funding allocated, ranged from $100,000 to $49 million.
4.4 Cyber security awareness and training
Human error is a common vulnerability that can lead to a cyber incident. Awareness training and exercises aim to make users more conscious of their responsibilities to work in a secure manner, and less susceptible to common cyber attacks such as social engineering (i.e. manipulating people to share sensitive information) and phishing (i.e. scam emails or texts that contain links to malicious websites). This section describes how agencies manage awareness programs to reduce the risk of compromise due to user behaviour.
Mandatory requirement 3.1 of the Cyber Security Policy requires agencies to:
- define cyber security awareness training requirements for all staff and to mandate completion of cyber security awareness training for employees and contractors, both annually and when onboarding,
- define cyber security awareness training for high-risk roles, including privileged users, finance/HR teams, executives, etc., and to mandate completion for employees and contractors in high-risk roles both annually and when onboarding; and
- conduct regular phishing simulations.
The Australian Cyber Security Centre encourages the community to be educated at all levels and understand cyber security risks and issues. This occurs at a basic level for individuals, small business, big business and government. Educated users can help agencies to identify and appropriately respond to cyber security threats and attacks. In our 26 agencies, the following methods were used to help keep teams ready:
- regular awareness campaigns using email and the intranet
- workshops and communities of practice, especially during October's cyber security awareness month
- podcast series
- focussed training for privileged users
- phishing simulations
- training adapted to the needs of remote workforces.
Cyber security awareness training programs
One agency had not defined cyber security training requirements
One agency reported ongoing difficulties in establishing the requirement for staff to complete regular cyber security training. Although this agency had required cyber security training since 2021, they had not allocated staff to manage the training, and therefore it had not been effectively delivered. During 2023, management redefined the cyber security training requirements with an aim to make this available from July 2024.
All 26 agencies revised their cyber security training requirements and the content in the 18 months to 30 June 2024. The basis for updating training requirements is driven by government directives, updates to policy (such as the NSW Cyber Security Policy) and risk assessments by cyber security and training teams.
Three agencies do not mandate annual cyber security training or cyber awareness training
Two agencies conducted cyber security training when onboarding staff but had no subsequent annual cyber security or awareness training program.
Another agency had cyber security training available but did not require staff to complete it.
Ensuring staff complete cyber security awareness training has been a requirement of the NSW Cyber Security Policy since 2019.
Four agencies have not provided or mandated additional cyber security awareness training to high-risk staff
Four of the 26 agencies have not established focussed or tailored cyber security training for higher risk users. This includes training for users such as privileged users, executives, finance or human resources who typically have access to more systems and sensitive data. The remaining 22 agencies have tailored training for these high-risk users.
Completion of mandatory training
Some agencies have low levels of completion for their mandated training
Where it has been mandated that staff complete awareness training, agencies reported actual completion rates between 66% and 100% (22 agencies).
One agency could not provide statistics on their rates of completion. We previously noted that three agencies do not mandate annual cyber security training or cyber awareness training.
Source: Audit Office analysis.
Thirteen of the 22 agencies that measure completion rates send notifications of non-completion to staff members' managers. The other nine agencies send reminders directly to staff to complete their training.
Performance of regular phishing simulation exercises
Phishing is one way cyber criminals trick people into giving up personal information. Fraudulent emails or messages pretend to come from large, trusted organisations but are designed to steal login details, passwords or credit card details. The ASD Cyber Threat Report 2022–23 noted that 17% of mid-range category three incidents started with a phishing attack.
One agency did not perform regular phishing simulation exercises
One agency has not performed phishing simulations. The frequency of phishing simulations varied from none, to twice a year, to every three weeks. Twenty-four of the 25 agencies advised that their phishing simulations were successful and productive, though one noted no improvement compared to previous test results.
Source: Audit Office analysis.
One agency uses an artificial intelligence tool to run and analyse their phishing simulations to staff every three weeks. It measures individual simulation results as a ‘behaviour risk score’ and adjusts the complexity of the individual’s next phishing simulation. Regular reporting at the individual and team level occurs and there are some friendly internal team competitions to encourage involvement. Individuals with a low ‘behaviour risk score’ due to a lack of success, are contacted and encouraged to complete the cyber security training.
Measurement criteria for the success of the phishing simulations included:
- number of recipients
- number of recipients who reported the email
- number of recipients who opened attachments
- number of recipients who clicked the phishing link
- number of recipients who provided credentials through the phishing link
- whether the recipient who failed was a high risk user.
Twenty-four of the 25 agencies who reviewed the results of their phishing simulations saw reductions in compromises and increases in staff reporting a phishing attack. One agency saw steady results and no improvement, but another agency saw a reduction in the click rate from phishing simulations from 42% to 11% over nine months.
When individual staff are unsuccessful in the phishing simulations, agencies use the following methods to improve their cyber security awareness:
- 19 out of 25 agencies notify the staff of their result and how they should have responded
- all 25 agencies enrol staff into additional training (optional at some agencies, required at others)
- 13 out of 25 agencies required staff to complete additional phishing simulation tests
- 11 out of 25 agencies inform the staff member’s manager of the result
- none of the 25 agencies raise repeated phishing test failures with staff during their appraisal process.
Cyber security and training teams are keeping a positive engagement for cyber security education rather than a punitive culture.
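The measurement criteria listed above and the follow-up actions agencies apply to staff who fail a simulation, as an added worked example in Python. This is illustrative code written for this page, not an agency's or vendor's tool; the two simulation rounds are constructed sample data, and the follow-up policy encoded in `follow_up_actions` is an assumed one that combines the practices the report lists (notify the user, enrol in training, extra simulations, inform the manager for higher-risk cases, and nothing recorded in appraisals).

```python
from dataclasses import dataclass


@dataclass
class RecipientResult:
    """One recipient's outcome in a single phishing simulation."""
    user: str
    high_risk: bool = False           # privileged user, executive, finance/HR etc.
    reported: bool = False            # reported the email to the security team
    opened_attachment: bool = False
    clicked_link: bool = False
    submitted_credentials: bool = False

    def failed(self) -> bool:
        return self.opened_attachment or self.clicked_link or self.submitted_credentials


def campaign_metrics(results: list) -> dict:
    """The counts and rates from the report's measurement criteria for one simulation."""
    n = len(results)
    clicked = sum(r.clicked_link for r in results)
    reported = sum(r.reported for r in results)
    return {
        "recipients": n,
        "reported": reported,
        "opened_attachment": sum(r.opened_attachment for r in results),
        "clicked_link": clicked,
        "submitted_credentials": sum(r.submitted_credentials for r in results),
        "failed": sum(r.failed() for r in results),
        "high_risk_failed": sum(r.failed() for r in results if r.high_risk),
        "click_rate_pct": round(100.0 * clicked / n, 1) if n else 0.0,
        "report_rate_pct": round(100.0 * reported / n, 1) if n else 0.0,
    }


def click_rate_change(before: list, after: list) -> float:
    """Change in click rate between two rounds, in percentage points (negative = improvement)."""
    return round(campaign_metrics(after)["click_rate_pct"]
                 - campaign_metrics(before)["click_rate_pct"], 1)


def follow_up_actions(r: RecipientResult) -> list:
    """Assumed follow-up policy for a recipient who failed (hypothetical, not any agency's)."""
    if not r.failed():
        return []
    actions = ["notify_result", "enrol_training"]   # tell them how they should have responded
    if r.clicked_link or r.submitted_credentials:
        actions.append("additional_simulation")    # retest those who went past opening it
    if r.high_risk and r.submitted_credentials:
        actions.append("inform_manager")           # credentials from a high-risk role
    # No appraisal-related action: the report notes none of the 25 agencies do this.
    return actions


# Constructed sample data: the same ten staff across two rounds, nine months apart.
ROUND_1 = [
    RecipientResult("alice", high_risk=True, reported=True),
    RecipientResult("bob", clicked_link=True),
    RecipientResult("carol", clicked_link=True, submitted_credentials=True),
    RecipientResult("dave", opened_attachment=True),
    RecipientResult("erin", reported=True),
    RecipientResult("frank", clicked_link=True),
    RecipientResult("grace", high_risk=True, clicked_link=True),
    RecipientResult("heidi"),
    RecipientResult("ivan"),
    RecipientResult("judy", high_risk=True, clicked_link=True, submitted_credentials=True),
]
ROUND_2 = [
    RecipientResult("alice", high_risk=True, reported=True),
    RecipientResult("bob", clicked_link=True),
    RecipientResult("carol", reported=True),
    RecipientResult("dave", reported=True),
    RecipientResult("erin", reported=True),
    RecipientResult("frank"),
    RecipientResult("grace", high_risk=True),
    RecipientResult("heidi", reported=True),
    RecipientResult("ivan"),
    RecipientResult("judy", high_risk=True),
]

if __name__ == "__main__":
    print("round 1:", campaign_metrics(ROUND_1))
    print("round 2:", campaign_metrics(ROUND_2))
    print("click rate change (pp):", click_rate_change(ROUND_1, ROUND_2))
    for r in ROUND_1:
        if r.failed():
            print(r.user, "->", follow_up_actions(r))
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate means staff are ignoring phishing rather than reporting it, which gives the security team no early warning when a real campaign arrives.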
Recommendation on identifying cyber incidents
In the 2023 Internal controls and governance report we found that 24% of agencies were not able to demonstrate how they had determined that issues did not meet the criteria to be treated as a cyber incident. We recommended that:
In 2023, it was found that one agency had failed to identify any cyber incidents at all, despite having records of issues that appeared to meet the criteria, such as malware spreading in the IT environment and a case of ransomware reported by a staff member. This agency provides shared services to other agencies. Failing to correctly identify a cyber incident limits the opportunity to respond appropriately to minimise the impact of those incidents. In 2024, this agency has begun to recognise cyber incidents and apply its cyber incident response plan. At the time of audit, the agency had identified and responded to three cyber incidents. There are still difficulties providing documentation about these incidents, but the ability to identify at least some incidents and respond to them in line with the established procedure is a significant improvement.
5. Fraud and corruption control
This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' fraud and corruption control frameworks, policies and practices. Our Internal Controls and Governance 2018 report found a number of fraud and corruption control gaps in NSW Government.
The NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy (the Circular) requires NSW government agencies to develop, implement and maintain a fraud and corruption control framework. The Circular sets out minimum standards for a NSW Government agency’s fraud and corruption control framework.
Previous Audit Office report on agency fraud and corruption control
Report on Internal Controls and Governance 2018 (published October 2018)
The report found there were gaps in the fraud and corruption controls of some agencies, which increased the risk of reputational damage and financial loss. Where relevant, we have included the results from our 2018 report on Internal Controls and Governance below for comparison purposes.
Section highlights
- There are gaps in fraud and corruption controls, and in some cases important controls are not working.
- Nine agencies’ fraud and corruption control frameworks have not been reviewed in the past two years by those charged with governance.
- Agencies can strengthen their employment screening processes by observing the NSW Public Service Commission’s Recruitment and selection guide.
- Eighteen agencies use data analytical tools to identify and monitor fraud and corruption.
- Nine agencies use Artificial Intelligence to detect fraud.
5.1 Prevention systems
Fraud prevention systems are the most cost-effective way to minimise fraud in an agency. Prevention strategies should be proportionate to the fraud risks identified by the agency.
We reviewed the adequacy of agency fraud prevention systems.
All agencies have a fraud and corruption control framework in place
All agencies have established a fraud and corruption control framework. A fraud and corruption control framework is a tool to help agencies discharge their responsibility for preventing, detecting and properly responding to fraud. Each agency should develop a strategy for implementing this framework that is specific to its own internal and external operating environment and that is proportionate to the fraud risks it faces.
The table below shows the minimum key elements present in the agencies’ frameworks.
Number of agencies | Key elements in a fraud and corruption control framework |
26 | a fraud and corruption control policy |
26 | clearly defined responsibilities for managing fraud and corruption |
24 | risk-based preventative and detective controls |
26 | policies, systems and processes to respond to, investigate and report suspected fraud and corruption |
22 | employee awareness/education measures |
25 | robust third-party management systems |
17 | regular review of the fraud and corruption control framework and reporting |
Agencies should:
- ensure that the fraud and corruption control framework is periodically reviewed by the agency’s Audit and Risk Committee in accordance with TPP 15-03 Internal Audit and Risk Management Policy for the NSW Public Sector
- ensure that relevant fraud and corruption controls are included in the annual internal controls assessment and CFO certification in accordance with TPP17-06 Certification of the effectiveness of internal controls over financial information.
The effectiveness of some agencies’ fraud and corruption control framework is impacted by the absence of timely review and regular fraud risk assessments.
Nine agencies’ fraud and corruption control frameworks were not reviewed in the past two years
Nine agencies' fraud and corruption control frameworks have not been reviewed in the past two years. The primary responsibility for the prevention and detection of fraud rests with those charged with governance of the entity and with management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and on fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behaviour.
Three agencies are not documenting or regularly reviewing their fraud risks
Fraud risk assessments are a key component of an agency’s fraud and corruption control framework. Despite this, we found three agencies were not performing fraud risk assessments. This area has improved since we last examined it in our 2018 report.
 | 2024 Report | 2018 Report |
Agencies not documenting or regularly reviewing their fraud risks | 23 | 23 |
Source: Audit Office analysis.
Fraud risk assessments should be integrated into the enterprise risk management process and performed at a sufficiently granular level so that it is given proper attention at an operational level.
Agencies that do not perform fraud risk assessments or do not perform them at a sufficiently granular level are less likely to have mitigated the risk by implementing appropriate prevention or detection controls that target areas of high or emerging fraud risk.
The Fraud and Corruption Control Standard AS8001-2021 suggests fraud risk assessments should be performed at least every two years.
Nineteen agencies do not have employment screening policies, or have gaps in their policies
Four agencies did not have policies for employment screening either in a dedicated, or a broader hiring policy. Of the fifteen agencies that do have employment screening policies, opportunities exist to make their policies more comprehensive.
Employment application fraud is one of the common forms of corrupt conduct faced by agencies and an indicator of future corrupt conduct and other acts of dishonesty. Without policies and procedures for employment screening, there is an increased risk that:
- inconsistent practices and/or gaps in practices will not be addressed, and the extent of employment screening will not be proportionate to the role, leading to either under- or over-screening of potential employees
- an existing employee or contractor with a history of corrupt or criminal conduct being transitioned into a permanent role or higher risk role, without identification or safeguards being put in place.
The table below shows some deficiencies we noted across the 22 agencies that have employment screening policies.
Number of agencies | Employment screening policy deficiency |
13 | do not identify high risk roles |
10 | do not detail circumstance where post-employment screening should be performed |
2 | do not extend the policy to recruitment of casual employees and contractors |
Source: Audit Office analysis.
According to the ICAC report Common forms of corrupt conduct: Risks faced by NSW public sector agencies, released 11 June 2024, the Commission receives a significant number of matters concerning recruitment, making it a high-risk workplace function. Agencies can strengthen their employment screening processes by observing the NSW Public Service Commission’s Recruitment and selection guide, which is designed to help agencies’ recruiters and hiring managers design consistent and equitable recruitment processes.
5.2 Detection systems
It is important for an agency to implement effective detection systems to mitigate fraud risks. Early detection limits the quantum of frauds by reducing the time the vulnerability can be exploited.
Eighteen agencies’ internal audit programs target fraud risks
Internal audits are also an important part of the fraud control environment. Eighteen agencies have a targeted review of fraud controls on their internal audit plan.
Data monitoring programs are used across twenty-three agencies
Eighty-eight per cent of agencies reported they use data monitoring programs to address fraud risks. This compares favourably to the 2018 Report on Internal Controls and Governance, where we found 38% of agencies had implemented a data monitoring program.
 | 2024 Report | 2018 Report |
Agencies that used data monitoring programs (%) | 88 | 38 |
Source: Audit Office analysis.
A program of detective controls such as data monitoring and review supplements preventive internal controls, such as segregation of duties and line management reviews. Detective controls help agencies identify patterns, irregularities, anomalies and trends in large data sets.
A continuous data monitoring process can:
- detect fraud more quickly
- identify potential control gaps where the agency may be more susceptible to fraud or error
- provide other insights into the business that can help an agency save costs, improve processes, or realise other benefits.
Ideally, agencies should link their data monitoring program to their fraud risk assessment to ensure they are targeting the right fraud risks.
Eighteen agencies use data analytical tools to identify and monitor fraud and corruption
As defined in the NSW Government Data Strategy, data analytics is the process of manipulating data in different ways with the goal of discovering insights. These insights are meaningful and actionable findings emerging from processed data, that can be leveraged to optimise decision-making processes. Data analysis can assist in fraud risk assessment, detection of fraud or fraud indicators, decision-making support and management reporting. We found 18 agencies use data analytical tools to identify and monitor fraud and corruption.
The agencies in this report used automated data analysis tools for:
- fraud detection and risk management
- general ledger reconciliation, management control questionnaires and period end variance analysis
- testing invoice payments and purchase card transactions
- ABN verification for new supplier or changes to existing suppliers prior to accepting changes
- analysing fortnightly payroll master data, and checking that exception reports on payroll master data changes are independently reviewed by a non-payroll officer
- quality assurance to detect data exceptions such as a missing cost centre, a missing TFN, excessive gross pay or a missing information type
- monitoring procurement activities across the whole procurement and payment process to identify potential fraud by identifying spend patterns for review and reporting.
Sixteen agencies that use data analytics train the users on how to use the data analysis tool.
Eleven agencies that use data analytics check the effectiveness of the data analysis tools to ensure the tools are working as intended and designed.
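Three of the analytics listed above (duplicate invoice payments, ABN verification for supplier changes, and payroll exception reporting for a missing cost centre, missing TFN or excessive gross pay) as an added worked example in Python. This is illustrative code written for this page, not an agency's tool; the payments and payroll records are constructed sample data. The ABN check uses the check-digit algorithm the Australian Taxation Office publishes, and the valid sample ABN 51 824 753 556 is the ATO's own published example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    payment_id: str
    supplier_abn: str
    invoice_no: str
    amount_cents: int   # integer cents avoids float rounding when matching amounts
    paid_on: str        # ISO date, kept as text for the example


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    cost_centre: str
    tfn: str
    gross_cents: int


ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def abn_is_valid(abn: str) -> bool:
    """ATO check-digit test: subtract 1 from the first digit, weight all 11 digits,
    and the weighted sum must be divisible by 89. Catches typos and made-up ABNs,
    not whether the ABN is registered to the supplier (that needs the ABR lookup)."""
    digits = re.sub(r"\D", "", abn)
    if len(digits) != 11:
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(w * n for w, n in zip(ABN_WEIGHTS, nums)) % 89 == 0


def normalise_invoice_no(invoice_no: str) -> str:
    """Strip punctuation, spaces and leading zeros so 'INV-00123' and 'inv 123' match."""
    compact = re.sub(r"[^0-9A-Z]", "", invoice_no.upper())
    return re.sub(r"(?:^|(?<=[A-Z]))0+(?=\d)", "", compact)


def duplicate_payments(payments: list) -> list:
    """Groups of payment IDs with the same supplier, invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        key = (re.sub(r"\D", "", p.supplier_abn), normalise_invoice_no(p.invoice_no), p.amount_cents)
        groups[key].append(p.payment_id)
    return [ids for ids in groups.values() if len(ids) > 1]


def invalid_supplier_abns(payments: list) -> list:
    """Supplier ABNs that fail the check digit; these need review before any payment."""
    return sorted({p.supplier_abn for p in payments if not abn_is_valid(p.supplier_abn)})


def payroll_exceptions(records: list, gross_limit_cents: int) -> list:
    """(employee_id, exception) pairs for the quality-assurance checks the report lists."""
    findings = []
    for r in records:
        if not r.cost_centre.strip():
            findings.append((r.employee_id, "no cost centre"))
        if not r.tfn.strip():
            findings.append((r.employee_id, "no TFN"))
        if r.gross_cents > gross_limit_cents:
            findings.append((r.employee_id, "excessive gross"))
    return findings


# Constructed sample data (hypothetical suppliers and employees).
PAYMENTS = [
    Payment("P1", "51 824 753 556", "INV-00123", 150000, "2024-03-01"),
    Payment("P2", "51824753556", "inv 123", 150000, "2024-03-15"),   # same invoice paid twice
    Payment("P3", "51 824 753 557", "INV-0456", 98050, "2024-03-20"),  # one digit off: fails check
    Payment("P4", "51 824 753 556", "INV-00124", 150000, "2024-03-22"),
]
PAYROLL = [
    PayrollRecord("E1", "CC100", "123456782", 450000),
    PayrollRecord("E2", "", "123456782", 300000),
    PayrollRecord("E3", "CC200", "", 2500000),
]
GROSS_LIMIT_CENTS = 2000000  # assumed per-period threshold for the "excessive gross" check

if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("invalid ABNs:", invalid_supplier_abns(PAYMENTS))
    print("payroll exceptions:", payroll_exceptions(PAYROLL, GROSS_LIMIT_CENTS))
```

The matching key deliberately normalises the invoice number, because a resubmitted invoice rarely arrives with identical formatting; the trade-off is a few more items for a reviewer to clear, which is the right side to err on for a detective control.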
NSW Government provides limited guidance on the use of data to counter fraud and corruption and does not have a framework for implementing fraud and corruption data analytics.
Some other jurisdictions have developed a framework and guidance on the use of data analytics in fraud and corruption control. For instance, the Commonwealth Government has a Fraud Prevention Centre (the Centre) under the Attorney-General’s Department which assists Commonwealth Government entities to deal with fraud. The Centre has released a Fraud Data Analytics Leading Practice Guide, which provides a framework and principles for implementing leading practice fraud data analytics; a Fraud Data Analytics Catalogue of Techniques, which gives direction on the types of analytics techniques to explore and examples of when and how to deploy them; and a Fraud Data Capability Assessment Tool to identify an entity’s fraud data capability strengths and areas for improvement.
An established framework and improved guidance would help NSW agencies’ use of data analytical tools to more effectively identify and monitor fraud and corruption.
Nine agencies use artificial intelligence to detect fraud
We found that nine agencies within the scope of this report use Artificial Intelligence (AI) to detect fraud. As described by the NSW Government AI Strategy, AI is an intelligent technology, programs and the use of advanced computing algorithms that can augment decision-making by identifying meaningful patterns in data. AI is a tool to assist in decision-making, and service delivery, but any AI-informed decision remains the responsibility of the agency using the technology.
Agencies reported using AI to detect fraud in the following ways:
- to learn from the results of investigations into potentially fraudulent transactions and apply those lessons to new incoming financial data, such as supplier payments, purchase card transactions and employee reimbursements, looking for indications of duplication or policy non-compliance
- incorporate machine learning using factors including identity profiles, behavioural analysis, email headers, communication patterns, content analysis, payload analysis, threat intelligence, authentication and business context
- to detect linkages between applications and data points for claims for financial support on grants and rebates
- to monitor procurement activities across procurement and payment processes to identify potential fraud
- interrogation of data for fraud detection and risk management
- detection of certain types of fraud conducted via email including social engineering, credential phishing, email account takeover and invoicing and payment fraud.
The table below shows data we noted across the agencies that are using AI.
Number of agencies | Use of artificial intelligence |
7 | provide training to users on how to use the AI tool |
8 | monitor or check the effectiveness of the AI and ensure it works as designed |
4 | AI technology identified a potential fraud factor or a weakness in fraud and corruption control |
Source: Audit Office analysis.
The NSW Government released DCS-2024-04 Use of Artificial Intelligence by NSW Government Agencies on 1 July 2024 to support agencies in the safe and responsible use of AI technology, with clear accountability for its design and use. Agencies are required to adhere to the AI Ethics Policy and AI Assessment Framework in their development, procurement and use of AI systems.
Nine agencies plan to introduce AI technology to detect fraud within the next three years and are currently researching the feasibility of applications.
5.3 Notification systems
Employees and external parties should be encouraged to report unethical behaviour, including fraud. It is important for employees to be able to make such reports without fear of reprisal and with confidence the report will be taken seriously and acted upon. The culture in an organisation is its greatest protection against fraud. Anonymous notifications of actual and suspected fraudulent activity figure prominently in every survey of how organisations in both the private and public sector detect fraud.
Agencies have fraud and corruption notification policies in place, but three agencies’ policies are past their review date
All agencies have policies associated with reporting actual or suspected fraud and corruption. However, three agencies had policies that are past their scheduled review date and many can improve their policies by:
- establishing clearer reporting lines
- allowing anonymous reporting
- clearly setting out the individual’s and the agency’s reporting obligations to ICAC, NSW Police and other oversight bodies.
Up to date policies, clear reporting channels and well-publicised options for reporting fraud are all factors in making staff feel comfortable about reporting unethical behaviour.
Twenty-five agencies offer multiple ways for staff to report actual or suspected fraud and corruption
Twenty-five agencies allow anonymous reporting, detail the agency's reporting obligations and offer staff various reporting lines, such as a whistleblower reporting hotline, an email address, the intranet or a specific agency officer. Multiple reporting lines accommodate the circumstances of the reporter and the nature of the complaint.
The table below shows data we noted across the agencies’ available reporting lines.
Number of agencies | Available reporting lines |
21 | Whistleblower reporting hotline |
26 | Email address |
22 | Online e.g. through intranet |
26 | Specific agency officer |
12 | Others e.g. written mail, in-person meeting |
The table below details the different ways agencies publicise options for reporting fraud.
Number of agencies | Creating a culture that supports reporting fraud and corruption |
20 | Regular emails to staff |
6 | Posters |
16 | Staff bulletins |
24 | Intranet |
16 | Sign off at induction that the fraud policy has been read and understood |
9 | Others e.g. QR codes, training |
There are opportunities for some agencies to improve the culture that supports staff reporting actual or suspected fraud and corruption by increasing the number of reporting lines that are available to staff and publicising these options more widely.
Two agencies do not have a policy or procedure in place for carrying out investigations into actual or suspected frauds
Two agencies do not have a policy or procedure in place on carrying out investigations into actual or suspected frauds. The NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy requires that an agency’s fraud and corruption control framework includes policies, systems and processes to respond to, investigate and report suspected fraud and corruption. This requirement is supported by legislation such as the Public Interest Disclosures Act 2022 and the Independent Commission Against Corruption Act 1988. Agencies should ensure that they adhere to the requirements of the Circular.
Twenty-five agencies report fraud and corruption matters to their audit and risk committees
Twenty-five agencies’ audit and risk committees have a standing item on the agenda for reporting of actual or suspected frauds.
Oversight by an audit and risk committee provides assurance that:
- fraud and corruption matters are being dealt with appropriately in line with agency policies and relevant legislation
- systemic issues are being identified and preventative and/or detective controls implemented to address the issue
- appropriate gravity is given to criminal behaviour, particularly if it is perpetrated by senior management.
Audit and risk committees play an important role in ensuring:
- fraud and corruption risks are being assessed and managed within agency enterprise risk frameworks
- appropriate systems and processes are in place to capture and effectively investigate fraud
- management act on staff reports of actual or suspected fraud.
6. Gifts and benefits
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' managing of gifts and benefits.
Section highlights
- Nine agencies did not include in their gifts and benefits policy timeframes for key activities required by the approval process, such as making a declaration following an offer, and having it assessed by a manager authorised to approve the offer.
- Fifteen agency gifts and benefits registers contained declarations with at least one missing information field, such as details of the officer approving acceptance of the gift or benefit, the value of the gift or benefit and/or details of the reasons for the decision.
- Agencies should demonstrate their commitment to establishing a transparently ethical environment by making their gifts and benefits registers publicly available.
6.1 Background
Accepting or giving a gift or benefit could be perceived as an inducement or incentive. This is inconsistent with the statement of conduct set out in the Ethical Framework under the Government Sector Employment Act 2013, which requires agencies to implement clear policies and practices to support ethical conduct within the organisation. The 2022 Public Service Commission Direction (the Direction) established minimum standards (the minimum standards) to help agencies effectively manage gifts and benefits received by, or offered to, public sector employees.
The minimum standards include:
- maintaining a policy for the management of gifts and benefits
- maintaining a register of gifts and benefits
- providing training and support for employees.
These standards are important as gifts can be offered to agency staff with the intention of inducing them to favour a person or company for reasons other than merit. This can result in decisions that are neither in the agency's nor the public's interest. The Direction defines gifts and benefits as:
any item, service, prize, hospitality or travel, provided by a customer, client, applicant, supplier, potential supplier or external organisation, which has an intrinsic value and/or a value to the recipient, a member of their family, relation, friend or associate.
Previous Audit Office report on agency gifts and benefits management
Report on Internal Controls and Governance 2019 (published December 2019). The report found that all 40 largest agencies had a gifts and benefits policy, but there were gaps in the management of gifts and benefits by some agencies that increased the risk of unethical conduct. Where relevant, we have included the results from our 2019 report on Internal Controls and Governance below for comparison purposes.
6.2 Policy and framework
We reviewed the adequacy of the policies agencies have developed and implemented to support the minimum standards.
Agencies have established a policy for the management of gifts and benefits
All agencies have established policies and guidance to help employees in their roles and responsibilities when they are offered or receive a gift. However, ten agencies have not reviewed their gifts and benefits policies by the scheduled review date and there are some key gaps in agency policies:
- one agency’s policy did not specify how breaches should be handled
- two agencies' policies did not specify that it applied to contingent workers.
Up to date and comprehensive policies help ensure there is appropriate management of gifts and benefits. Without appropriate guidance there is a risk that staff may unwittingly accept gifts that influence, or may be perceived to have influenced their decisions.
Twenty agencies’ gift and benefit policies consider family members, relatives, friends or associates of the key management personnel
Twenty agencies’ policies cover family members, relatives, friends or associates of the key management personnel (KMP). These people are responsible for major decisions within agencies and are at greater risk of both being offered and inappropriately accepting gifts and benefits. A KMP is defined in NSW Treasury Circular TC16-12 as:
- Key Management Personnel (KMP) is a person who has the authority and responsibility for planning, directing and controlling the activities of the reporting entity, directly or indirectly, including any director (whether executive or otherwise).
A KMP’s close family members are defined as:
- family members who may be expected to influence or be influenced by that person in their dealings with the entity. Unless estranged, this includes:
- that person’s children and spouse or domestic partner
- children of that person’s spouse or domestic partner
- dependants of that person, or that person’s spouse or domestic partner.
However, some agencies’ policies do not require declaration of gifts and benefits received by or offered to the KMP’s family members, relatives, friends or associates. Such gifts and benefits, where related or consequential to the official duties of the KMP, could influence, or could be perceived to have influenced, the KMP’s decision or advice.
Agencies should ensure that the declaration requirements in their gifts and benefits policies extend to the KMP’s family members, relatives, close friends and associates.
Most policies clearly outlined employees' obligations in relation to gifts and benefits
All agencies' policies provided guidance outlining the obligations of agency staff in relation to gifts and benefits. However, we found that some agencies' policies contained one or more gaps in this guidance, as shown in the table below.
Number of agencies providing guidance | Employee's obligation, as set out in the minimum standards |
22 | not to solicit a gift or benefit |
24 | not to accept a gift or benefit as an inducement to act in a certain way |
25 | not to accept a gift or benefit where there could be a perception that it has been offered as an inducement to act in a certain way |
24 | not to accept cash, cheques, money orders or gift vouchers |
25 | not to accept a gift or benefit where it is to be provided to a family member, relation, friend or associate |
23 | not to accept a gift or benefit where the receiver currently, or may in the future, exercise discretion in the making of a decision affecting the giver |
21 | not to accept a gift or benefit when the receiver is unsure whether they should |
26 | read, understand and comply with the gifts and benefits policy |
26 | politely decline a gift or benefit that is not allowed |
23 | seek management approval to accept a gift or benefit that is allowed |
25 | promptly record gifts and benefits in the register |
Source: Audit Office analysis.
Approval processes for gifts and benefits could benefit from defined timeframes
All agencies have policies outlining the approval process for accepting gift and benefits that identify who can approve declarations and who maintains the agency gift and benefit register. However, nine agencies’ policies did not include timeframes for key activities required by the approval process, such as making a declaration following an offer, and having it assessed by a manager authorised to approve the offer.
The table below shows the declaration timeframes agencies have defined within their policies.
Number of agencies | Required timeframe to be met in declaring gifts and benefits |
1 | within 24 hours |
5 | within 5 days |
4 | within 7 days |
5 | within 10 days |
Source: Audit Office analysis.
Agencies should ensure that their policies set out timeframes. This reduces the risk that offers of gifts or benefits, and the actual or perceived conflicts of interest arising from them, will not be declared or dealt with in a timely and appropriate manner.
Six agencies do not remind staff to ensure gifts and benefits declarations are completed
All agencies maintain records of the gift and benefit declarations completed by staff. However, six agencies do not send reminders to staff to complete gifts and benefits declarations, although some agencies do follow up incomplete declarations with employees. The Direction emphasises the obligations placed on employees by the Ethical Framework for the government sector, in particular the requirements to:
- place the public interest over the personal interest
- act professionally with honesty, consistency and impartiality
- provide transparency to enable public scrutiny.
Failure to declare gifts and benefits may result in disciplinary action against staff, as outlined in the Government Sector Employment Act 2013 and the Government Sector Employment Rules, and may mean the agency is not meeting the minimum standards of the Direction.
Seven agencies do not keep data of staff who failed to complete gifts and benefits declarations within their policy timeframes
Of the 15 agencies that have specified a gift and benefit declaration timeframe, seven do not keep data on staff who failed to complete declarations within the timeframe set in their policy. Agencies should review their policy requirements to include monitoring of missed or late declarations of gifts and benefits, to help them assess the effectiveness of staff compliance with policy requirements.
6.3 Managing gifts and benefits
All agencies have implemented a standard process to declare gifts and benefits
All agencies have established a standard gift declaration form for staff to complete when making declarations about offers of gifts and benefits.
Ineffective declaration processes increase the risk that there will be an inadequate assessment over the decision to accept or decline the gift or benefit, the decision will not be authorised, or will not be made on a timely basis.
A standard declaration form ensures that all key information about the offer, and the agency's decision are captured and recorded in the gifts and benefits register.
Despite agencies having declaration procedures in place, only 22 agencies require employees to immediately declare gifts and benefits at the point at which the offer is made.
Fifteen agency gifts and benefits registers do not include all key fields, or contain gaps in recorded information
While all agencies keep a centralised register for declarations of gifts and benefits, not all registers contain the key fields suggested by the minimum standards, as set out in the table below. Fifteen agencies’ gifts and benefits registers that we reviewed contained declarations with at least one missing information field, such as details of the officer approving acceptance of the gift or benefit, the value of the gift or benefit and/or details of the reasons for the decision.
Gaps in agency gifts and benefits registers make it difficult to determine whether decisions regarding the treatment of each gift and benefit were appropriate in the circumstances and consistently applied. Gaps in information diminish the usefulness of reporting to agency executive teams and/or governance committees on trends in gifts and benefits. It also diminishes the transparency of agency reporting, where agencies make this information public.
The table below outlines whether agency gifts and benefits registers comply with key information requirements specified in the Direction's minimum standards.
Number of agencies requiring this information | Key information requirement for agency gifts and benefits registers |
26 | date of the offer or receipt |
25 | name and business unit of the receiver |
23 | name and organisation of the giver |
24 | description of the gift or benefit |
24 | estimated value of the gift or benefit |
12 | evidence supporting the estimated value |
24 | description of the context in which the gift or benefit was offered and/or received |
18 | disclosure of any relationship |
24 | name of the approving manager or supervisor |
26 | decision |
21 | reasons for the decision |
Source: Audit Office analysis.
Fourteen agencies’ gifts and benefits registers require staff to provide an estimate of 'market value' of the declared gifts and benefits
Fourteen agencies require an estimate of the ‘market value’ of the declared gifts and benefits. Market value may differ from the value the recipient estimates when declaring the gift or benefit. A lack of guidance on how to quantify declared gifts and benefits increases the risk that values reported in the register are understated to avoid a required approval.
Gifts and benefits registers are not made publicly available by all agencies
Only eight agencies have published their gifts and benefits register on their website. Publishing the gifts and benefits register demonstrates the agency's commitment to establishing a transparently ethical environment. Transparency and openness allow agencies to demonstrate to the public that appropriate decisions are being made in relation to acceptance of gifts, benefits and hospitality, and how the agency manages actual or perceived conflicts of interest.
Not all agencies have published the statement of business ethics on their website
Eighty-eight per cent of agencies have established a statement of business ethics and published it on their website. This compares favourably with the data published in our 2019 Report on Internal Controls and Governance, where we found 60% of agencies had published their statement of business ethics.
| 2024 Report (%) | 2019 Report (%) |
Agencies that have established and published a statement of business ethics | 88 | 60 |
Source: Audit Office analysis.
Without a statement of business ethics, clients, customers, suppliers and contractors may not be aware of an agency’s values, its probity processes and the standard of behaviour the agency expects when a customer, client, applicant, supplier, potential supplier or external organisation deals with the agency and its staff. It also makes it harder for agencies to hold those parties to account for conduct that breaches the ethical standards of the NSW public sector.
There are gaps in agencies’ training and support to staff on gifts and benefits
Twenty-four agencies provide training to new starters on their obligations in regards to gifts and benefits as part of the induction process. Twenty-three agencies have designated a senior officer to advise employees on their obligations, but only 21 agencies provide on-going training to all staff.
Agencies could do more in providing on-going training and awareness programs to communicate to all staff their responsibilities and obligations in relation to gifts and benefits offered or received. It also demonstrates the agency's commitment to maintaining an ethical environment and reduces the risk of inappropriate conduct by employees.
The minimum standards recommend that agencies remind staff of their obligations in managing gifts and benefits at least annually and that formal training is integrated into existing cyclical training or development activities, including performance development programs. The minimum standards also specify that the nature and type of awareness or training should take into account the risk and likelihood of receiving a gift or benefit based on the employee’s role.
Seventeen agencies maintain records of staff completion of gifts and benefits training
Seventeen agencies maintain records of staff completion of gifts and benefits training to assist them in monitoring compliance with the Direction’s minimum standards. The table below shows the number of agencies by their staff training completion rate.
Number of agencies | Percentage (%) range of staff training completion |
7 | 90 to 99 |
4 | 80 to 89 |
4 | 70 to 79 |
1 | 60 to 69 |
1 | 50 to 59 |
Source: Audit Office analysis.
We found that all agencies follow up staff who fail to complete the training. The most common steps taken are reporting non-completion to senior management and those charged with governance, and then sending reminders to staff to complete the training.
6.4 Reporting and monitoring
Monitoring and reporting on gifts and benefits improved
Twenty-one agencies had a designated senior manager who reviewed entries in the gifts and benefits register and helped ensure actions taken complied with the policy. Eighty-one per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or governance committees. This has improved significantly since we last examined this area in our 2019 Internal Controls and Governance report.
| Percentage of agencies reporting trends 2024 | Percentage of agencies reporting trends 2019 |
Trends in the number and nature of gifts and benefits recorded in gifts and benefits registers, compiled and reported to the agency's senior executives and/or governance committee | 81 | 35 |
Source: Audit Office analysis.
Of those 21 agencies, 12 report quarterly, eight report annually and one reports on an ad hoc basis to senior management and/or governance committees.
Periodic review of the number, nature and trends in gifts and benefits registers by agency executive management and/or governance committees helps agencies support an ethical culture by:
- highlighting potential compliance issues or conflicts of interest and ensuring safeguards are appropriately and consistently applied to address such issues
- identifying, through trend analysis, where targeted intervention, such as training and awareness activities is required
- providing assurance that actions taken in relation to gifts and benefits offered to staff have been dealt with consistently and in compliance with agency policy.
Reporting and monitoring of this nature also helps reinforce to staff the importance of complying with the agency's gifts and benefits policy.
Of those agencies that reported information on gifts and benefits to senior management and/or governance committees, the areas that were reported included the following:
Number of agencies | Trends in gifts and benefits reported to agency senior executives and/or governance committees |
12 | business units/divisions receiving most gifts and benefits |
10 | particular employees receiving more gifts and benefits |
10 | specific suppliers or parties that are providing gifts and benefits more frequently or of a high value |
13 | comparison of declarations from prior months and year |
5 | any real or perceived conflicts of interest that have arisen during the period |
5 | others such as opportunities for improvements, detailed description of accepted gifts and notable declarations |
Source: Audit Office analysis.
Five agencies do not report the gifts and benefits register to their governance committees.
All agencies should report the gifts and benefits register as a standing agenda item to the governance committees, such as audit and risk committees.