Report highlights
What the report is about
Results of the local government sector council financial statement audits for the year ended 30 June 2021.
What we found
Unqualified audit opinions were issued for 126 councils, 13 joint organisation audits and nine county councils in 2020–21.
A qualified audit opinion was issued for Central Coast Council who was unable to provide evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets.
The audit of Kiama Municipal Council is still in progress as at the date of this report due to significant accounting issues not resolved resulting in corrections to the financial statements and prior period errors.
Forty-one councils and joint organisations (2020: 16) received extensions to submit audited financial statements to the Office of Local Government (OLG).
Councils were impacted by recent emergency events, including bushfires, floods and the COVID-19 pandemic. The financial implications from these events varied across councils. Councils adapted systems, processes and controls to enable staff to work flexibly.
What the key issues were
There were 1,277 audit findings reported to councils in audit management letters.
Ninety-two high-risk matters were identified across the sector:
- 69 high-risk matters relating to asset management (see page 30)
- six high-risk matters relating to information technology (see page 39)
- six high-risk matters relating to financial reporting (see page 26)
- six high-risk matters to council governance procedures (see page 22)
- five high-risk matters relating to financial accounting (see page 28).
More needs to be done to reduce the number of errors identified in financial reports. Twenty-nine councils required material adjustments to correct errors in previous audited financial statements.
Rural firefighting equipment
Sixty-eight councils did not record rural firefighting equipment estimated to be $145 million in their financial statements.
The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include these assets, as the State is of the view that rural firefighting equipment that has been vested to councils under the Rural Fires Act 1997 is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control rural firefighting equipment that has been vested to them.
The continued non-recording of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.
What we recommended
Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes and recognise this equipment as assets in their financial statements.
Consistent with OLG’s role to assess council’s compliance with legislative responsibilities, standards or guidelines, OLG should intervene where councils do not recognise rural firefighting equipment.
Fast facts
- 150 councils and joint organisations in the sector
- 99% unqualified audit opinions issued for the 30 June 2021 financial statements
- 489 monetary misstatements reported in 2020–21
- 54 prior period errors reported
- 92 high-risk management letter findings identified
- 53% of reported issues were repeat issues.
Early financial reporting procedures
Fifty-nine per cent of councils performed some early financial reporting procedures, less than the prior year.
What we recommended
OLG should require early financial reporting procedures across the local government sector by April 2023. Policy requirements should be discussed with key stakeholders to ensure benefits of the procedures are realised.
Asset valuations
Audit management letters reported 288 findings relating to asset management. Fifty-eight councils had deficiencies in their processes to revalue infrastructure assets.
Thirty-five councils corrected errors relating to revaluations amounting to $1 billion and 13 councils had prior period errors relating to asset revaluations that amounted to $253 million.
What we recommended
Councils should have all asset revaluations completed by April of the financial year subject to audit.
Integrity/completeness of asset records
Sixty-seven councils had weak processes over maintenance, completeness and security of fixed asset registers.
Thirty-five councils corrected errors to the financial statements relating to poor record keeping of asset data that amounted to $102.1 million. Nineteen councils had 27 prior period financial statement errors that amounted to $417.1 million relating to the quality of asset records such as found and duplicate assets.
What we recommended
Councils need to improve controls and processes to ensure integrity and completeness of asset source records.
Cybersecurity
Our audits found that cybersecurity frameworks and related controls were not in place at 65 councils.
These councils have yet to implement basic governance and internal controls to manage cybersecurity such as having a cybersecurity framework, policy and procedure, register of cyber incidents, system penetrations testing and training.
What we recommended
OLG needs to develop a cybersecurity policy to be applied by councils as a matter of high priority in order to ensure cybersecurity risks over key data and IT assets are appropriately managed across councils and key data is safeguarded.
Councils should monitor the implementation of recommendations
Fifty-three per cent of total findings reported in 2020–21 audit management letters were repeat or partial repeat findings from prior years.
What we recommended
Councils and those charged with governance should track the progress of implementing recommendations from financial audits, performance audits and public inquiries.
Key financial information
In 2020–21, councils:
- collected $7.6b in rates and annual charges
- received $5.1b in grants and contributions
- incurred $4.8b of employee benefits and on costs
- held $15.3b of cash and investments
- managed $161.7b of infrastructure, property, plant and equipment
- entered into $3.4b of borrowings.
Auditor-General’s foreword
Pursuant to the Local Government Act 1993 I present my report Local Government 2021. My report provides the results of the 2020–21 financial audits of 127 councils, 13 joint organisations and nine county councils.
Unqualified audit opinions were issued for 126 councils, 13 joint organisation and nine county councils in 2020–21. My independent auditor’s opinion was qualified for Central Coast Council who was unable to provide evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets.
The 2020–21 year was challenging from many perspectives, not least being the continuing impact of and response to the recent emergency events, including bushfires, floods and the COVID-19 pandemic. We appreciate the efforts of council staff and management right across local government and they must be congratulated for their responsiveness and resilience in meeting their financial reporting obligations in such challenging circumstances.
This report makes a number of recommendations to councils and to the regulator, the Office of Local Government within the Department of Planning and Environment. These are intended to support councils to further improve the timeliness, accuracy and strength of financial reporting and their governance arrangements. Arguably, when faced with challenges, it is even more important to prioritise and invest in systems and processes to protect the integrity of councils' operations and promote accurate and transparent reporting.
I look forward to continuing engagement and constructive dialogue with councils in 2022–23 and beyond.
Margaret Crawford
Auditor-General for New South Wales
1. Introduction
1.1 The local government sector
Local government is the third tier of government. It is established under state legislation, which defines the powers and geographical areas each council is responsible for.
At 30 June 2021, there were 128 local councils, 13 joint organisations and nine county councils in New South Wales.
Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths and drains, and enforce various laws. While core functions such as waste collection are similar across councils, the range of services each council provides can vary depending on the needs of each community.
County councils are formed for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.
Joint organisations (JOs) are formed by councils in regional New South Wales. Core activities of JOs include regional strategic planning and priority setting, engaging in shared services with member councils, and regional advocacy and collaboration with the state and federal governments.
This report provides the results of the 2020–21 financial audits of 127 councils, 13 joint organisations and nine county councils.
In preparing this report, our observations and analyses were drawn from:
- audited financial statements
- performance audit reports
- data collected from councils
- audit findings reported to councils in audit management letters.
Each local council has unique characteristics such as its size, location and services provided to their communities. To enable comparison, we divided councils into three categories – metropolitan, regional and rural. County councils and joint organisations are separately identified in the report. Details of councils grouped into categories are provided in Appendix three.
1.2 Performance audit
Our performance audits assess whether the activities of government entities are being carried out effectively, economically, efficiently and in compliance with relevant laws. Our mandate to conduct these audits is provided under the Local Government Act 1993 (LG Act).
Performance audits relevant to the local government sector in 2021–22 included:
Integrity of grant program administration
The objective of Integrity of grant program administration was to assess the integrity of the assessment and approval processes for NSW Government grant programs. The audit focused on two grant programs:
- Stronger Communities Fund Round 2 (tied grants round), which was administered by the Office of Local Government (OLG) within the Department of Planning and Environment, and provided $252 million to newly amalgamated councils and other councils that had been subject to a merger proposal during 2017–18 and 2018–19.
- Regional Cultural Fund, which was administered by Create NSW (now within the Department of Premier and Cabinet) and awarded $100 million for cultural projects in regional NSW.
We recommended the Department of Premier and Cabinet develop a model to use for all grant program administration in NSW. The Department of Planning and Environment should ensure that guidelines prepared are published and include a governance framework that includes accountabilities and key assessment steps.
Local government business and service continuity arrangements for natural disasters
Local government business and service continuity arrangements for natural disasters followed on from 'Report on Local Government 2020' with a detailed examination of the effectiveness of business and service continuity arrangements for natural disasters in two councils: Bega Valley Shire Council and Snowy Valleys Council.
In making this assessment, we considered whether the selected councils:
- had documented approaches for identifying, mitigating and responding to disaster-related risks to business and service continuity
- effectively implemented strategies to prepare for identified disaster-related impacts
- were effective in managing business and service continuity during their response to selected disasters.
We recommended:
- Bega Valley Shire Council should update and regularly review its business continuity plans, provide business continuity training, and improve its monitoring of risk controls and actions, including for natural disaster impacts.
- Snowy Valleys Council should document and monitor all disruption-related risks and controls, regularly review and update its business continuity plans, and progress planned actions to increase staff awareness of business continuity plans.
- Across both councils, we recommended that record keeping relating to service delivery during natural disasters should be adequate to inform post incident reviews and future updates to business continuity.
Building regulation: combustible external cladding
Building regulation: combustible external cladding focused on how effectively the Department of Customer Service (DCS) and Department of Planning and Environment (DPE) led reforms addressing the unsafe use of combustible external cladding on existing residential and public buildings.
Nine local councils were included in the audit because they have responsibilities and powers needed to implement the NSW Government’s reforms.
We recommended the DCS and DPE should:
- address the confusion surrounding the application of the Commissioner for Fair Trading's product use ban for aluminium composite panels with polyethylene content greater than 30%
- develop an action plan to address buildings assessed as low-risk
- improve information systems to track all buildings from identification through to remediation.
The following local government performance audit reports are either planned or in progress with an expectation to complete them in 2022:
- Development applications: assessment and determination stages
This audit aims to assess whether selected councils are effectively assessing and determining development applications and whether selected councils and the Department of Planning and Environment are effectively supporting independent planning panels to determine development applications in compliance with relevant legislation, regulations and government guidance.
- Effectiveness of financial management and governance in selected council(s)
Under the LG Act, councils must apply sound financial management principles that require responsible and sustainable spending and investment, and ensure that future decisions consider intergenerational effects and equity. This audit will examine how these principles are effectively applied in councils’ financial and asset management, funding decisions and risk management practices, and may examine how councils’ expenditure and investment decisions have complied with legislative requirements.
- The effectiveness of local government regulation and support
This audit aims to assess whether the Office of Local Government within the Department of Planning and Environment is effectively monitoring and regulating the local government sector in NSW.
- Audit Office Insights 2018–2022
This report will analyse the key findings and recommendations from performance and other audits tabled in the New South Wales Parliament between 2018 and 2022, spanning varied areas of government activity, including local government. The report will present common findings and lessons from the past three years of audits with particular focus on issues relating to the integrity and transparency of decision-making and processes, as well as the fundamentals of good governance such as probity controls and record keeping.
2. Audit results
Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines audit observations related to the financial reporting of councils and joint organisations.
Highlights
|
2.1 Quality of financial reporting
The Auditor-General is required under the LG Act to issue an audit opinion on the following reports prepared by councils.
Indicators of quality financial reporting include:
- unqualified audit opinions
- the number of errors in financial statements
- timeliness in preparing financial statements.
Audit opinions
Unqualified audit opinions were issued for all but one council
Except for Central Coast Council, unqualified audit opinions were issued for all completed councils and joint organisations' 30 June 2021 financial statements audits. Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement and were prepared in accordance with Australian Accounting Standards and the LG Act.
Qualified audit opinion issued for Central Coast Council on carrying values of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply network and sewerage network assets
A qualified audit opinion was issued for the 30 June 2021 financial statements of Central Coast Council. As disclosed in the financial statements of Central Coast Council, the council recognised $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply network and sewerage network assets within ‘Infrastructure, property, plant and equipment’ in the Statement of Financial Position as at 30 June 2021.
In the 'Statement by the Administrator and Management', Central Coast Council certified that they were unable to provide sufficient evidence to support the carrying values of these assets in the Statement of Financial Position as at 30 June 2021. This is because the asset data used by council to value these assets could not be reconciled by council to its financial records prior to the valuation. The asset data was sourced from a non-financial system that did not include financial information or reference data that could be used to identify assets in council's fixed asset register.
Due to this limitation in scope of our audit, we were also unable to obtain sufficient appropriate audit evidence to support the carrying value of these assets and determine its impact on the Income Statement, Statement of Comprehensive Income and relevant notes to the financial statements for the year ended 30 June 2021.
Emphasis of matter paragraphs were included in Tenterfield Shire Council and Central Coast Council audit opinions relating to non-compliance with the LG Act
An emphasis of matter paragraph was included in the Independent Auditor's Reports to draw attention to non-compliance with the LG Act which both councils self-disclosed in their financial statements.
Both councils breached sections 409 and 410 of the LG Act during the year ended 30 June 2021 by accessing restricted funds without the required approvals.
Council | Reason |
Tenterfield Shire Council |
|
Central Coast Council |
|
Audit is still in progress for one council
The following audit remains outstanding and the outcome will be reported in next year's report to Parliament:
Council | Reason |
Kiama Municipal Council | Resolving issues including:
|
Errors identified through audits
Increase in the dollar value of errors identified
Our audits identified more errors and the total dollar value of these errors was higher compared to the prior year. It is important that councils perform robust reviews to minimise errors identified in financial statements. There were 18 councils (2019–20: 20 councils) where no errors were identified in their financial statements.
Corrected errors
A corrected error is an error identified by the auditor or council, which is subsequently corrected by council in the financial statements.
|
Corrected errors | By council type (2021 only) | |||||
Year ended 30 June | 2020 | 2021 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 60 | 66 | 5 | 9 | 41 | 5 | 6 |
$250,000 to $500,000 | 25 | 37 | 5 | 10 | 20 | 2 | -- |
$500,000 to $1 million | 41 | 38 | 10 | 18 | 10 | -- | -- |
$1 million to $5 million | 69 | 69 | 18 | 32 | 19 | -- | -- |
$5 million to $15 million | 27 | 19 | 9 | 9 | 1 | -- | -- |
$15 million to $30 million | 8 | 4 | 2 | 1 | 1 | -- | -- |
$30 million to $50 million | 5 | 6 | 3 | 3 | -- | -- | -- |
$50 million and greater | 3 | 7 | 3 | 3 | 1 | -- | -- |
Total number of errors | 238 | 246 | 55 | 85 | 93 | 7 | 6 |
Total value of errors ($ million) | 1,070 | 1,686 | 504 | 1,038 | 143 | 1 | -- |
Of the 246 corrected errors identified in the 30 June 2021 financial statements, 13 were greater than $30 million:
Council | Description of corrected error |
Albury City Council |
Council’s financial statements were corrected by management following the commencement of the audit to reflect asset indexation movements amounting to $33.2 million. |
Camden Council |
Council's revaluation of other structures/open space assets was overstated by $37.1 million because incorrect cost unit rates were used to value the assets. This error was identified and corrected by management. |
Carrathool Shire Council |
Council's revaluation of road assets was understated by $58.9 million because accumulated depreciation was incorrectly counted twice in the supporting calculation. |
Central Coast Council |
Council's financial statements were corrected to reflect fair value of its operational land amounting to a $85.8 million increase to its carrying value. |
Coffs Harbour City Council |
Council, as the lessor, had incorrectly assessed the long‑term lease of its airport assets as an operating lease, instead of a finance lease. This resulted in the following amendments:
|
Council of the City of Sydney | Review of council’s revaluation of land assets identified an inaccurate land area for a parcel of Crown land, one that is only partially within council’s care and control, resulting in an overstatement of land revaluation by $73.2 million. |
Cumberland City Council |
Council's roads and stormwater drainage assets decreased in value by $71.6 million. This fair value adjustment was incorrectly adjusted to asset revaluation reserves instead of expenses in the income statement (given the council did not have sufficient reserves to offset against the decrease in value). |
Georges River Council |
Council's revaluation of stormwater drainage, specialised and non‑specialised buildings asset classes was incorrectly overstated by $38.2 million in the financial statements. |
MidCoast Council |
Council's revaluation of community and Crown land was understated by $31.7 million due to a lack of management oversight in recording revaluation adjustments in the trial balance and the financial statements. |
Shoalhaven City Council |
Council's financial statements submitted for audit were not updated for the revaluation adjustments for roads, bridges, bulk earthworks and stormwater drainage amounting to $466 million. |
The Hills Shire Council |
Council incorrectly applied AASB 1058 'Income of Not‑for‑Profit Entities' to certain capital grants, which resulted in revenue being overstated by $31.2 million. |
The common areas where corrected errors were identified are outlined below.
Common corrected errors | Number of errors |
Poor record keeping of asset data, such as:
|
46 |
Asset revaluation errors, such as:
|
45 |
Incorrectly accounting for liabilities and accruals | 20 |
Uncorrected errors
An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. There are various reasons why errors are not corrected, the most common being it is not material to the financial statements taken as a whole.
|
Uncorrected errors | By council type (2021 only) | |||||
Year ended 30 June | 2020 | 2021 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 94 | 88 | 5 | 14 | 62 | 4 | 3 |
$250,000 to $500,000 | 43 | 44 | 8 | 9 | 26 | 1 | -- |
$500,000 to $1 million | 33 | 37 | 8 | 14 | 15 | -- | -- |
$1 million to $5 million | 78 | 68 | 11 | 30 | 26 | -- | 1 |
$5 million to $15 million | 3 | 6 | 2 | 1 | 3 | -- | -- |
$15 million to $30 million | 1 | -- | -- | -- | -- | -- | -- |
Total number of errors | 252 | 243 | 34 | 68 | 132 | 5 | 4 |
Total value of errors ($ million) | 254 | 238 | 46 | 83 | 104 | 1 | 4 |
Sixty-one per cent of the total value of uncorrected errors was due to unrecorded rural firefighting equipment
In 2017, we recommended that OLG should address the different practices across the local government sector in accounting for rural firefighting equipment.
In 2020–21, 68 (2019–20: 68) councils did not record rural firefighting equipment in their financial statements estimated to be $145 million (2019–20: $119 million). Forty-one councils recognise this equipment in their financial statements with a total value of $162.8 million, highlighting the inconsistent recognition practices across the local government sector.
The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include these assets, as the State is of the view that rural firefighting equipment that has been vested to councils under section 119(2) of the Rural Fires Act 1997 is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control the rural firefighting equipment that has been vested to them. It is important to note that there are only two parties to the agreements that govern the use of vested rural firefighting equipment, leaving only two parties who would be considered to control this equipment – the NSW Rural Fire Service in the State sector, or councils in the local government sector.
The Department of Planning and Environment (inclusive of the Office of Local Government) (the Department) confirmed in the ‘Report on Local Government 2020’ (tabled in Parliament on 27 May 2021) their view that rural firefighting equipment is not controlled by the NSW Rural Fire Service.
The Local Government Code of Accounting Practice and Financial Reporting confirms the State’s view that it does not control these assets but provides that ‘Councils need to assess whether they control any rural firefighting equipment in accordance with Australian Accounting Standards’. It would seem however, given the State’s view that it does not control these assets, that these assets can only be controlled and therefore recognised by councils in the local government sector.
Despite this, many councils do not report these critical assets in their financial statements.
The continued non-recording of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed. Councils who have rural firefighting equipment vested from the NSW Rural Fire Service should recognise these assets in their financial management systems and consider their condition and useful life.
Recommendation to councilsCouncils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes. Consistent with the requirements of the Australian Accounting Standards, councils should recognise this equipment as assets in their 30 June 2022 financial statements. |
The Department should intervene where councils do not recognise rural firefighting equipment
The Department, through the Office of Local Government, requires each council to prepare financial statements in accordance with Australian Accounting Standards (accounting standards), as required by the LG Act. The State Government, through NSW Treasury (and in agreement with the Department), has concluded that under accounting standards rural firefighting equipment vested to councils is not controlled by the State, and further on balance that councils in the local government sector control this rural firefighting equipment.
The Department’s role includes assessing whether intervention is appropriate with respect to council's compliance with and performance against legislative responsibilities, standards or guidelines. Given the State's clear position, it would appear that any council not recognising this equipment is non-compliant with the relevant accounting standards.
Having considered the accounting position papers prepared by the respective stakeholders, the Audit Office has advised councils and the Department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards.
The Department should now intervene to address this matter as a priority.
Recommendation to the DepartmentConsistent with the Department’s role to assess council’s compliance with legislative responsibilities, standards or guidelines, the Department should intervene where councils do not recognise rural firefighting equipment. |
We acknowledge that the Department has committed to working closely with NSW Treasury to educate, guide and assist councils to understand the State’s view regarding ownership and recognition of rural firefighting equipment in their financial statements.
Non-recognition of this equipment may impact the financial statements audit opinions of those councils
The NSW Rural Fire Service (NSW RFS), a state government entity, has spent in excess of $1.1 billion over the past ten years on rural firefighting activities and equipment. While confirming the State Government's position that it does not control this equipment, the NSW RFS advised it has a complete listing of the rural firefighting equipment vested to councils under section 119(2) of the Rural Fires Act 1997, and has provided this to the Department. The NSW RFS also confirmed that as it does not control the equipment, it is unable to confirm its value or condition.
This raises two general questions: whether these assets are being properly managed as in some instances they are purportedly not controlled by any government sector and are not recorded in either the State or the local government sector financial records, and whether in these instances there is non-compliance with accounting standards if this equipment is not recorded in the financial statements of councils. This may impact audit opinions on the financial statements of councils.
The Audit Office is conducting performance audits of the NSW Rural Fire Service (Planning and managing bushfire equipment) and the Office of Local Government (The effectiveness of local government regulation and support).
Prior period errors
A prior period financial statement error is an error identified in the current year that relates to the previous year’s audited financial statements.
Prior period errors | By council type (2021 only) | |||||||
Year ended 30 June | 2020 | 2021 | Metro | Regional | Rural | County | JO | |
Less than $250,000 | 2 | 4 | 1 | -- | 3 | -- | -- | |
$250,000 to $500,000 | 4 | 2 | -- | 1 | 1 | -- | -- | |
$500,000 to $1 million | 1 | 4 | 2 | -- | 2 | -- | -- | |
$1 million to $5 million | 18 | 11 | 5 | 1 | 4 | 1 | -- | |
$5 million to $15 million | 21 | 19 | 9 | 8 | 2 | -- | -- | |
$15 million to $30 million | 9 | 6 | 6 | -- | -- | -- | -- | |
$30 million to $50 million | 1 | 4 | 3 | 1 | -- | -- | -- | |
$50 million and greater | 5 | 4 | 2 | 2 | -- | -- | -- | |
Total number of errors | 61 | 54 | 28 | 13 | 12 | 1 | -- | |
Total value of errors ($ million) | 813 | 777 | 500 | 241 | 32 | 4 | -- |
Of the 54 prior period errors, eight were greater than $30 million. All these errors were asset related.
Council | Description of prior period error |
Armidale Regional Council | Council's revaluation of roads, bridges, footpaths, stormwater drainage and transport ancillary assets identified errors relating to prior periods, such as:
|
Blacktown City Council | Council's revaluation of community land identified certain properties amounting to $79.4 million that were no longer in council's ownership since previous years. |
Blue Mountains City Council | Council identified duplicate road shoulder assets amounting to $37.7 million in the asset records in previous years. |
Georges River Council | Council's infrastructure, property, plant and equipment were overstated by $32.1 million due to incorrect fair values used, found and duplicate assets recorded. |
Ku-ring-gai Council | Council's community land was understated by $49.7 million as newly discovered assets were identified but had not been recognised in previous years. |
Penrith City Council | Council's revaluation of land under roads assets identified and corrected an overstatement of $80.7 million due to duplication of certain sections of land and inclusion of assets not controlled by council at the time of the original recognition of the assets. |
Tamworth Regional Council | Council's revaluation of roads identified infrastructure assets controlled by the council that had not been recognised in the financial statements amounting to $53.9 million. |
There were no prior period errors identified at joint organisations.
Of the 54 prior period errors, 45 were asset related that were identified in 28 councils. The common areas where prior period errors were identified are outlined below.
Eighty-three per centre of the total prior period errors were asset related
Common prior period errors | Number of errors |
Poor record keeping of asset data, such as:
|
27 |
Asset revaluation errors, such as:
|
18 |
2.2 Timeliness of financial reporting
The LG Act requires councils to submit their audited financial reports to OLG by the statutory deadline of 31 October or apply for an extension.
Seventy-three per cent of councils lodged their audited financial statements by the statutory deadline
Councils faced significant challenges responding to the impacts of the COVID-19 pandemic and natural disasters. In some cases, this impacted their ability to submit financial statements to OLG by the statutory deadline.
One hundred and nine councils and joint organisations lodged their audited financial statements by the statutory deadline.
Forty-one councils and joint organisations (2020: 16) applied for, and received, an extension to lodge their audited financial statements at a later date. Fifteen councils applied for more than one extension.
The common reasons why councils required extensions are summarised below.
Common reasons for seeking extension | Council or joint organisation |
COVID-19 pandemic impacted council's ability to:
|
|
Revaluation of infrastructure, property, plant and equipment required more time due to complexities involved. |
|
New IT system(s) implemented were not ready for financial reporting purposes. |
|
Resourcing issues impacting council and audit due to staff shortages affecting year-end financial reporting and audit timeframes. |
|
Accounting matters that required more time to resolve. |
|
Councils' meeting times did not align with signing of the statements. |
|
Less councils performed early financial reporting procedures
Early close procedures allow financial reporting issues and risks to be addressed by management and audit early in the financial statement close process. Such procedures help to confirm that key controls over councils' balances are carried out and that there is early dialogue with councils and the Audit Office on significant issues. These procedures form good practice that should in any case be carried out at appropriate points in the financial year. This helps to improve the quality and timeliness of financial reporting.
Councils can work with the Audit Office to agree on key early close procedures and an agreed timetable to complete the procedures that will be audited before 30 June. This process will allow for audit observations and feedback on the early close outcomes in time for them to be considered in the year-end financial reporting process.
The intention of these procedures is to facilitate the earlier preparation of councils' financial statements as well as improve quality and minimise the risk of audit qualifications or errors in financial statements submitted to the Audit Office.
Early close plans should allow sufficient time for management review and involvement of Audit Risk and Improvement Committees.
Some early close procedures that councils should consider include:
- completing proforma financial statements and ensuring management has endorsed the statements and reviewed the supporting working papers
- performing and documenting an annual assessment of the fair value of infrastructure, property, plant and equipment, their useful lives, and the reasons why the carrying value was not materially different to the fair value. This assessment is performed between comprehensive revaluations
- completing the comprehensive revaluation of infrastructure, property, plant and equipment by an agreed early close date
- explaining all unresolved prior year audit issues, with a proposed action plan to resolve them
- documenting all significant management judgements and assumptions made when estimating transactions and balances
- reconciling all key account balances (including annual leave provisions) and clearing reconciling items
- supporting work papers evidencing how management has considered the requirements of new and updated accounting standards.
RecommendationOLG should require early close procedures across the local government sector by 30 April 2023. Policy requirements should be discussed with key stakeholders to ensure benefits of the procedures are realised. |
It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at the earlier finalisation of annual reports to both council and the regulator should be a priority.
This year, 59% (2019–20: 76%) of councils performed some early financial reporting procedures, including:
- completing infrastructure, property, plant and equipment valuations before 30 June (42 councils)
- performing fair value assessment of infrastructure, property, plant and equipment (24 councils)
- preparing proforma financial statements and associated disclosures (25 councils)
- assessing the impact of material, complex and one-off significant transactions (26 councils)
- explaining all unresolved prior year audit issues, with a proposed action plan to resolve them (39 councils)
- assessing the impact of new accounting standards (58 councils).
2.3 Implementation of new accounting standards
AASB 1059 became effective for all NSW councils and joint organisations for the 2020–21 financial year. It applies to arrangements which may involve a private sector operator designing, constructing or upgrading assets used to provide public services, and operating and maintaining those assets for a specified period of time. In return, the private sector operator is compensated by the public sector entity (the grantor).
AASB 1059 did not result in councils and joint organisations recognising service concession assets and liabilities in their financial statements.
3. Key audit findings
A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.
This chapter outlines the overall trends in governance and internal control findings across councils, county councils and joint organisations in 2020–21.
Financial audits focus on key governance matters and internal controls supporting the preparation of councils' financial statements. Audit findings are reported to management and those charged with governance through audit management letters.
Highlights
|
Total number of findings reported in audit management letters decreased
In 2020–21, 1,277 audit findings were reported in audit management letters (2019–20: 1,435 findings). No extreme audit risk findings were identified this year. The extreme risk relating to Central Coast Council's use of externally restricted funds in 2019–20 was partially addressed by management and has been rated as a high-risk for 2020–21. The total number of high-risk findings increased to 92 (2019–20: 53 high-risk findings).
Findings are classified as new, repeat or ongoing, based on:
- new findings were first reported in 2020–21 audits
- repeat findings were first reported in prior year audits, but remain unresolved in 2020–21
- ongoing findings were first reported in prior year audits, but the action due dates to address the findings are after 2020–21.
Findings are categorised as governance, financial reporting, financial accounting, asset management, purchases and payables, payroll, cash and banking, revenue and receivables, or information technology. The high-risk and common audit findings across these areas are explored further in this chapter.
3.1 Sector-wide common audit findings
Councils can complete their asset valuations earlier
Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.
We identified a total of 288 findings that related to asset management. Further, we identified that 58 councils had deficiencies in their processes to revalue infrastructure assets.
Common issues identified include:
- inadequate documentation to support key assumptions and judgements applied including:
- useful lives and condition assessments
- unit rates used to value infrastructure assets
- incorrect classification of assets
- incorrect exclusion of some assets from valuations
- management not documenting their quality review over the asset valuation
- valuations commencing too late in the financial year and delaying the preparation of the financial statements.
Council's financial statements contained significant corrected errors relating to asset valuations:
- 35 councils corrected 45 errors relating to asset revaluations that amounted to $1 billion
- 13 councils had 18 prior period errors relating to asset revaluations that amounted to $253 million.
Performing asset valuations earlier gives time for management and auditors to complete all requirements before the financial statements are prepared and allows earlier sign offs to be achieved. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit:
- 42 councils (28%) completed infrastructure, property, plant and equipment valuations before 30 June 2021
- 24 councils (16%) performed fair value assessments of infrastructure, property, plant and equipment.
RecommendationCouncils should have all asset revaluations completed by April of the financial year subject to audit. Councils should:
|
Asset management and integrity/completeness of asset records
Asset management systems record key data on councils' infrastructure, property, plant and equipment. Maintaining accurate and up-to-date asset data helps council in making appropriate decisions around asset management.
Sixty-seven councils had weak processes over maintenance, completeness and security of fixed asset registers as reported in section 3.5 (refer to page 33). Common issues identified include:
- inaccurate and incomplete data in asset registers such as duplicate or missing assets
- fixed asset registers for additions and disposals were not regularly updated
- asset registers were not maintained in a secure format.
As reported in section 2.1 (refer to page 14), 19 councils had 27 prior period financial statement errors amounting to $417.1 million. These were related to the quality of asset records, such as found and duplicate assets. In particular, growth councils have increased risk that developer contributed assets are not being recorded timely, resulting in incomplete asset records.
Forty-six corrected errors in the financial statements, amounting to $102.1 million, relate to poor record keeping of asset data, such as:
- unrecorded assets controlled by council
- assets recorded that are no longer controlled by council
- duplicate assets
- assets incorrectly classified.
RecommendationCouncils need to improve controls and processes to ensure integrity and completeness of asset source records. Councils should:
|
OLG should finalise a cybersecurity policy for the local government sector
Poor management of cybersecurity can expose councils to a broad range of risks, including financial loss, reputational damage and data breaches.
Our audits found that cybersecurity security frameworks and related controls were not in place at 65 councils. These councils have yet to implement basic governance and internal controls to manage cybersecurity such as having:
- a cybersecurity framework, policy and procedure
- register of cyber incidents
- system penetrations testing
- cybersecurity training and awareness program.
Refer to section 3.10 'Information technology (IT)' of this chapter for further details.
In 2019 we recommended that OLG should develop a cybersecurity policy by 30 June 2021 to ensure a consistent response to cybersecurity risks across councils. We understand a draft policy is in development.
Repeat recommendationOLG needs to develop a cybersecurity policy to be applied by councils as a matter of high priority in order to ensure cyber security risks over key data and IT assets are appropriately managed across councils and key data is safeguarded. |
Councils should monitor the implementation of recommendations
Fifty-three per cent of total findings reported in 2020–21 audit management letters were repeat or partial repeat findings from prior years.
Councils should establish policies on assigning, tracking and monitoring the progress of implementing recommendations from financial audits, as well as performance audits and public or parliamentary inquiries.
Councils should maintain a register of recommendations from financial audits, performance audits and public inquiries which include features such as:
- risk or priority rating to the issue or recommendation
- expected completion dates
- milestone due dates for larger implementation plans with multiple steps
- record of revisions to due dates
- comments to explain why due dates were changed
- assigned ownership with responsibilities.
Councils should consider performing acquittals and subsequent reviews to ensure the council's response to recommendations effectively address the issue and actions are still in place or operating as intended.
Councils should be reporting the status of recommendations on a regular basis to management and those charged with governance/audit, risk and improvement committee (ARIC).
RecommendationCouncils and those charged with governance should track the progress of implementing recommendations from financial audits, performance audits and public inquiries. |
3.2 Governance
Governance is the framework of rules, processes and systems that enables organisations to achieve goals and comply with legal requirements. Good governance promotes public confidence and satisfaction in councils' operations. Key governance areas include appropriate accountability mechanisms, operational and financial risk management, and fraud prevention.
Governance findings decreased from 239 to 214
Audit management letters reported 214 findings relating to governance (2019–20: 239 findings). Sixty-five per cent were repeat or partial repeat findings.
Extreme risk findings
No extreme risk findings were identified in 2020–21. Last year, one extreme risk finding was reported at Central Coast Council. The council spent restricted funds for unrestricted purposes during 2019–20, without the appropriate approvals under the LG Act. It was reclassified as a high-risk finding in 2020–21.
High-risk findings
Six high-risk findings were reported at the following councils, including three new findings, two repeat findings and one repeat finding reclassified from extreme risk in 2019–20. One of the 2019–20 high-risk findings was resolved and one finding was reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
Council | Description |
2020–21 findings | |
Hunter Joint Organisation (new finding) | Council has not complied with the requirements of section 55 of the Act which requires the council to invite tenders before entering into any contracts as prescribed in the LG Act. |
Tenterfield Shire Council (new finding) | Council spent restricted funds for unrestricted purposes during 2020–21, without the appropriate approvals under the LG Act. |
Central Coast Council (new finding) | A significant number of internal audit findings remained unresolved in 2020–21. Almost a quarter of these were related to calendar years 2018 and 2019. |
Central Coast Council (repeat finding, reclassified from extreme risk in 2019–20 to high-risk in 2020–21) | Similar to last year, the council spent restricted funds for unrestricted purposes, without the appropriate approvals under the LG Act. As council pooled its restricted funds within a common bank account, it was not clear which category of restricted funds has been inappropriately spent. This indicates the council's oversight of the restricted funds was not always effective. |
Central Coast Council (repeat finding) | Council did not have a policy document or framework setting out legislative and operational requirements for each category of externally restricted funds. Council was unable to provide the basis for some externally restricted funds. |
Mid-Western Regional Council (repeat finding) |
Council did not fully comply with its obligations under the Unclaimed Money Act 1995, as funds held by council for more than six years should be assessed for remittance to Revenue NSW. |
Common findings
The common governance findings reported in audit management letters related to deficiencies in corporate governance policies, fraud controls and legislative compliance.
Key corporate governance policies were not in place or regularly updated at 70 councils
The common areas where councils were missing governance policies are summarised below.
Area of corporate governance with absent or outdated policies | Number of councils |
Risk management | 27 |
Contract management | 19 |
Business continuity plan | 21 |
Gifts and benefits | 9 |
Public interest disclosures | 4 |
Other policies not formally adopted or reviewed timely | 29 |
Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.
Further issues were identified in contract management for 30 councils. While contract management policies were in place for these councils, we identified deficiencies in their contract management practices or contract register management. There is an increased risk of non-compliance with the Government Information (Public Access) Act or contractual terms.
Deficiencies in fraud control processes at 34 councils
Thirty-four councils reported deficiencies in fraud control processes, reduced from 41 councils reported in 2019–20.
The following fraud control deficiencies were reported in audit management letters.
Fraud control deficiencies | Number of councils |
Council did not provide fraud awareness training to staff | 19 |
Council did not perform a fraud risk assessment | 19 |
Council did not have a fraud and corruption prevention policy, or it was outdated | 14 |
Council did not require staff to provide annual attestations to the Code of Conduct | 12 |
Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.
Lack of legislative compliance policies or register at 25 councils
Twenty-five councils did not have a sufficient legislative compliance policy or register. This has improved from 38 councils reported in 2019–20.
Legislative compliance frameworks assist councils to monitor compliance with key laws and regulations. This is important as councils provide a broad range of services to the community and are subject to many legal requirements. A legislative breach can attract penalties, impact service delivery and cause significant reputational damage.
Twenty-seven councils do not have an internal audit function
Internal audit is an important element of an effective governance framework as it supports a risk and compliance culture. Internal audit provides assurance over council's governance practices and internal control environment, and identifies where performance can improve.
The LG Act also envisages the establishment of an internal audit function in each council to support the work of the audit, risk and improvement committee (ARIC). OLG released a discussion paper in September 2019 'A New Risk Management and Internal Audit Framework for Local Councils in NSW', detailing the proposed new framework.
In August 2021, OLG issued draft 'Guidelines for Risk Management and Internal Audit for Local Councils in NSW' to guide the operations of ARICs and to require councils to have a risk management framework and internal audit function to support and inform their operations. These guidelines are still in draft at the time of writing this report.
Under the proposed OLG guidelines, councils and joint organisations are not required to establish a risk management framework and internal audit function that complies with the guidelines until 30 June 2024.
In 2020–21, 101 councils have established an internal audit function, with majority of these functions outsourced from external providers. Twenty-seven councils do not have an internal audit function.
One hundred and eleven councils have established an audit, risk and improvement committee
The requirement for all councils and joint organisations to establish an audit, risk and improvement committee was further deferred to 4 June 2022 due to the COVID-19 pandemic. Councils and joint organisations are permitted under section 428B of the LG Act to enter into arrangements with other councils or joint organisations to share ARICs.
As at 30 June 2021, 111 councils have established an ARIC. Of the 111 councils, seven have a shared arrangement with other councils.
Councils and joint organisations that do not currently have an ARIC should take action to ensure they comply with legislative requirements
Audit, risk and improvement committees are an important contributor to good governance. They help councils to understand strategic risks and how they can mitigate them. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.
Opportunities could also exist for councils to gain efficiencies by increasing the number of shared ARICs where practical by scale or geographical location to do so.
ARICs can play an important role in providing feedback on financial statements before they are submitted to audit as part of management's quality review process.
Forty-four councils' (40%) ARICs reviewed financial statements before submission to the Audit Office, while 67 councils' (60%) ARICs did not review financial statements before submission to the Audit Office.
Only 16 (14%) ARICs obtained certification of effectiveness of internal controls from management to support the financial statements and information.
There is an opportunity for OLG to issue guidance to councils to develop an internal control certification process as better practice. In the NSW state sector, Chief Financial Officers provide an annual certification as to the effectiveness of its systems, processes and internal controls for ensuring that financial information is relevant and reliable.
3.3 Financial reporting
Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making is enhanced when financial reporting is accurate and timely.
Financial reporting findings decreased from 103 to 83
Audit management letters reported 83 findings relating to financial reporting (2019–20: 103 findings). Forty-five per cent were repeat or partial repeat findings.
High-risk findings
High-risk findings, including three repeat findings, one new finding and two repeat findings elevated from moderate risk in 2019–20, were reported at the following councils. Three of the 2019–20 high-risk findings were resolved, and another three were reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
Council | Description |
2020–21 findings | |
Albury City Council (new finding) | The quality and timeliness of council's financial reporting process was significantly impacted by:
The quality of work papers supporting the financial statements requires improvement, as there were numerous misstatements and disclosure changes made to the financial statements. Council made multiple requests for extensions to lodge the audited financial statements. These requests were made before the existing deadlines (being both legislative deadline and approved extensions). The approval of two extension requests was not provided by OLG prior to the existing deadlines. Consequently, on two occasions, council did not submit audited financial statements to OLG within agreed deadlines. This was assessed as non-compliance with the LG Act. The minister backdated her approval of the extension to the date that council submitted the request. |
Armidale Regional Council (repeat finding elevated from moderate to high-risk in 2020–21) |
The financial statements and supporting work papers contained the following issues:
|
Central Coast Council (repeat finding) | The financial statements required significant amendments to correct material misstatements and disclosure deficiencies. The submitted financial statements did not:
|
MidCoast Council (repeat finding) | The financial statements contained numerous misstatements and disclosure deficiencies. The financial statements' quality review processes and the quality of supporting work papers require significant improvements. |
Shoalhaven City Council (repeat finding) |
The financial statements presented for audit contained a significant number of misstatements and disclosure deficiencies. Multiple versions of the financial statements and trial balance were provided to the audit team and working papers did not satisfactorily reconcile to the financial statements. |
Wollondilly Shire Council (repeat finding elevated from moderate to high-risk in 2020–21) |
The quality and timeliness of council's financial reporting process was significantly impacted by the absence of several key staff due to the COVID-19 pandemic, flooding events and resignation of staff involved in the process. This also led to significant delays in the finalisation of infrastructure, property, plant and equipment comprehensive revaluation, resolving prior period errors relating to community land, work in progress and accounts payable, and the preparation of the financial statements. The financial statements contained numerous monetary misstatements and disclosure deficiencies. The council made multiple requests for extensions to lodge the audited financial statements within the extension deadlines. The council was last granted an extension to 27 April 2022. However, the council missed the revised extension deadline without an approved extension from OLG, which is a non-compliance with the LG Act. |
Common findings
Common findings across councils include:
- Financial statements submitted for audit for 30 councils contained numerous errors and disclosure deficiencies.
- Sixteen councils continued to not appropriately apply or adequately assess the impact of the new accounting standards that were effective in 2019–20.
- Lack of preparation for the audit, such as having a financial reporting plan, impacted the timeliness of financial reporting at 21 councils.
- Eleven councils have deficiencies in related parties' policies and disclosure.
Further analysis and insights on financial reporting findings are detailed in Chapter 2 'Audit results'.
3.4 Financial accounting
Financial accounting refers to the processes adopted by management to record and review financial information across the business. Councils use a combination of manual and automated processes and digital information systems to process financial information. Effective processes support the accuracy and completeness of information presented in the financial statements.
Financial accounting findings decreased from 115 to 79
Audit management letters reported 79 findings relating to financial accounting (2019–20: 115 findings). Thirty-eight per cent were repeat or partial repeat findings.
High-risk findings
Five high-risk findings, including one new finding, two repeat findings and two repeat findings elevated from moderate risk in 2019–20, were reported at the following councils. One of the 2019–20 high-risk findings was resolved, and another was reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
Council | Description |
2020–21 findings | |
Central Coast Council (repeat finding) | Some monthly account reconciliations were not prepared and reviewed on a timely basis. Council maintains several information systems for processing revenue transactions. Each day, the sub-ledger systems interface with the general ledger to transfer and update revenue data. Findings identified that:
|
Dungog Shire Council (repeat finding) | Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review. |
Hilltops Council (repeat finding elevated from moderate to high-risk in 2020–21) |
Council was unable to identify the original source of unexplained bank reconciliation differences of $0.2 million. In addition, the bank reconciliation contained cut-off errors which resulted in further audit adjustments to ensure cash and investments balance was not materially misstated at 30 June 2021. |
MidCoast Council (repeat finding elevated from moderate to high-risk in 2020–21) |
Since migrating to a single finance system in the second half of 2019, council had not formalised its month-end financial reporting procedures such as the reconciliations of key control accounts in 2020–21. |
Snowy Monaro Regional Council (new finding) | Council continues to face financial pressures in 2020–21. Council reported nil unrestricted cash at 30 June 2021 and 30 June 2020. To meet the day-to-day operational requirements, council has been utilising internally restricted funds, which is decreasing. It was also recommended for management to improve the robustness of cashflows forecasting and to regularly monitor cash balances. |
Common findings
The common financial accounting findings reported in audit management letters related to deficiencies in key account reconciliations and processing of manual journal adjustments.
Lack of segregation of duties with manual journal adjustments at 24 councils
There was a lack of segregation of duties over the posting of manual journal adjustments to financial information at 24 councils. An independent review of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.
Key account reconciliations were not prepared in a timely manner or independently reviewed at 23 councils
Regular reconciliation of financial information ensures timely identification of errors and facilitates a more efficient audit process. It was reported in audit management letters that:
- there was no evidence of independent review of key account reconciliations at 17 councils
- ten councils did not reconcile all key balances in the financial statements in a timely manner.
3.5 Asset management
Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as valuing assets in accordance with accounting standards.
Asset management findings decreased from 304 to 288
Audit management letters reported 288 findings relating to asset management (2019–20: 304 findings). Thirty-nine per cent (112 findings) were repeat or partial repeat findings.
High-risk findings
High-risk findings increased from 21 to 69 in 2020–21, including 61 new findings, six repeat findings and two repeat moderate findings elevated to high-risk. They were reported at the following councils. The increase was mainly due to the 60 new high-risk findings in relation to the unrecorded rural firefighting equipment.
Seven of the 2019–20 high-risk findings were resolved, and eight findings were reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
Sixty councils had a high-risk finding reported in their audit management letter relating to unrecorded rural firefighting equipment
Chapter 2 'Audit results' reported 68 councils did not record rural firefighting equipment in their financial statements. This was reported as a high-risk finding for 60 councils, a moderate risk finding for seven councils, and was not reported for one council where the assets were clearly trivial. A moderate risk was reported when council performed additional procedures to demonstrate that the unrecorded amount was not material to the financial statements.
2020–21 councils with high-risk findings on unrecorded rural firefighting equipment | |||
Albury City Council | Coolamon Shire Council | Lachlan Shire Council | Snowy Valleys Council |
Armidale Regional Council | Coonamble Shire Council | Leeton Shire Council | Sutherland Shire Council |
Balranald Shire Council | Cootamundra-Gundagai Regional Council | Lismore City Council | Tamworth Regional Council |
Bathurst Regional Council | Edward River Council | Lithgow City Council | Temora Shire Council |
Bellingen Shire Council | Federation Council | Liverpool Plains Shire Council | Tenterfield Shire Council |
Berrigan Shire Council | Forbes Shire Council | Lockhart Shire Council | The Hills Shire Council |
Bland Shire Council | Glen Innes Severn Council | Mid-Western Regional Council | Tweed Shire Council |
Bogan Shire Council | Greater Hume Shire Council | Moree Plains Shire Council | Upper Hunter Shire Council |
Bourke Shire Council | Griffith City Council | Murray River Council | Upper Lachlan Shire Council |
Brewarrina Shire Council | Gunnedah Shire Council | Murrumbidgee Council | Wagga Wagga City Council |
Byron Shire Council | Gwydir Shire Council | Narrabri Shire Council | Walgett Shire Council |
Campbelltown City Council | Hilltops Council | Narrandera Shire Council | Warren Shire Council |
Carrathool Shire Council | Junee Shire Council | Orange City Council | Weddin Shire Council |
Central Darling Shire Council | Kempsey Shire Council | Queanbeyan-Palerang Regional Council | Wollondilly Shire Council |
Clarence Valley Council | Kyogle Council | Snowy Monaro Regional Council | Yass Valley Council |
Chapter 2 'Audit results' includes more information on the recognition of rural firefighting equipment.
Other high-risk findings
Nine other high-risk findings that related mainly to data integrity of asset registers, fair value assessments and the asset valuation process, were reported in the following councils.
Council | Description |
2020–21 findings | |
Bellingen Shire Council (repeat finding) |
In 2019–20, council identified a prior period error due to road and bulk earthwork assets not previously recorded in the financial statements. Council's fixed assets register (FAR) is not sufficiently secured from unauthorised changes as it is maintained in an excel spreadsheet. The FAR did not include key information fields such as acquisition date. Errors occur for some asset classes when they are capitalised to the FAR in one year and then componentised in the following year. Various asset registers were not fully integrated and reconciled to the FAR. |
Central Coast Council (two repeat findings) | Two repeat high-risk findings were reported:
|
Kempsey Shire Council (new finding) |
The 2020–21 audit process identified a number of community land, land improvement and recreational assets of $7.6 million that were not previously recorded in the financial statements. Other revaluation errors were also detected and corrected as part of the audit process. Quality control and documentation of management's review on asset revaluation was not sufficient. |
MidCoast Council (repeat finding) | Issues identified throughout the asset valuations process:
|
Murray River Council (two repeat findings) |
|
Queanbeyan-Palerang Regional Council (new finding) |
|
Strathfield Municipal Council (repeat finding elevated from moderate to high-risk in 2020–21) |
Council did not have formal processes to record direct and indirect costs to capital projects in a timely manner. There were no formal procedures governing the direct and indirect costs capitalisation review to ensure they remain appropriate. This issue was raised in the 2019 management letter but remained unresolved by management in 2020–21. |
Common findings
The common asset management findings reported in audit management letters related to deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.
Weak processes over maintenance, completeness and security of fixed asset registers at 67 councils
Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.
Fixed asset register issues reported in audit management letters | Number of councils |
Council did not maintain an accurate and complete fixed register. This included:
|
46 |
Council did not regularly update their fixed asset register for additions and disposals. | 33 |
Asset registers were not maintained in a secure format (e.g. use of unlocked spreadsheets or multiple systems). | 13 |
We continue to see weak processes over maintenance and security of fixed asset registers. There continues to be issues with accuracy and completeness of the asset register, duplication or missing assets, and asset registers not being reconciled with the asset management system.
Prior period errors continue to predominately relate to the quality of asset records and asset revaluation errors such as found and duplicate assets. In particular, completeness of developer contributions/gifted assets in growth councils needs improvement.
Deficiencies in infrastructure asset revaluation processes at 58 councils
Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.
Deficiencies were identified in infrastructure asset valuations at 58 councils, including:
- inadequate documentation to support key assumptions and judgements applied including:
- useful lives and condition assessments
- unit rates used to value infrastructure assets
- incorrect classification of assets
- incorrect exclusion of some assets from valuations
- management not documenting their quality review over the asset valuation.
Opportunities for councils to improve the valuation process
Performing asset valuations earlier gives time for management and auditors to complete all requirements before the financial statements are prepared and allows earlier sign offs to be achieved.
Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:
Improvements to council landfill rehabilitation accounting practices required at 26 councils
Australian Accounting Standards require a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when it can be reliably measured. Such provisions should be annually reassessed for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.
Common findings identified in council landfill rehabilitation accounting practices include:
- no formal assessment of obligations made to rehabilitate landfill sites
- insufficient documentation of provision calculations to support inputs, assumptions and key data for accounting of the provisions
- costs associated with post-closure, aftercare and monitoring of landfill sites in their provisions not included in the assessment.
3.6 Purchases and payables
Councils spend substantial funds each year to procure goods and services. It is important there is appropriate probity, accountability and transparency in procurement to reduce the risk of unauthorised purchases, corrupt and fraudulent behaviour, and value for money not being achieved.
Purchases and payables findings decreased from 118 to 105
Audit management letters reported 105 findings relating to purchases and payables (2019–20: 118 findings). Fifty-five per cent were repeat or partial repeat findings.
High-risk findings
There were no high-risk findings related to purchases and payables processes in 2020–21. Two of the 2019–20 high-risk findings were resolved, and one finding was reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
Common findings
The common purchases and payables findings reported in audit management letters related to controls around purchase orders, review of creditor information and deficiencies in credit card management practices.
Controls around purchase orders were not enforced or absent at 37 councils
At 12 councils, it was identified that employees could approve their own purchase orders. At five councils, it was identified that purchase orders were approved without appropriate delegation. It is important there is segregation of duties and appropriate delegation in procurement to reduce the risk of fraud and misuse of public money.
Purchase orders were approved after the receipt of goods or services at 28 councils. Purchase orders should be issued before requesting goods or services to reduce the risk of unauthorised transactions.
Insufficient review of changes to creditor information at 29 councils
Twenty-nine councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Councils should review each change or perform regular collective review of changes.
3.7 Payroll
Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award. Payroll processes and information systems should protect the integrity of employee records and timesheet data to ensure accurate payments to employees and leave entitlement calculations.
Payroll findings decreased from 112 to 96
Audit management letters reported 96 findings relating to payroll processes (2019–20: 112 findings). Sixty per cent were repeat or partial repeat findings.
High-risk findings
There were no high-risk findings related to payroll processes in 2020–21 (2019–20: Nil).
Common findings
The common payroll findings reported in audit management letters related to deficiencies in the review of employee payroll data and excessive annual leave balances.
Excessive annual leave balances were reported at 49 councils
Managing excess annual leave was a challenge for councils given the recent emergency events. Councils continued to deliver essential services in uncertain times and in a disrupted work environment. Many council employees, particularly in frontline roles, deferred leave plans and have taken little or no annual leave. To support council employees during the COVID-19 pandemic, legislative amendments were made to allow councils and their employees to agree to:
- council making a payment to an employee in lieu of annual leave, provided the employee will still have a balance of at least four weeks of leave remaining
- an employee taking annual leave at double or half pay.
Changes to employee payroll data are not reviewed at 26 councils
Twenty-six councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils.
3.8 Cash and banking
Councils process a high volume of transactions each year. Effective controls over cash collection, disbursements and reconciliations reduce the risk of fraud and error.
Cash and banking findings decreased from 53 to 36
Audit management letters reported 36 findings relating to cash and banking (2019–20: 53 findings). Thirty-six per cent were repeat or partial repeat findings.
High-risk findings
There were no high-risk findings related to cash and banking processes in 2020–21. One high-risk finding was raised in 2019–20 and it was resolved.
Common findings
The common cash and banking findings reported in audit management letters related to the lack of security of payment files and the lack of segregation of duties in the cash handling process.
Outdated bank signatories at 14 councils
Bank signatories are not being removed on a timely basis. Fourteen councils still had their former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.
Deficiencies in the cash handling processes at 12 councils
Deficiencies in the cash handling process were identified at 12 councils, including lack of daily cashier reconciliation and lack of segregation of duty. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.
Lack of security of payment files for pay runs at nine councils
Nine councils did not encrypt Electronic Funds Transfer (EFT) payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.
3.9 Revenue and receivables
Councils receive revenue from a range of different sources, including rates and annual charges, user charges and fees, operating and capital grants and contributions, and other revenue (such as interest, investments and asset disposals). It is important that councils have appropriate internal controls to accurately record revenue and receivables in compliance with accounting standards and legal requirements.
Revenue and receivable findings increased from 55 to 80
Audit management letters reported 80 findings relating to revenue and receivables (2019–20: 55 findings). Forty per cent were repeat or partial repeat findings.
High-risk findings
There were no high-risk findings related to revenue and receivable processes in 2020–21 (2019–20: Nil).
Common findings
The common revenue and receivables findings reported in audit management letters related to deficiencies in the review of changes to fee tables and property data in council rates systems, and inappropriate revenue recognition practices.
Lack of review of changes to fee tables and property data in the rating system at 26 councils
Council systems contain fee tables and property information, which is used to determine rates and annual charges levied on different properties. Twenty-six councils do not adequately review changes for accuracy and appropriateness. This increases the risk of errors in recording rates and annual charges in the financial statements.
Inappropriate revenue recognition at 15 councils
Twelve councils had findings raised relating to their revenue recognition practices, including:
- no effective internal controls to ensure the completeness of revenue activities recorded
- deficiencies in grants recognition that resulted in misstatement in the financial statements
- use of cash accounting basis to recognise some revenue transactions, rather than accruals.
Deficiencies in revenue recognition practices resulted in 57 errors identified in councils' financial statements, totalling $93.4 million.
3.10 Information technology (IT)
Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure confidentiality, and integrity of systems and data. These controls underpin the integrity of financial reporting.
Financial audits involve the review of IT general controls relating to key financial systems supporting the preparation of council financial statements, addressing:
- policies and procedures
- IT risk management
- user access management
- privileged user access restriction and monitoring
- system software acquisition, change and maintenance
- disaster recovery planning
- cybersecurity and patch management.
IT findings decreased from 336 to 296
Audit management letters reported 296 findings relating to IT (2020–21: 336 findings). Sixty-seven per cent were repeat, partial repeat or ongoing findings.
High-risk findings
High-risk findings, including repeat and ongoing findings, were reported at the following councils. One 2019–20 high-risk finding was not resolved, and seven findings were reclassified to moderate risk in 2020–21 as management has taken action to mitigate the risks.
High-risk findings detailed below relate to gaps in system implementation and user access controls.
Council | Description |
2020–21 findings | |
Bayside Council (new finding) | One high-risk finding reported for gaps found in council's new financial system implementation process:
|
Dubbo Regional Council (repeat finding*) |
One high-risk finding reported in relation to gaps found in council's information technology access controls:
|
Greater Hume Shire Council (repeat finding) |
Audit logs of privileged users are not maintained and reviewed. |
Lismore City Council (repeat finding*) | One high-risk finding reported in relation to gaps found in council's information technology access controls:
|
Nambucca Valley Council (repeat finding*) |
One high-risk finding reported in relation to gaps found in council's information technology access controls:
|
Wagga Wagga City Council (repeat finding*) |
One high-risk finding reported in relation to gaps found in council's information technology access controls:
|
* The findings identified were previously reported as separated moderate-risk findings and yet to be resolved by management as part of the 30 June 2021 audit. Due to the aggregated risk of the findings, these have been reassessed as a high-risk finding.
Common findings
The common IT findings reported in audit management letters related to deficiencies in IT policies and procedures, lack of a cybersecurity framework, and controls and gaps in user access management processes. This is aligned with what we reported in the prior year's report.
IT policies and procedures were outdated or not in place at 59 councils
Fifty-nine councils did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.
Lack of periodic user access review at 42 councils and insufficient control over privileged users at 73 councils
The following common access management findings were identified:
- Forty-two councils did not perform a periodic user access review to ensure users’ access to key IT systems were appropriate and commensurate with their roles and responsibilities.
- Seventy-three councils had gaps in privileged users management process. This includes gaps in restriction of privileged users or monitoring of the privileged accounts' activity logs.
Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of unauthorised transaction or modification of sensitive data and transactions. The common findings above may be rated high-risk when there are no mitigating controls to prevent or detect any unauthorised transactions.
Cybersecurity frameworks and related internal controls were not in place at 65 councils
The NSW Cybersecurity Policy states that the term cybersecurity covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability. Strong cybersecurity is an important component of the NSW Beyond Digital Strategy, enabling the effective use of emerging technologies and ensuring confidence in the services provided by NSW Government.
While there is currently no requirement for councils to comply with the NSW Government’s Cybersecurity Policy, councils may find it useful to refer to the policy for further guidance.
Cybersecurity findings were reported in 65 councils as they did not have at least one of the following governance and internal controls to manage cybersecurity such as having a:
- cybersecurity framework, policy and procedure
- register of cyber incidents
- simulated cyber attack testing (penetration testing)
- cybersecurity training and awareness program.
The Report on Local Government 2019 recommended for the Office of Local Government (OLG) within the Department of Planning and Environment to develop a cybersecurity policy by 30 June 2021 to ensure cybersecurity risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded. As at the date of this report, this policy has not been completed and published. Refer to Appendix two for more information.
OLG needs to develop a cybersecurity policy to be applied by councils as a matter of high priority in order to ensure cybersecurity risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.
Formal cybersecurity frameworks/policy in place for at 80 councils
A cybersecurity framework consists of threat identification, protection, detection, response and recovery of IT systems.
In the absence of guidance from OLG, our additional data collection identified that 80 councils (54%) have developed a formal cybersecurity policy and/or framework. These councils have adopted guidance from the following sources to aid them in developing their cybersecurity policies/frameworks:
- Cybersecurity NSW
- The Australian Cybersecurity Centre (ACSC)
- International Organization for Standardization (ISO standards)
- The National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard (PCI DSS)
- councils' internal/external experts' recommendations.
Based on data collected across all 150 councils and JOs:
Poor management of cybersecurity can expose councils to a broad range of risks, including financial loss, reputational damage and data breaches. Furthermore, without a formal policy and framework, formal roles and responsibilities, and involvement of those charged with governance, councils are at risk of inappropriate planning and execution of their cybersecurity responses, which may also lead to inefficient use of their cybersecurity budget.
Fifty-one per cent of councils have yet to roll out cybersecurity training and awareness programs
With 51% of councils yet to roll out cybersecurity training and awareness programs for staff, councils have an increased risk of being exposed to a cyber incident. In addition, of the 51% of councils that have not yet rolled out training and awareness programs, 57% did not cover their third parties who have access to the council's systems, in these training programs (i.e., contractors, consultants, vendors, partners).
Cyber criminals aggressively target certain staff by sending fraudulent emails, stealing credentials and sending malicious attachments, which deploy because they entice people to interact with them. The most targeted staff are those in senior positions and finance roles. Completion of cyber awareness training by all staff, contractors and third-party providers help them recognise potentially malicious emails and avoid inadvertently activating attachments and software designed to infect devices and steal data to be used by cyber criminals.
Twenty-eight per cent of councils advised that they had cyber incidents during the financial year, represented by 41 councils.
The Australian Cybersecurity Centre (ACSC) was established in 2014 to lead the Australian Government's work to improve cybersecurity. ACSC is part of the Australian Signals Directorate within the Defence portfolio. The ACSC reports that:
the focus on cybersecurity is increasing for government agencies as the digital footprint of government expands. Risks have been further amplified by the COVID-19 pandemic as governments increasingly transact and deliver services to citizens through online platforms. Cyber-attacks by criminals and state actors are becoming more sophisticated and complex and the attacks are more likely to be substantial in impact. |
Further, the ACSC, through their 2020–21 Annual Cyber Threat Report, has revealed that they received over 67,500 cybercrime reports, a 13% increase on the previous financial year. ACSC also stated the self-reported losses from cybercrime during the 2021 financial year was totalling more than $33 billion.
It is well known that cyber attacks are increasing, resulting in the need for councils to uplift their cybersecurity plans immediately.
The potential impacts from poor management of cybersecurity include:
- theft of corporate and financial information and intellectual property
- theft of money
- denial of service
- destruction of data
- costs of repairing affected systems, networks and devices
- legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
- third-party losses when personal information stored on government systems is used for criminal purposes.
4. Looking forward
Audit Office’s annual work program for 2021–22 onwards
Focus on integrity of systems, good governance and good advice
We have a fundamental role in helping the Parliament hold government accountable for the use of public resources. In doing so, we examine whether councils' systems and processes are effective in supporting integrity, accountability and transparency. Key aspects of integrity that we expect to through conduct of our financial and performance audits over the next three years include the integrity of systems, good governance and good advice. These focus areas have arisen from the collation of key findings and recommendations from our past reports.
Focus on local councils' continued response to recent emergencies
The COVID-19 pandemic continues to have a significant impact on the people and the public sector of New South Wales. Local councils are continuing to assist communities in their recovery from the 2019–20 bushfires and subsequent and recent flooding. The full extent of some of these events remain unclear and will likely continue to have an impact into the future.
The Office of Local Government within the Department of Planning and Environment continues to work with other state agencies to assist local councils and their communities to recover from these unprecedented events.
The increasing and changing risk environment presented by these events has meant that we have recalibrated and focused our efforts on providing assurance on how effectively aspects of responses to these emergencies have been delivered.
This includes financial and governance risks arising from the scale and complexity of government responses to these events.
We will take a phased approach to ensure our financial and performance audits address the following elements of the emergencies and the Local Government's responses:
- local councils' planning and preparedness for emergencies
- local councils' initial responses to support people and communities impacted by COVID-19 and the 2019–20 bushfires and recent floods
- governance and oversight risks that arise from the need for quick decision-making and responsiveness to emergencies
- effectiveness and robustness of processes to direct resources toward recovery efforts and ensure good governance and transparency in doing so
- the mid to long-term impact of government responses to the natural disasters and COVID-19
- whether government investment has achieved desired outcomes.
Focus on the effectiveness of cybersecurity in local government
The increasing global interconnectivity between computer networks has dramatically increased the risk of cybersecurity incidents. Such incidents can harm local government service delivery and may include theft of information, denial of access to critical technology, or even hijacking of systems for profit or malicious intent.
Outdated IT systems and capability present risks to government cybersecurity. Local councils need to be alert to the need to update and replace legacy systems, and regularly train and upskill staff in their use. To add to this, cybersecurity risks have been exacerbated by recent emergencies, which have resulted in greater and more diverse use of digital technology.
Our approach to auditing cybersecurity across in the sector involves:
- considering how local councils are responding to the risks associated with cybersecurity across our financial audits
- examining the effectiveness of cybersecurity planning and governance arrangements within local councils
- conducting deep-dive performance audits of the effectiveness of cybersecurity measures in selected councils.
Local government elections
Local government elections took place in 2021–22
The local government elections were deferred for one year due to the COVID-19 pandemic and were held on 4 December 2021.
As part of our audits, we will consider the impact of any significant change on key decisions and activities for councils, county councils and joint organisations following the local government elections.
New rate peg methodology to support growing councils
The Independent Pricing and Regulatory Tribunal (IPART) has completed its review of the local government rate peg methodology to include population growth.
On 10 September 2021, IPART provided the final report on this review to the Minister for Local Government.
The minister has endorsed the new rate peg methodology and has asked IPART to give effect to it in setting the rate peg from the 2022–23 financial year.
As part of our audits, we will consider the impact of these changes on the financial statements and on key decisions and activities for councils, county councils and joint organisations.
Appendices
Appendix two – Status of previous recommendations
Appendix three – Status of audits
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.