Report highights
This report is about
Results of the local government sector financial statement audits for the year ended 30 June 2022.
What we found
Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' financial statements.
The financial audits for two councils and two joint organisations are in progress due to accounting issues.
Fifty-seven councils and joint organisations (2021: 41) required extensions to submit their financial statements to the Office of Local Government (OLG), within the Department of Planning and Environment (the department).
The audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficient books and records.
Qualified audit opinions were issued on 43 councils' financial statements due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. Forty-seven councils appropriately recognised this equipment.
What we recommended
Consistent with the NSW Government's accounting position and the department's role of assessing councils' compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise vested rural firefighting equipment.
The key issues
There were 1,045 audit findings reported to councils in audit management letters, with 52% being unresolved from prior years.
What we recommended
Councils need to track progress of implementing audit recommendations, giving priority to high-risk and repeat issues.
Ninety-three high-risk matters were identified across the sector mainly relating to asset management, information technology, financial accounting and council governance procedures.
Asset valuations
Audit management letters reported 267 findings relating to asset management. Fifty-three councils had deficiencies in processes that ensure assets are fairly stated.
What we recommended
Councils need to complete timely asset valuations (repeat recommendation).
Integrity and completeness of asset source records
Fifty-two councils had weak processes over the integrity of fixed asset registers.
What we recommended
Councils need to improve controls that ensure integrity of asset records (repeat recommendation).
Cybersecurity
Our audits found that 47% of councils did not have a cyber security plan.
What we recommended
All councils need to prioritise creation of a cyber security plan to ensure data and assets are safeguarded.
Fast facts
Key financial information
Auditor General's forward
Pursuant to the Local Government Act 1993 I am pleased to present my Auditor-General's report on Local Government 2022. My report provides the results of the 2021–22 financial audits of 126 councils, 11 joint organisations and nine county councils. The audits for two councils and two joint organisations are in progress due to significant accounting issues.
Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' 2021–22 financial statements. The statements for 43 councils were qualified due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. And the audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficiencies in books and records.
This year has again been challenging for many New South Wales local councils still recovering from the impact of emergency events and facing cost and resourcing pressures. We appreciate the efforts of council staff and management in meeting their financial reporting obligations. We share a mutual interest in raising the standard of financial management in this sector, and the importance of accurate and transparent reporting.
Disappointingly, accounting for the value of rural firefighting equipment vested in councils continued to be an unnecessary distraction and resulted in 43 councils having their financial statements qualified. We continue to recommend that the Office of Local Government should intervene where councils fail to comply with Australian Accounting Standards by not recognising assets vested to them under section 119(2) of the Rural Fires Act 1997.
Sound financial management is critical to councils' ability to instil trust and properly serve their communities. The recommendations in this report are intended to further improve their financial management and reporting capability, and encourage sound governance arrangements and cyber resilience. I am committed to continuing this work with councils in the 2022–23 year and beyond.
Margaret Crawford PSM
Auditor-General for New South Wales
1. Introduction
1.1 The local government sector
Local government is the third tier of government. It is established under state legislation, which defines the powers and geographical areas each council is responsible for.
At 30 June 2022, there were 128 local councils, 13 joint organisations and nine county councils in New South Wales.
Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths and drains, and enforce various laws. While core functions such as waste collection are similar across councils, the range of services each council provides can vary depending on the needs of each community.
County councils are formed for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.
Joint organisations (JO) are formed by councils in regional New South Wales. Core activities of JOs include regional strategic planning and priority setting, engaging in shared services with member councils, and regional advocacy and collaboration with the state and federal governments.
1.2 Financial audit
This report provides the results and findings of the completed 2021–22 financial audits of 126 councils, 11 joint organisations and nine county councils. The audits of two councils and two joint organisations are in progress as at the date of this report.
In preparing this report, our observations and analyses were drawn from:
- audited financial statements
- performance audit reports
- data collected from councils
- audit findings reported to councils in audit management letters.
Each local council has unique characteristics such as its size, location and services provided to their communities. To enable comparison, we divided councils into three categories – metropolitan, regional and rural. County councils and joint organisations are separately identified in the report.
Details of councils grouped into categories are provided in Appendix two.
1.3 Performance audit
Our performance audits assess whether the activities of government entities are being carried out effectively, economically, efficiently, and in compliance with relevant laws. Our mandate to conduct these audits is provided under the Local Government Act 1993 (LG Act).
Performance audits relevant to the local government sector in 2022–23 included:
Regulation and monitoring of local government
The Office of Local Government (OLG) within the Department of Planning and Environment (the department) is responsible for strengthening the local government sector, including through its regulatory functions.
Regulation and monitoring of local government assessed whether the OLG is effectively monitoring and regulating the sector under the Local Government Act 1993. The audit covered:
- the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
- whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.
We found that the OLG does not conduct effective, proactive monitoring to enable timely risk-based responses to council performance and compliance issues. The OLG has not clearly defined and communicated its regulatory role to ensure that its priorities are well understood. The OLG does not routinely review the results of its regulatory activities to improve its approaches.
The department lacks an adequate framework to define, measure and report on the OLG’s performance, limiting transparency and its accountability. The OLG’s new strategic plan presents an opportunity for the OLG to better define, communicate, and deliver on its regulatory objectives.
We recommended that the OLG should:
- publish a tool to support councils to self-assess risks and report on their performance and compliance
- ensure its council engagement strategy is consistent with its regulatory approach
- report each year on its regulatory activities and performance
- publish a calendar of its key sector support and monitoring activities
- enhance processes for internally tracking operational activities
- develop and maintain a data management framework
- review and update frameworks and procedures for regulatory responses.
Development applications: assessment and determination stages
Local councils in New South Wales are responsible for assessing local and regional development applications. Most development applications are assessed and determined by council staff under delegated authority. However, some development applications must be referred to independent local planning panels, or Sydney and regional planning panels for determination. Councils provide support to local planning panels. The Department of Planning and Environment provides support to Sydney and regional planning panels.
Development applications: assessment and determination stages assessed whether Byron Shire Council, Northern Beaches Council and The Hills Shire Council had effectively assessed and determined development applications in compliance with legislative and other requirements.
It also assessed whether The Hills Shire Council, Northern Beaches Council and the Department of Planning and Environment had provided effective support to relevant independent planning panels.
All councils had established clear roles, responsibilities and delegations for assessment and determination of development applications and had also established processes to ensure quality of assessment reports.
Northern Beaches Council and The Hills Shire Council have established comprehensive approaches to considering and managing risks related to development assessment.
Northern Beaches Council’s approach to publishing its assessment reports promotes transparency. Across a sample of development applications assessed and determined between 2020–22:
- Northern Beaches Council and The Hills Shire Council had assessed and determined applications in compliance with legislative and other requirements. However, The Hills Shire Council could do more to transparently document any conflicts of interest within assessment reports.
- Byron Shire Council had assessed most applications in compliance with legislative and other requirements. However, we found opportunities for the council to:
- ensure determinations were made in line with delegations
- strengthen its approach to transparent management of conflicts of interest and quality review of assessments.
The Hills Shire Council and Northern Beaches Council had effectively supported their respective local planning panels.
The Department of Planning and Environment had processes that meet requirements for supporting regional planning panels but could do more to promote consistency in approach, share information across panels and measure the effectiveness of its support.
We made four recommendations to Byron Shire Council and four recommendations to the Department of Planning and Environment and one recommendation to The Hills Shire Council to address the gaps identified and improve the transparency of development assessment processes.
Planning and managing bushfire equipment
This Planning and managing bushfire equipment audit assessed the effectiveness of the NSW Rural Fire Service (RFS) and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression.
We found that the RFS has focused its fleet development activity on modernising and improving the safety of its firefighting fleet, and on the purchase of new firefighting aircraft. There is limited evidence that the RFS has undertaken strategic fleet planning or assessment of the capability of the firefighting fleet to respond to current bushfire events or emerging fire risks. The RFS does not have an overarching strategy to guide its planning, procurement, or distribution of the firefighting fleet. The RFS does not have effective oversight of fleet maintenance activity across the State, and is not ensuring the accuracy of District Service Agreements with local councils, where maintenance responsibilities are described.
We recommended that by December 2023, the Rural Fire Service should:
- develop a fleet enhancement framework and strategy that is informed by an assessment of current fleet capability, and research into appropriate technologies to respond to emerging fire risks
- develop performance measures to assess the performance and capabilities of the fleet in each RFS District by recording and publicly reporting on fire response times, fire response outcomes, and completions of fire hazard reduction works
- report annually on fleet allocations to RFS Districts, and identify the ways in which fleet resources align with district-level fire risks
- develop a strategy to ensure that local brigade volunteers are adequate in numbers and appropriately trained to operate fleet appliances in RFS Districts where they are required
- establish a fleet maintenance framework to ensure regular update of District Service Agreements with local councils
- review and improve processes for timely recording of fleet asset movements, locations, and maintenance status.
Cyber Security NSW: governance, roles and responsibilities
Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.
This Cyber Security NSW: governance, roles and responsibilities audit assessed the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government’s cyber resiliency. The audit asked:
- Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
- Are Cyber Security NSW’s roles and responsibilities defined and understood across the public sector?
We recommended the Department of Customer Service, by 30 June 2023, should:
- implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
- ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
- ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
- develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders.
The following local government performance audit reports are either planned or in progress with an expectation to complete them in 2023–24:
Financial management and governance in MidCoast Council
Under the LG Act, councils must apply sound financial management principles that require responsible and sustainable spending and investment and ensure that future decisions consider intergenerational effects and equity. This audit will assess whether MidCoast Council has effective financial management arrangements that support councillors and management to fulfill their financial stewardship responsibilities.Cyber security in local government
The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm local government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent. This audit will consider how effectively City of Parramatta Council, Singleton Council and Warrumbungle Shire Council identify and manage cyber security risks.
2. Audit results
Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines audit observations related to the financial reporting audit results of councils and joint organisations.
Section highlights
|
2.1 Quality of financial reporting
The Auditor-General is required under the LG Act to issue an audit opinion on the following reports prepared by councils.
Indicators of quality financial reporting include:
- unqualified audit opinions
- the number of errors in financial statements
- timeliness in preparing financial statements.
Audit opinions
Unqualified audit opinions were issued for 103 councils and joint organisations
We issued a total of 146 audit opinions on councils and joint organisations 2021–22 financial statements as at the date of this report. One hundred and three councils and joint organisations received unqualified audit opinions for their 30 June 2022 financial statements audits. For these councils sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement, and were prepared in accordance with Australian Accounting Standards and the LG Act.
A disclaimed audit opinion was issued to Kiama Municipal Council relating to its 30 June 2021 financial statements
A disclaimer of opinion was issued for the 30 June 2021 financial statements of the Kiama Municipal Council.
A disclaimed audit opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence upon which to form an opinion on the council’s financial statements, and the auditor concludes that the possible effects of undetected misstatements in the financial statements could be both material and pervasive.
Councillors and management declared, in the Statement required by Councillors and Management (the Statement) under Section 413(2)(c) of the LG Act, that they were unable to certify as to the completeness and reliability of the financial statements taken as a whole for the year ended 30 June 2021.
In the period leading up to the preparation of the 30 June 2021 financial statements council implemented a new financial management information system. However, data was lost during the migration from the legacy system to the new system. During the implementation council also experienced high rates of staff turnover. The combination of these factors contributed to the loss of both data and corporate knowledge. As a result, there was insufficient data to support a significant number of financial statement line items, and the staff who might have provided explanations had left council’s employment.
There was an inadequate system of internal control to support accurate financial reporting and to mitigate the risk of fraud. Council’s accounting records were insufficient to support reliable reporting or comply with legislative obligations.
The deficiencies in books and records, which have been acknowledged by councillors and management in their Statement, mean we have been unable to obtain sufficient appropriate audit evidence or perform alternative testing procedures to enable us to conclude on the completeness and accuracy of the council’s financial statements as a whole.
Non-recognition of rural firefighting equipment by councils was the single largest source of error within council financial statements
While 47 (2020–21: 41) councils recognised the rural firefighting equipment vested to them in their financial statements, including 14 councils that recognised the equipment for the first time, inconsistent and non-compliant practices regarding recognition of this equipment persist across the local government sector.
The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.
Councils that have rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997 (Rural Fires Act), should recognise these assets in their financial management systems, as well as considering their condition and useful life.
As previously reported in Local Government 2021 and Planning and Environment 2022 Auditor-General’s reports (tabled in NSW Parliament on 22 June 2022 and 15 December 2022 respectively), the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We further reported in ‘Local Government 2021’ that the non-recognition of this equipment may impact the financial statement audit opinions of those councils.
These assets are controlled by the councils and should be recognised as assets in accordance with AASB 116 ‘Property, Plant and Equipment’. Australian Accounting Standards refer to control of an asset as being the ability to direct the use of, and obtain substantially all of the remaining benefits from, the asset. Control includes the ability to prevent other entities from directing the use of, and obtaining the benefits from an asset.
Rural firefighting equipment is controlled by councils as:
- these assets are vested in the council under Section 119(2) of the Rural Fires Act, giving councils legal ownership
- councils have the ability, outside of emergency events as defined in Section 44 of the Rural Fires Act, to prevent the NSW Rural Fire Service from directing the use of the rural firefighting equipment by either not entering into a service agreement, or cancelling the existing signed service agreements
- councils have specific responsibilities for fire mitigation and safety works and bushfire hazard reduction under Part 4 of the Rural Fires Act. Councils obtain economic benefits from the rural firefighting equipment as these assets are used to fulfil councils’ responsibilities. In the event of the loss of an asset, the insurance proceeds must be paid into the New South Wales Rural Fire Fighting Fund (Section 119(4) of the Rural Fires Act) and be used to reacquire or build a similar asset, which is again vested in the councils as an asset provided free of charge.
Forty-three qualified audit opinions were issued on councils’ financial statements due to non-recognition of vested rural firefighting equipment
Fifty-nine (2020–21: 68) councils did not record rural firefighting equipment in their financial statements, of which 43 of the 146 completed audits of councils received qualified audit opinions on their 2022 financial statements due to non-recognition of rural firefighting equipment as assets within ‘Infrastructure, property, plant and equipment’ in their Statement of Financial Position at 30 June 2022. These qualifications took different forms depending on the circumstances surrounding the non-recognition.
A qualified audit opinion is issued when the auditor:
- having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements
- is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the possible effects of undetected misstatements on the financial statements are material but not pervasive.
Refer to Appendix three for a list of the 43 councils that received qualified audit opinions in 2021–22.
Forty of the 43 qualified audit opinions were modified because these councils imposed a limitation of scope on the audit regarding vested rural firefighting equipment
Forty out of the 43 councils that were issued a qualified audit opinion did not undertake procedures to confirm the completeness, accuracy, existence or condition of these assets. Nor had the councils performed procedures to identify the fair value of assets vested to them during the year.
Consequently, we were unable to determine the carrying values of vested rural firefighting equipment assets and related amounts that should be recorded and recognised in the councils’ 30 June 2022 financial statements.
This resulted in the audit opinions on these councils’ 30 June 2022 financial statements to be qualified, given the limitation on the scope of our audits.
The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.
Councils who have vested rural firefighting equipment should recognise these assets in their financial management systems and consider their condition and useful life.
Three councils’ audit opinions were qualified for material misstatement relating to rural firefighting equipment
Three councils undertook procedures to confirm the fair value of this equipment, including assets vested in it during the year, but did not recognise these assets in their financial statements. This omission was material to their financial statements and we issued a qualified audit opinion on these council’s financial statements.
Two councils‘ audit opinions were qualified for derecognising previously recognised rural firefighting equipment, and their accounting treatment upon derecognition
Two of the 43 councils that received qualified audit opinions, removed previously recognised rural firefighting equipment from their financial statements in 2021–22. These councils derecognised these assets through retained earnings, describing their previous treatment as an error. This treatment resulted in an additional qualification in the audit opinion.
There has been no change in the legal framework since these councils first recognised these assets, nor has there been any change in the relevant accounting standards impacting recognition of these assets. These councils’ previous recognition of these assets complied with the requirements of AASB 116 ‘Property, Plant and Equipment’. The derecognition of these assets and the related disclosures describing past practice as an error does not comply with AASB 108 ‘Accounting Policies, Changes in Accounting Estimates and Errors’.
Sixteen councils that did not record vested rural firefighting equipment did not receive qualified audit opinions. These councils had performed procedures to confirm that the value of these assets was not material to their financial statements
The remaining 16 councils that did not record rural firefighting equipment had performed procedures to determine the value of these assets was not material to the financial statements taken as a whole. While not material to the financial statements, and reported as an uncorrected error, these councils should nonetheless have recognised the equipment in their financial statements, which was vested to these councils under section 119(2) of the Rural Fires Act. There remains a risk that their stance on non-recognition may result in qualifications in the future if the amount becomes material to their financial statements, and raises the risk that these important assets are not being properly maintained and managed for operational purposes.
Forty-seven councils recognised their rural firefighting equipment, 14 of these for the first time
Forty-seven (2020–21: 41) councils recognised this equipment in their financial statements, highlighting the continuing inconsistency in recognition practices across the local government sector.
Fourteen councils recognised vested rural firefighting equipment in their financial statements for the first time in 2021–22.
Recommendation to councils (repeat issue)Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2023 financial reporting purposes. Consistent with the requirements of the Australian Accounting Standards, councils should recognise this equipment as assets in their 30 June 2023 financial statements. |
The department should intervene to assess councils’ compliance with legislative responsibilities, standards and guidelines
The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include rural firefighting equipment that has been vested to councils under section 119(2) of the Rural Fires Act. The State Government has reconfirmed its view that rural firefighting equipment vested to councils under Section 119(2) of the Rural Fires Act is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control the rural firefighting equipment that has been vested to them. It is important to note that there are only two parties to the agreements that govern the use of vested rural firefighting equipment, leaving only two parties who would be considered to control this equipment – the NSW Rural Fire Service in the State sector, or councils in the local government sector.
Since 2017, the Audit Office has recommended that the Office of Local Government (OLG) and then the Department of Planning and Environment (the department) address the differing practices across the local government sector in accounting for rural firefighting equipment. In doing so, the Audit Office recommended that OLG should work with NSW Treasury to ensure there is a whole-of-government approach.
In 2021, having again considered the accounting position papers prepared by the respective stakeholders, the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We recommended that the department intervene when councils do not recognise vested rural firefighting equipment.
The department’s role includes assessing whether intervention is appropriate with respect to councils’ compliance with, and performance against legislative responsibilities, standards or guidelines. Given the law and the State’s clear position, it would appear that any council not recognising this equipment is non-compliant with the relevant Australian Accounting Standards.
Despite these repeated recommendations in our ‘Local Government 2021’ and ‘Planning and Environment 2022’ Auditor-General’s reports, the department has not been effective in resolving this issue. Forty-three of 146 completed audits of councils received qualified audit opinions on their 2022 financial statements. Sufficient time and engagement have been afforded to avoid these qualified audit opinions. This situation is unlikely to be resolved in the absence of regulatory intervention.
The department should now intervene to address this matter as a priority.
Recommendation to the department (repeat issue)Consistent with the NSW Government’s accounting position on control of vested rural firefighting equipment and the department’s role to assess councils’ compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise rural firefighting equipment vested to them under section 119(2) of the Rural Fires Act. |
Removal of qualified audit opinion on Central Coast Council’s 2021–22 financial statements
In 2021–22 Central Coast Council addressed the issues that led to a qualified audit opinion in 2020–21 by having sufficient evidence to support the completeness and accuracy of the opening asset balances that were subject to audit qualification.
A qualified audit opinion was issued for the Central Coast Council’s 30 June 2021 financial statements because council was unable to provide sufficient appropriate evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets. Council had been unable to reconcile the asset data (technical asset register) used to value these assets to its financial records (fixed asset register) prior to the valuation.
Council addressed these issues in 2021–22 by performing a reconciliation of its 30 June 2021 technical asset register to its fixed asset register (pre-2021 valuation) and obtained an updated independent valuation of its roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets at 30 June 2021.
Emphasis of matter paragraphs were included in Gwydir Shire Council and Tenterfield Shire Council’s audit opinions relating to non-compliance with the LG Act
An emphasis of matter paragraph was included in the Independent Auditor’s Report to draw attention to non-compliance with the LG Act which the council self-disclosed in its financial statements.
The councils acknowledge they may have breached Sections 409 and 410 of the LG Act by accessing restricted funds without the required approvals.
Council | Reason |
Gwydir Shire Council |
|
Tenterfield Shire Council |
|
Four audits are still in progress in 2021–22
The following four audits remain outstanding and the outcome will be reported in next year’s report to Parliament.
Council | Reason |
Canberra Region Joint Organisation | Resolving accounting issues, delays in submission of the draft financial statements for audit. |
Hunter Joint Organisation | Resolving issues relating to going concern assessment by seeking financial support agreement with member councils. |
Narrabri Shire Council | Resourcing constraints impacted by high turnover of senior staff. Resolving accounting issues relating to impairment and remediation of flood damage. Delays in providing evidence to support the recognition status of assets including land, intangibles and RFS buildings. |
Kiama Municipal Council | The commencement of the 2021–22 audit was delayed given the late completion of the 2020–21 audit in April 2023. The 2020–21 was delayed due to significant accounting issues and council responding to Performance Improvement Orders issued by the Minister for Local Government. |
Errors identified through audits
Decrease in the number and dollar value of corrected errors identified
Our audits identified fewer corrected errors and the total dollar value of these errors was lower compared to the prior year. Corrected errors decreased from 246 errors in 2020–21, with a total value of $1.7 billion, to 217 errors with a total value of $1.3 billion in 2021–22.
It is important that councils perform robust reviews to minimise errors identified in financial statements. There were 18 councils (2020–21: 18 councils) where no errors were identified in their financial statements.
Corrected errors
A corrected error is an error identified by the auditor or council, which is subsequently corrected by council in the financial statements.
Corrected errors | By council type (2022 only) | ||||||
Year ended 30 June | 2022 | 2021 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 61 | 66 | 3 | 10 | 25 | 12 | 11 |
$250,000 to $500,000 | 22 | 37 | 3 | 5 | 13 | 1 | -- |
$500,000 to $1 million | 31 | 38 | 4 | 12 | 14 | 1 | -- |
$1 million to $5 million | 62 | 69 | 13 | 35 | 12 | 2 | -- |
$5 million to $15 million | 26 | 19 | 4 | 20 | 2 | -- | -- |
$15 million to $30 million | 4 | 4 | 3 | 1 | -- | -- | -- |
$30 million to $50 million | 7 | 6 | 3 | 3 | 1 | -- | -- |
$50 million and greater | 4 | 7 | 1 | 3 | -- | -- | -- |
Total number of errors | 217 | 246 | 34 | 89 | 67 | 16 | 11 |
Total value of errors ($ million) | 1,268 | 1,686 | 355 | 817 | 91 | 5 | -- |
Of the 217 corrected errors identified in the 30 June 2022 financial statements, the common areas are summarised below.
Common areas of corrected errors | Number of errors |
Poor record keeping of asset data, such as:
|
42 |
Asset revaluation errors, such as:
|
42 |
Incorrect accounting for liabilities and accruals. | 48 |
Of the 217 corrected errors identified in the 30 June 2022 financial statements, corrected errors greater than $50 million were:
Council | Description of corrected error |
Inner West Council | Council’s revaluation process identified newly found assets (roads, footpath, kerb, gutter, bulk earthwork and other road assets) of $71.8 million at 1 July 2020, that had not been previously recognised in the financial statements. |
Maitland City Council | Council undertook a revaluation of its infrastructure assets including a condition assessment. The fair value recognised in the financial statements inadvertently did not contain the impact of the condition assessment. This resulted in a $54.2 million increase to the value of the assets. |
Shellharbour City Council | Council’s review of its accounting for the Shell Cove project identified $117.9 million of Marina assets controlled by the council, which had not been recognised in the financial statements. |
Shoalhaven City Council | Management had not reflected the updated revaluation impacts on all infrastructure, property, plant and equipment (IPPE) asset classes within its financial statements. Council subsequently corrected these revaluation adjustments for various asset classes within IPPE, amounting to $288.6 million. |
Fair value assessments highlighted material differences between the carrying values and fair value of infrastructure, property, plant and equipment
Infrastructure, property, plant and equipment (IPPE) represents a significant part of councils’ total assets. The majority of these assets are carried at fair value using current replacement cost as the valuation technique.
Comprehensive revaluations are performed generally over three to five-year cycles for IPPE with fair value assessments undertaken during the intervening years to determine whether the carrying amounts of the assets are materially different to fair value at each reporting date.
This year’s fair value assessments by the councils identified material departures between the carrying value and fair value of their IPPE assets since these assets were last comprehensively valued. This resulted in significant adjustments to the fair value of councils’ IPPE assets amounting to $3.2 billion across 54 councils.
The predominant driver of these valuation uplifts, specifically in buildings, was inflation of construction costs, which affected the Australian domestic economy more broadly over the past 12 months.
In some cases, audit procedures identified material differences between the carrying value and the fair value of councils’ asset, resulting in adjustments to the financial statements after the financial statements were submitted for audit. In some other cases, councils used indices that were less relevant or reliable to assess movements in fair value. These also required adjustments by councils.
Councils are responsible for the asset valuations included in their financial statements and are required to assess annually whether the carrying value of IPPE materially reflects fair value, the reasonableness of the useful lives applied and whether any assets are impaired.
An absence of appropriate evidence to support key judgements/assumptions used in this annual fair value assessment, or a lack of thorough quality assurance processes can delay the outcomes of a valuation and/or cause incorrect or unsupported valuations.
Given the ongoing inflationary environment, councils should bring forward the timing of annual fair value assessments or revaluation exercises. This is to ensure that the carrying values reported in the financial statements more accurately reflect fair value at each balance date.
Uncorrected errors
An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. There are various reasons why errors are not corrected, the most common being it is not material to the financial statements taken as a whole.
Uncorrected errors | By council type (2022 only) | ||||||
Year ended 30 June | 2022 | 2021 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 97 | 88 | 11 | 9 | 65 | 6 | 6 |
$250,000 to $500,000 | 47 | 44 | 5 | 14 | 27 | 1 | -- |
$500,000 to $1 million | 34 | 37 | 12 | 10 | 12 | -- | -- |
$1 million to $5 million | 38 | 68 | 13 | 18 | 6 | -- | 1 |
$5 million to $15 million | 5 | 6 | 3 | 1 | 1 | -- | -- |
Total number of errors | 221 | 243 | 44 | 52 | 111 | 7 | 7 |
Total value of errors ($ million) | 158 | 238 | 72 | 54 | 28 | 1 | 3 |
In 2020–21, 68 councils did not record vested rural firefighting equipment in their financial statements estimated to be $145 million, which were reported as uncorrected errors. In 2021–22, this issue resulted in 43 councils receiving qualified audit opinions on their 2022 financial statements. As previously noted, the uncorrected errors relating to these assets could not be accurately quantified for 40 of the 43 councils that received a qualified audit opinion, given the absence of council procedures to determine the value, condition or existence of these assets. The risk that these assets are not being properly maintained and managed for operational purposes also increases. We have not included the potential misstatements in relation to these unrecorded assets within the 2022 table of uncorrected errors.
Prior period errors
A prior period financial statement error is an error identified in the current year that relates to the previous year’s audited financial statements.
Prior period errors | By council type (2022 only) | ||||||
Year ended 30 June | 2022 | 2021 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 6 | 4 | -- | 3 | 2 | -- | 1 |
$250,000 to $500,000 | 1 | 2 | -- | 1 | -- | -- | -- |
$500,000 to $1 million | 6 | 4 | -- | 1 | 5 | -- | -- |
$1 million to $5 million | 29 | 11 | 11 | 3 | 14 | 1 | -- |
$5 million to $15 million | 12 | 19 | 6 | 4 | 1 | 1 | -- |
$15 million to $30 million | 8 | 6 | 6 | 1 | 1 | -- | -- |
$30 million to $50 million | 2 | 4 | 1 | 1 | -- | -- | -- |
$50 million and greater | 3 | 4 | 2 | 1 | -- | -- | -- |
Total number of errors | 67 | 54 | 26 | 15 | 23 | 2 | 1 |
Total value of errors ($ million) | 627 | 777 | 395 | 163 | 56 | 13 | -- |
Of the 67 prior period errors, five were greater than $30 million. All these errors were asset related.
Council | Description of prior period error |
Lake Macquarie City Council | Council did not recognise $38.2 million non-cash contributions of assets in the year in which they were dedicated to the council. This understated both capital contribution revenue and assets in the prior years. |
Inner West Council | Council’s revaluation of infrastructure assets identified $71.8 million of assets controlled by the council at 1 July 2020, which had not been recognised in the financial statements. |
Shellharbour City Council | Council’s review of its accounting for the Shell Cove project identified assets controlled by the council, which had not been recognised in the financial statements amounting to $54.3 million. |
Central Coast Council | Council’s comprehensive valuation of Community Recreation Services (open space) assets, and reconciliation between technical and fixed asset registers identified assets controlled by the council that had not been recognised in the financial statements amounting to $43.6 million. Council’s updated revaluation process for 2020–21 and internal reconciliation between the technical and fixed asset registers, identified corrections to the valuation of roads, drainage, water and sewer assets amounting to $102 million. |
Of the 67 prior period errors, 50 were assets related that were identified in 31 councils. The common areas where prior period errors were identified are outlined below.
Seventy-nine per cent of the total prior period errors were asset related
Common prior period errors | Number of errors |
Poor record keeping of asset data, such as:
|
42 |
Assets revaluation errors, such as:
|
8 |
2.2 Timeliness of financial reporting
The LG Act requires councils to submit their audited financial reports to OLG by the statutory deadline of 31 October or apply for an extension.
Sixty-two per cent of councils lodged their audited financial statements by the statutory deadline
Of the 146 councils for which we have issued Independent Audit Reports:
- 93 councils (2020–21: 109 councils) met the statutory deadline
- 53 councils (2020–21: 41 councils) received one or more extension to lodge their audited financial statements at a later date.
Refer to Appendix three for further details.
The number of extensions received by councils increased from 41 in 2020–21 to 57 in 2021–22
Fifty-seven councils and joint organisations (2021: 41) applied for, and received an extension to, lodge their audited financial statements at a later date. Twenty-three (2020–21: 15) councils applied for more than one extension.
Fewer councils met the statutory lodgement deadline in 2021–22. Many councils continued to face challenges responding to the impacts of natural disasters (floods and droughts) and resourcing constraints.
The reasons that councils and joint organisations sought extensions to submit their financial statements after the statutory deadline are shown below.
The most common reasons councils cited when applying for extensions related to:
- resourcing issues
- resolving asset valuation issues
- accounting or other matters that required more time to resolve
- impacts from natural disasters including flood recovery.
Refer to Appendix four for details of the names of each council or joint organisation that received extensions.
More councils performed some early financial reporting procedures
Early close procedures allow financial reporting issues and risks to be addressed by management and audit early in the financial statement close process. Such procedures help to confirm that key controls over councils’ balances are carried out and that there is early dialogue with councils and the Audit Office on significant issues. This helps to improve the quality and timeliness of financial reporting.
Councils can work with the Audit Office to agree on key early close procedures and an agreed timetable to complete the procedures that can be audited before 30 June. This process will allow for audit observations and feedback on the early close outcomes in time for them to be considered in the year-end financial reporting process.
The intention of these procedures is to facilitate earlier preparation of councils’ financial statements as well as improve quality and minimise the risk of audit qualifications or errors in financial statements submitted to the Audit Office.
Early close plans should allow sufficient time for management review and involvement of Audit Risk and Improvement Committees.
Some early close procedures that councils should consider include:
- completing proforma financial statements and ensuring management has endorsed the statements and reviewed the supporting working papers
- performing and documenting an annual assessment of the fair value of IPPE, their useful lives, and the reasons why the carrying value was not materially different to the fair value. This assessment is performed between comprehensive revaluations
- completing the comprehensive revaluation of IPPE by an agreed early close date
- explaining all unresolved prior year audit issues, with a proposed action plan to resolve them
- documenting all significant management judgements and assumptions made when estimating transactions and balances
- reconciling all key account balances (including annual leave provisions) and clearing reconciling items
- supporting work papers evidencing how management has considered the requirements of new and updated accounting standards.
Recommendation (repeat)OLG should consider requiring early close procedures across the local government sector. |
It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at the earlier finalisation of financial statements to both council and the regulator should be a priority.
Given the continued increase in the number of extensions granted by OLG for councils to lodge their audited financial statements, there is room for more to be done to improve the timeliness of financial reporting by councils. OLG should, after discussing policy changes with the key stakeholders within the sector to ensure benefits can be realised, require early close procedures. Early close procedures should prioritise early completion of infrastructure, property, plant and equipment fair value assessments, impairment assessments and comprehensive valuations before 30 June.
This year, 82% (2020–21: 59%) of councils performed at least some early financial reporting procedures, including:
- completing infrastructure, property, plant and equipment valuations before 30 June (45 councils, 2020–21: 42 councils)
- performing fair value assessments of infrastructure, property, plant and equipment (36 councils, 2020–21: 24 councils)
- preparing proforma financial statements and associated disclosures (46 councils, 2020–21: 25 councils)
- assessing the impact of material, complex and one-off significant transactions (49 councils, 2020–21: 26 councils)
- explaining all unresolved prior year audit issues, with an action plan proposed to resolve them (69 councils, 2020–21: 39 councils)
- assessing the continuing impact of significant new accounting standards adopted in prior years (43 councils, 2020–21: 58 councils).
While more councils performed some early financial reporting procedures prior to 30 June 2022, the number of councils performing early close procedures over infrastructure, property, plant and equipment valuations prior to year-end did not substantially increase. In a year where market forces have inflated the values of both assets and asset inputs, the absence of IPPE early close procedures caused avoidable delays and adjustments to many councils’ financial statements.
3. Key audit findings
A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.
This chapter outlines the overall trends in governance and internal controls across councils and joint organisations in 2021–22.
Financial audits focus on key governance matters and internal controls supporting the preparation of councils’ financial statements. Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues are reported to management and those charged with governance through audit management letters. These letters include our observations, related implications, recommendations and risk ratings.
Section highlights
|
Total number of findings reported in audit management letters decreased
The following shows the overall findings of the 2021–22 audits reported in management letters compared with the previous year.
Findings are classified as new, repeat or ongoing, based on:
- new findings first reported in 2021–22 audits
- repeat findings first reported in prior year audits, but remain unresolved in 2021–22
- ongoing findings first reported in prior year audits, but the action due dates to address the findings are after 2021–22.
In rating the risk of audit findings, we assess the likelihood and consequence of the finding having regard to the length of time the issue remains unresolved. The lack of timeliness in resolving issues may indicate systemic issues and/or poor governance practices that warrant an increase in the consequence level. The longer the risk remains unresolved, the greater the chance the weakness could be exploited, or an adverse event or events could occur. As such, unresolved or unaddressed issues from prior periods are reassessed annually. This reassessment may lead to an increase in the risk rating adopted.
Findings are categorised as:
- governance
- financial reporting
- financial accounting
- asset management*
- purchases and payables
- payroll
- cash and banking
- revenue and receivables
- information technology.
The following table shows the breakdown of audit findings of the 2021–22 audits based on the defined categories and risk ratings.
Category | Total findings | High | Moderate | Low |
Governance | 177 | 8 | 112 | 57 |
Financial reporting | 42 | 7 | 27 | 8 |
Financial accounting | 66 | 9 | 37 | 20 |
Asset management | 267 | 55 | 165 | 47 |
Purchases and payables | 77 | 2 | 49 | 26 |
Payroll | 82 | 1 | 40 | 41 |
Cash and banking | 29 | 2 | 12 | 15 |
Revenue and receivables | 69 | -- | 31 | 38 |
Information technology | 236 | 9 | 178 | 49 |
Total | 1,045* | 93* | 651 | 301 |
The high-risk and common audit findings across these areas are explored further in this chapter.
3.1 Sector-wide common audit findings
Status of previous report recommendations
Our previous reports to Parliament focusing on Local Government made recommendations to all councils and to the Department of Planning and Environment. The current status of implementation of our recommendations is summarised as below, as well as relevant audit findings in 2021–22.
Recommendations to councils | Current status | |
Accounting for and full stocktake of rural firefighting equipment | ||
Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes. Consistent with the requirements of the Australian Accounting Standards, councils should recognise this equipment as assets in their 30 June 2022 financial statements. |
We continue to recommend that councils recognise vested rural firefighting equipment (repeat recommendation) |
Not addressed |
One hundred and six of the 146 completed audits of councils received rural firefighting equipment in 2021–22. Sixty-six councils have performed a full stocktake of these assets and 40 councils did not. Forty-seven councils recognised these assets in their 2021–22 financial statements. As reported in Section 2.1 of this report, 59 councils did not record rural firefighting equipment in their financial statements and 43 of these councils received qualified audit opinions because councils did not recognise rural firefighting equipment or because councils had not performed stocktake procedures to confirm the existence, condition and value of these assets. Sixteen councils did not record rural firefighting equipment, but had performed procedures to support their assertion that the carrying amount was not material to the financial statements. These councils received unqualified audit opinions. |
||
Asset valuations | ||
Councils should have all comprehensive asset revaluations completed by April of the financial year subject to audit. Councils should:
|
We continue to recommend that councils complete asset valuations before financial year-end to help avoid issues with the revaluation process (repeat recommendation) Sixty-nine of the 146 completed audits of councils have at least partially implemented these recommendations in 2021–22 In 2021–22 we identified a total of 267 (2021: 288) findings that related to asset management. Further, we identified that 53 (2021: 58) councils had deficiencies in their annual process to ensure their assets are stated at fair value. Common issues in annual fair value assessments and in comprehensive revaluations include:
Council’s financial statements contained corrected errors relating to asset valuations:
|
Not addressed |
Improvements to controls and processes over asset source records | ||
Councils need to improve controls and processes to ensure integrity and completeness of asset source records. Councils should:
|
We continue to recommend that councils improve controls and processes to ensure integrity and completeness of asset source records (repeat recommendation) |
Not addressed |
One hundred and six of 146 completed audits of councils have at least partially addressed these recommendations in 2021–22. Sixty-six councils have fully addressed our recommendations and 40 councils have partially addressed our recommendations. Fifty-two (2021: 67) councils had weak processes over maintenance, completeness and security of fixed asset registers as reported in Section 3.5 below. Common issues identified include:
As reported in Chapter 2, ‘Audit results’, 28 (2020–21: 19) Forty-two (2020–21: 46) corrected errors from 31 councils, amounting to $243.1 million (2020–21: $102.1 million), relate to poor record keeping of asset data, such as:
|
||
Tracking recommendations | ||
Councils and those charged with governance should track the progress of implementing recommendations from financial audits, performance audits and public inquiries. |
More councils are tracking audit recommendations. Councils should focus on tracking audit recommendations and prioritise high-risk repeat issues |
Not addressed |
One hundred and twenty-two of 146 completed audits of councils have at least partially addressed these recommendations in 2021–22. Ninety-eight councils have fully addressed this recommendation and track progress of implementing recommendations from financial audits, performance audits and public inquiries. Twenty-four councils partially addressed our recommendation by not tracking all recommendations covering financial audits, performance audits and public inquiries. Given 52% (2020–21: 53%) of total findings reported in 2021–22 audit management letters were repeat or partial repeat findings from prior years, councils need to focus on tracking audit recommendations, giving priority to high-risk repeat issues. |
||
The department should intervene where councils do not recognise rural firefighting equipment | ||
Consistent with the department’s role to assess council’s compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise rural firefighting equipment. |
We continue to recommend that the department should intervene where councils do not recognise vested rural firefighting equipment (repeat recommendation) |
Not addressed |
Since 2017, the Audit Office has recommended that the OLG and then the department address the different practices across the local government sector in accounting for rural firefighting equipment. In doing so, the Audit Office recommended that OLG should work with NSW Treasury to ensure there is a whole-of-government approach. NSW Treasury has articulated and communicated its clear position. It is the department’s role to assess whether intervention is appropriate with respect to councils’ compliance with and performance against legislative responsibilities, standards or guidelines. Despite these repeated recommendations in our ‘Local Government 2021’ and ‘Planning and Environment 2022’ Auditor-General’s reports, the department has not been effective in resolving this issue. Forty-three of 146 completed audits of councils received qualified audit opinions on their 2022 financial statements in relation to this issue. It is our view that this situation is unlikely to be resolved in the absence of regulatory intervention and the department should now intervene to address this matter as a priority. |
||
Early close procedures | ||
OLG should require early close procedures across the local government sector by 30 April 2023. |
We continue to recommend that OLG consider requiring early close procedures across the local government sector (repeat recommendation) |
Not addressed |
Potential policy requirements requiring early close procedures have not been discussed with key stakeholders, nor have requirements to perform early close procedures been communicated by OLG to councils and joint organisations as at the date of this report. | ||
Legal framework | ||
In our Report on Local Government 2020, we recommended OLG should clarify the legal framework relating to restrictions of water, sewerage and drainage funds (restricted reserves) by either seeking an amendment to the relevant legislation or by issuing a policy instrument to remove ambiguity from the current framework. | This recommendation has not been implemented. | Not addressed |
Cyber security management
Poor management of cyber security can expose councils to a broad range of risks, including financial loss, reputational damage and breaches of data involving the unauthorised release of sensitive data and personally identifiable information.
The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.
A lack of cyber security maturity continues to be a sector-wide common audit finding among councils.
Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:
- cyber security framework, policy and procedure
- register of cyber incidents
- simulated cyber attack testing (penetration testing)
- cyber security training and awareness program.
Refer to Section 3.10 ‘Information technology’ for further details on gaps identified in cyber security management.
Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place
Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.
In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW local government on 19 December 2022. The guidelines:
- allow councils to assess their cyber security maturity and their maturity uplift
- outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
- can be adopted by councils or used to form the basis of an internally developed cyber security policy
- are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.
Sixty-nine councils (47% of councils) do not have a formal cyber security plan. These councils need to prioritise creation of a cyber security plan, based on the OLG’s Cyber Security Guidelines for NSW Local Government, in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. All councils should update their cyber security plans based on the guidelines.
The risks associated with poor cyber security maturity are compounded by information technology control weaknesses and poor information systems security hygiene. Our findings in relation to these deficiencies are detailed in Section 3.10 of this report.
Recommendation to councilsAll councils need to prioritise and create a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG. |
3.2 Governance
Governance is the framework of rules, processes and systems that enables organisations to achieve goals and comply with legal requirements. Good governance promotes public confidence and satisfaction in councils’ operations. Key governance areas include appropriate accountability mechanisms, operational and financial risk management, and fraud prevention.
Governance findings decreased from 214 to 177
Audit management letters reported 177 findings relating to governance (2020–21: 214 findings). Sixty-three per cent (2021: 65%) were repeat or partial repeat findings.
High-risk findings
Seven high-risk findings were reported at the following councils, including one new finding and six repeat findings elevated from moderate risk in 2020–21. All the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks. One new high-risk finding related to 2020–21.
Council | Description |
2021–22 findings | |
Coonamble Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council does not have a documented legislative compliance policy, legislative compliance register, risk management policy, fraud control plan, cyber risk policy or framework. Council’s fraud control policy was last updated in 2005 and council has not undertaken a fraud control risk assessment. |
Lismore City Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council does not have a centralised legislative compliance register. Council does not have formalised process for allocating compliance responsibility or identifying and monitoring instances of non-compliance. |
Brewarrina Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council does not have a documented legislative compliance policy, council-wide risk register, fraud control plan, cyber risk policy or framework. Council’s public interest disclosure policy has not been reviewed since 2013. Council did not undertake a fraud control health check, cyber security penetration testing, or fraud awareness and cyber security training. |
Gwydir Shire Council (one repeat finding elevated from moderate to high-risk in 2021–22 and one new finding) |
Council is in the process of completing the fraud control health check and fraud risk assessment. However, there is no fraud control policy or plan and no fraud awareness training has been conducted. Council was unable to determine whether they spent restricted funds for unrestricted purposes during 2021–22, without the appropriate approvals under the LG Act (new finding). |
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to high-risk in 2021–22) |
Council does not have a formal legislative compliance policy or legislative compliance register to capture and report on its compliance with key legislation. |
Tamworth Regional Council (repeat finding, elevated from moderate to high-risk in 2021–22) |
Council does not have a fraud control plan to manage potential fraud risk. However, Council performed a fraud risk assessment in June 2021. |
2020–21 findings* | |
Kiama Municipal Council |
The council should continue to develop strategies to:
|
Common findings
The common governance findings reported in audit management letters related to deficiencies in corporate governance policies, fraud controls and legislative compliance.
Key corporate governance policies were not in place or regularly updated at 62 councils
The common areas where councils were missing governance policies are summarised below.
Area of corporate governance with absent or outdated policies | Number of councils |
Risk management | 15 |
Contract management | 13 |
Business continuity plan | 19 |
Gifts and benefits | 5 |
Public interest disclosures | 7 |
Other policies not formally adopted or subject to timely review | 31 |
Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.
Further issues were identified in contract management for 23 (2020–21: 30) councils. While contract management policies were in place for these councils, we identified deficiencies in their contract management practices or contract register management. There is an increased risk of non-compliance with the Government Information (Public Access) Act 2009 or contractual terms.
Deficiencies in fraud control processes at 20 councils
Twenty councils reported deficiencies in fraud control processes, an improvement from 34 councils reported in 2020–21.
The following fraud control deficiencies were reported in audit management letters.
Fraud control deficiencies | Number of councils |
Council did not provide fraud awareness training to staff | 7 |
Council did not perform a fraud risk assessment | 9 |
Council did not have a fraud and corruption prevention policy, or it was outdated | 10 |
Council did not require staff to provide annual attestations to the Code of Conduct | 8 |
Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.
Lack of legislative compliance policies or register at 21 councils
Twenty-one councils did not have a sufficient legislative compliance policy or register. This has decreased from 25 councils reported in 2020–21.
Legislative compliance frameworks assist councils to monitor compliance with key laws and regulations. This is important as councils provide a broad range of services to the community and are subject to many legal requirements. A legislative breach can attract penalties, impact service delivery and cause significant reputational damage.
Councils and joint organisations that do not currently have an ARIC should take action to ensure they comply with legislative requirements
Audit, Risk and Improvement Committees (ARIC) are an important contributor to good governance. They help councils to understand strategic risks and how they can mitigate them. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.
Without an effective ARIC, there is a lack of independent oversight on how council is functioning and managing risk.
The Office of Local Government has issued comprehensive ’Guidelines for Risk Management and Internal Audit for Local Government in NSW’ to assist councils and joint organisations to implement these requirements.
One hundred and nineteen councils have established an Audit, Risk and Improvement Committee as at 4 June 2022, as required under the LG Act
As at 30 June 2022, 31 councils or joint organisations have not established an ARIC at 30 June 2022. These councils have not complied with the requirements of the LG Act, but more importantly, a key governance mechanism is absent.
Under the LG Act, all councils and joint organisations were required to have an ARIC or to have entered into an arrangement with another council or joint organisation to share an ARIC from 4 June 2022.
In August 2021, the OLG issued draft ‘Guidelines for Risk Management and Internal Audit for Local Councils in NSW (the Guidelines)’, which has not been finalised. The Guidelines cover the requirements for ARICs (including membership), risk management framework and internal audit function.
Subsequent to the draft Guidelines, OLG and NSW Treasury agreed that the NSW Government’s Prequalification Scheme for Audit and Risk Committee Chairs and Members will not be suitable for use by councils and joint organisations. On 20 July 2022, OLG issued a Circular 22-21 ‘Update on membership requirements for audit, risk and improvement committees’, to confirm this agreement.
Under the new requirements, councils must ensure ARIC chairs and members meet the eligibility and independence requirements, as set out in the Guidelines, from 1 July 2024.
On 19 December 2022, the OLG issued a further circular to inform the sector that the draft guidelines have been approved but remain in draft until amendments to the supporting Local Government (General) Regulation 2021 (giving statutory force to elements of the Guidelines) come into force in 2023.
ARICs can be more effective in discharging all of their functions
ARICs could be more effective in discharging all of their functions and managing councils’ risks including:
- cyber risk management (refer to Section 3.10) including 25% of councils that have not communicated cyber risk with those charged with governance, including council ARICs
- tracking the progress of implementing recommendations from financial audits, performance audits and public inquires (refer to Section 3.1)
- prioritising tracking of repeat and high-risk audit findings. Fifty-two per cent of total audit findings reported in 2021–22 audit management letters were repeat or partial repeat findings from prior years (refer to Section 3.1)
- ensuring internal certification processes have occurred and reviewing the financial statements for completeness and accuracy. ARICs can play an important role in providing feedback on financial statements before they are submitted to audit as part of management’s quality review process. Sixty-seven (2021: 44) councils’ ARICs reviewed financial statements before submission to the Audit Office. Fifty-two (2021: 67) councils’ ARICs did not review financial statements before submission to the Audit Office. Only 28 (2021:16) ARICs obtained certification of effectiveness of internal controls from management to support the financial statements and information.
As previously reported, there is an opportunity for OLG to issue guidance to councils to develop an internal control certification process as better practice. In the NSW state sector, Chief Financial Officers provide an annual certification as to the effectiveness of its systems, processes and internal controls for ensuring that financial information is relevant and reliable.
As at 30 June 2022, 119 councils have established an ARIC. Of the 119 councils, ten have a shared arrangement with other councils. Opportunities also exist for councils to gain efficiencies by increasing the number of shared ARICs where scale or geographical location makes it practicable to do so.
3.3 Financial reporting
Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making is enhanced when financial reporting is accurate and timely.
Financial reporting findings decreased from 83 to 42
Audit management letters reported 42 findings relating to financial reporting (2020–21: 83 findings). Fifty-five per cent (2021: 45%) were repeat or partial repeat findings.
High-risk findings
High-risk findings, including two repeat findings, one new finding and four repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. Four of the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks.
Council | Description |
2021–22 findings | |
Central Coast Council (repeat finding) | While noting improvements in the quality and timeliness of the financial statements and supporting work papers provided to audit, the financial statements required amendments to correct material monetary misstatements and disclosure deficiencies. |
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to high risk in 2021–22) |
The supporting work papers for the financial statements provided to audit were significantly delayed and contained errors and omissions causing delays to the audit process. |
Edward River Council (repeat finding, elevated from moderate to high-risk in 2021–22) | Quality and timeliness of financial statements and supporting work papers needs improvement. Several amendments were required which delayed the audit process and required council to seek extensions with OLG. |
Hilltops Council (repeat finding elevated from moderate to high risk in 2021–22) |
While noting improvements in timeliness of responses to most of the audit requests, there were delays with some supporting documentation for the comprehensive valuations of IPPE, the going concern assessment and bank confirmation differences. |
Shoalhaven City Council (repeat finding) | Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies, and working papers did not satisfactorily reconcile to the financial statements. |
Queanbeyan-Palerang Regional Council (new finding) |
Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies. |
Murray River Council (repeat finding, elevated from moderate to high risk in 2021–22) | Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies. These matters led to delays and inefficiencies in the audit process and required council to seek extensions with OLG. |
Common findings
Common findings across councils include:
- Financial statements submitted for audit for 16 (2020–21: 30) councils contained numerous errors and disclosure deficiencies.
- Lack of preparation for the audit, such as having a financial reporting plan, impacted the timeliness of financial reporting at 18 (2020–21: 21) councils.
- Eight (2021: 11) councils had deficiencies in related parties’ policies and disclosure.
Further analysis and insights on financial reporting findings are detailed in Chapter 2 ‘Audit results’.
3.4 Financial accounting
Financial accounting refers to the processes adopted by management to record and review financial information across the business. Councils use a combination of manual and automated processes and digital information systems to process financial information. Effective processes support the accuracy and completeness of information presented in the financial statements.
Financial accounting findings decreased from 79 to 66
Audit management letters reported 66 findings relating to financial accounting (2020–21: 79 findings). Fifty per cent (2021: 38%) were repeat or partial repeat findings.
High-risk findings
Eight high-risk findings, including two new findings, four repeat findings and two repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. One new high-risk finding related to 2020–21.
Council | Description |
2021–22 findings | |
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review. |
Hilltops Council (new finding) |
Council’s initial going concern assessment was inadequate and did not sufficiently support cash flow forecasts and management’s modelling assumptions. |
Snowy Monaro Regional Council (three findings - two repeat and one new finding) |
Council continued to face financial sustainability pressure in 2021–22. To meet day-to-day operational requirements, council may have used its internally allocated funds, which are decreasing. Management did not provide a detailed cash flow forecast by 28 February 2022, as agreed in response to our recommendation in the prior year’s management letter. Management used a high-level cash flow forecast to support its going concern assessment. However, it did not assess the appropriateness of the cash flow assumptions it used in that forecast, nor did it proactively monitor the level of restricted and unrestricted cash balances throughout the year. Council’s financial accounting processes and controls had the following deficiencies (new finding):
|
Dungog Shire Council (repeat finding) |
Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review. |
MidCoast Council (repeat finding) |
Council did not perform monthly general ledger reconciliations during 2021–22. Management was not able to validate the reasons behind some immaterial unreconciled balances. |
Orange City Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review. There is no automated audit trail showing the preparer and approver of journals. |
2020–21 findings* | |
Kiama Municipal Council |
Councillors and management were unable to attest as to whether the financial statements were a true and fair representation of the council’s financial position and performance. As a result, we issued a Disclaimer of Opinion over the council’s financial statements. The factors that led to this relate primarily to the loss of data and supporting documentation from an earlier migration of the financial management information system and significant staff turnover, which led to a loss of corporate knowledge. |
Common findings
The common financial accounting findings reported in audit management letters related to deficiencies in key account reconciliations and processing of manual journal adjustments.
Lack of segregation of duties with manual journal adjustments at 12 councils
There was a lack of segregation of duties over the posting of manual journal adjustments to financial information at 12 councils. An independent review of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.
Key account reconciliations were not prepared in a timely manner or independently reviewed at 29 councils
Regular reconciliations of financial information, which are appropriately reviewed ensures timely identification of errors and facilitates a more efficient audit process. It was reported in audit management letters that:
- there was no evidence of independent review of key account reconciliations at 20 councils
- 15 councils did not reconcile all key balances in the financial statements in a timely manner.
3.5 Asset management
Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as recording and valuing assets in accordance with Accounting Standards.
Asset management findings decreased from 288 to 267
Audit management letters reported 267 findings relating to asset management (2020–21: 288 findings). Fifty-nine per cent (157 findings) (2020–21: 39%, 112 findings) were repeat or partial repeat findings.
High-risk findings
High-risk findings decreased from 69 to 55 in 2021–22, including 45 (2021: six) repeat findings and eight repeat moderate findings elevated to high risk. The decrease was mainly due to the drop of high-risk findings in relation to the non-recognition of rural firefighting equipment from 60 to 43.
Forty-three councils had a high-risk finding reported in their audit management letter relating to unrecorded vested rural firefighting equipment
Chapter 2 ‘Audit results’ reported 59 councils did not record rural firefighting equipment in their financial statements. This was reported as a high-risk finding for 43 councils in 2021–22. Sixteen councils that had high-risk findings in 2020–21 relating to the non-recognition of rural firefighting equipment addressed the issue in 2021–22 by performing procedures to determine that the value of these assets was not material.
2021–22 councils with high-risk findings on unrecorded rural firefighting equipment | |||
Bathurst Regional Council | Cootamundra-Gundagai Regional Council | Lachlan Shire Council | Tamworth Regional Council |
Bega Valley Shire Council | Dungog Shire Council | Leeton Shire Council | Temora Shire Council |
Bellingen Shire Council | Edward River Council | Lockhart Shire Council | Tenterfield Shire Council |
Bland Shire Council | Federation Council | Mid‑Western Regional Council | Tweed Shire Council |
Blayney Shire Council | Forbes Shire Council | Moree Plains Shire Council | Upper Lachlan Shire Council |
Byron Shire Council | Glen Innes Severn Council | Murray River Council | Wagga Wagga City Council |
Cabonne Council | Greater Hume Shire Council | Murrumbidgee Council | Warrumbungle Shire Council |
Carrathool Shire Council | Griffith City Council | Queanbeyan‑Palerang Regional Council | Weddin Shire Council |
Cessnock City Council | Hilltops Council | Snowy Monaro Regional Council | Wollondilly Shire Council |
Clarence Valley Council | Junee Shire Council | Snowy Valleys Council | Yass Valley Council |
Coolamon Shire Council | Kempsey Shire Council | Sutherland Shire Council |
Chapter 2 ‘Audit results’ includes more information on the recognition of rural firefighting equipment.
Other high-risk findings
Twelve (2020–21: nine) other high-risk findings predominantly related to data integrity of asset registers, fair value assessment of assets, asset valuation process, and provision for rehabilitation landfill sites. These were identified in the following councils.
Council | Description |
2021–22 findings | |
Central Coast Council (repeat issue) | Council’s initial fair value assessment of IPPE did not consider the most relevant data/indices. This resulted in material corrections to the financial statements. |
Cobar Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council did not formally assessed its provision for rehabilitation of landfill sites in prior years and was required to revisit the key assumptions in the estimates including timeframes, costs and type/nature of the landfill cells. Subsequently, council revised the assumptions within the 2019 independent valuation estimate and recognised a provision for rehabilitation of landfill sites in its 30 June 2022 financial statements. |
Dubbo Regional Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Issues identified with asset revaluations and management processes:
|
Leeton Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council’s fixed asset register, which contains the financial records supporting IPPE, is maintained within Microsoft Excel spreadsheets, rather than and IT application. |
Murrumbidgee Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council does not recognise the cost for asset remediation as a provision for the tip sites and quarries. Council disclosed this as a contingency in its financial statements as it was unable to reliably estimate the financial cost of such work and did not have a formal landfill and environmental management plan. |
Gwydir Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council’s fair value and impairment assessment for its IPPE assets is inadequate and resulted in material amendments to the 30 June 2022 financial statements. |
Hilltops Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council does not have documented evidence of its assessment of the cost estimates and remaining useful life of its tip and quarry sites, used in its rehabilitation provision. |
Orange City Council (repeat finding, elevated from moderate to high risk in 2021–22) | Council’s fair value and impairment assessment for its IPPE assets is inadequate and resulted in material amendments to the 30 June 2022 financial statements. |
Shoalhaven City Council (repeat finding, elevated from moderate to high-risk in 2021–22) |
Council’s fair value and impairment assessment for its IPPE assets is inadequate. Also:
|
Murray River Council (two repeat findings) |
The following weaknesses identified with accounting procedures for IPPE:
|
Inner West Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council’s comprehensive revaluations process of roads, footpaths, kerb and gutters, bulk earthworks, other road assets and car parks contained the following deficiencies:
|
Common findings
The common asset management findings reported in audit management letters related to deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.
Weak processes over maintenance, completeness and security of fixed asset registers at 52 councils
Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.
Fixed asset register issues reported in audit management letters | Number of councils |
Council did not maintain an accurate and complete fixed asset register. This included:
|
29 |
Council did not regularly update their fixed asset register for additions and disposals. | 32 |
Asset registers were not maintained in a secure format (for example, use of unlocked spreadsheets or multiple systems). | 13 |
We continue to see weak processes over maintenance and security of fixed asset registers. There continues to be issues with accuracy and completeness of the asset register, duplication or missing assets, and asset registers not being reconciled with the asset management systems.
Prior period errors continue to predominately relate to the quality of asset records and asset revaluation errors such as found and duplicate assets.
Deficiencies in infrastructure asset revaluation processes at 53 councils
Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.
Deficiencies were identified in infrastructure asset valuations at 53 councils, including:
- inadequate documentation to support key assumptions and judgements applied including:
- useful lives and condition assessments
- unit rates used to value infrastructure assets
- incorrect classification of assets
- incorrect exclusion of some assets from valuations
- management not documenting their quality review over the asset valuation
- errors in annual fair value assessments when applying indices to adjust fair values/deficiencies in the annual fair value assessment process.
Opportunities for councils to improve the valuation process and perform valuations earlier
Performing asset valuations earlier gives time for management and auditors to complete all requirements before the financial statements are prepared and facilitates earlier sign offs. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results‘:
- 45 (2020–21: 42) councils completed infrastructure, property, plant and equipment valuations before 30 June 2022
- 36 (2020–21: 24) councils performed fair value assessments of infrastructure, property, plant and equipment.
Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:
Improvements to council landfill rehabilitation accounting practices required at 25 councils
Australian Accounting Standards require recognition of a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when it can be reliably measured. Such provisions should be annually reassessed for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.
Common findings identified in council landfill rehabilitation accounting practices include:
- no formal assessment of obligations to rehabilitate landfill sites
- insufficient documentation of provision calculations to support inputs, assumptions and key data for accounting of the provisions
- costs associated with post-closure, aftercare and monitoring of landfill sites in their provisions not included in the assessment.
3.6 Purchases and payables
Councils spend substantial funds each year to procure goods and services. It is important there is appropriate probity, accountability and transparency in procurement to reduce the risk of unauthorised purchases, corrupt and fraudulent behaviour, and value for money not being achieved.
Purchases and payables findings decreased from 105 to 77
Audit management letters reported 77 findings relating to purchases and payables (2020–21: 105 findings). Forty-nine per cent (2021: 55%) were repeat or partial repeat findings.
High-risk findings
Two high-risk findings, both elevated from moderate risk in 2020–21, were reported at the following councils.
Council | Description |
2021–22 findings | |
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council’s creditor Masterfile changes report was not prepared or reviewed. |
Liverpool Plains Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council’s procurement process contained the following deficiencies:
|
Common findings
The common purchases and payables findings reported in audit management letters related to controls around purchase orders, review of creditor information and deficiencies in credit card management practices.
Increase in number of councils with controls around purchase orders being absent or not enforced
At 35 (2020–21: 12) councils, we identified that employees could approve their own purchase orders. At 44 (2020–21: five) councils, we identified that purchase orders were approved without appropriate delegation. It is important there is segregation of duties and appropriate delegation in procurement to reduce the risk of fraud and misuse of public money.
Purchase orders were approved after the receipt of goods or services at 56 (2020–21: 28) councils. Purchase orders should be issued before requesting goods or services to reduce the risk of unauthorised transactions.
Insufficient review of changes to creditor information at 13 councils
Thirteen (2020–21: 29) councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Councils should review each change or perform a regular collective review of changes.
3.7 Payroll
Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award. Payroll processes and information systems should protect the integrity of employee records and timesheet data to ensure accurate payments to employees and leave entitlement calculations.
Payroll findings decreased from 96 to 82
Audit management letters reported 82 findings relating to payroll processes (2020–21: 96 findings). Sixty-five per cent (2020–21: 60%) were repeat or partial repeat findings.
High-risk findings
One high-risk finding relating to payroll processes in 2021–22 (2020–21: nil) reported at the following council. The high-risk finding was a repeat issue elevated from moderate risk in 2020–21.
Council | Description |
2021–22 findings | |
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Council’s payroll Masterfile changes report was not prepared or reviewed. |
Common findings
The common payroll findings reported in audit management letters related to deficiencies in the review of employee payroll data and excessive annual leave balances.
Changes to employee payroll data are not reviewed at 16 councils
Sixteen councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils.
3.8 Cash and banking
Councils process a high volume of transactions each year. Effective controls over cash collection, disbursements and reconciliations reduce the risk of fraud and error.
Cash and banking findings decreased from 36 to 29
Audit management letters reported 29 findings relating to cash and banking (2020–21: 36 findings). Forty-one per cent were repeat or partial repeat findings.
High-risk findings
Two high-risk findings, including one new finding and one repeat finding elevated from moderate risk in 2020–21, were reported at the following councils.
Council | Description |
2021–22 findings | |
Hilltops Council (repeat finding, elevated from moderate to high risk in 2021–22) |
Monthly bank and investments reconciliations were not performed for some bank accounts. Misstatements in cash and investments balances were identified in both 2021–22 and 2020–21 audits. |
Penrith City Council (new finding) | Under Section 355 of the LG Act, the council delegated authority to volunteer committees to manage several smaller recreational/community facilities. At 30 June 2022, the council’s cash balance reported in the financial statements included cash relating to these committees. Our audit identified deficiencies in the council’s process for managing the cash balances of the committees. |
Common findings
The common cash and banking findings reported in audit management letters related to outdated bank signatories, the lack of segregation of duties in the cash handling process and the lack of security of payment files.
Outdated bank signatories at ten councils
Bank signatories are not being removed on a timely basis. Ten councils still had their former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.
Deficiencies in the cash handling processes at six councils
Deficiencies in the cash handling process were identified at six councils, including lack of daily cashier reconciliation and lack of segregation of duty. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.
Lack of security of payment files for pay runs at three councils
Three councils did not encrypt Electronic Funds Transfer payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.
3.9 Revenue and receivables
Councils receive revenue from a range of different sources, including rates and annual charges, user charges and fees, operating and capital grants and contributions, and other revenue (such as interest, investments and asset disposals). It is important that councils have appropriate internal controls to accurately record revenue and receivables in compliance with accounting standards and legal requirements.
Revenue and receivable findings decreased from 80 to 69
Audit management letters reported 69 findings relating to revenue and receivables (2020–21: 80 findings). Forty-two per cent were repeat or partial repeat findings.
High-risk findings
There were no high-risk findings related to revenue and receivable processes in 2021–22 (2020–21: nil).
Common findings
The common revenue and receivables findings reported in audit management letters related to deficiencies in the review of changes to fee tables and property data in council rates systems, and inappropriate revenue recognition practices.
Lack of review of changes to fee tables and property data in the rating system at 15 councils
Council systems contain fee tables and property information, which are used to determine rates and annual charges levied on different properties. Fifteen councils do not adequately review changes for accuracy and appropriateness. This increases the risk of errors in recording rates and annual charges in the financial statements.
Inappropriate revenue recognition at 16 councils
Sixteen councils had findings raised relating to their revenue recognition practices, including:
- no effective internal controls to ensure the completeness of revenue activities recorded
- deficiencies in grants recognition that resulted in misstatement in the financial statements
- use of cash accounting basis to recognise some revenue transactions, rather than accruals.
Deficiencies in revenue recognition practices resulted in 38 errors identified in councils’ financial statements, totalling $65.1 million.
3.10 Information technology (IT)
Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure confidentiality, and integrity of systems and data. These controls underpin the integrity of financial reporting.
Financial audits involve the review of IT general controls relating to key financial systems supporting the preparation of council financial statements, addressing:
- policies and procedures
- IT risk management
- user access management
- privileged user access restriction and monitoring
- system software acquisition, change and maintenance
- disaster recovery planning
- cyber security and patch management.
IT findings decreased from 296 to 236
Audit management letters reported 236 findings relating to IT (2020–21: 296 findings). Seventy-three per cent were repeat, partial repeat or ongoing findings.
High-risk findings
High-risk findings, including repeat and ongoing findings, were reported at the following councils. Increase in high-risk findings are due to a number of unresolved prior year’s moderate risk findings being reassessed as high risk. These repeat findings need to be resolved as a priority.
Council | Description |
2021–22 findings** | |
Dubbo Regional Council (repeat finding) |
Council had the following information technology (IT) access control issues:
|
Lismore City Council (repeat finding) | No periodic review of users who can purge audit logs. |
Wagga Wagga City Council (repeat finding) |
Council had the following IT access control issues:
|
City of Paramatta Council (repeat finding*) |
Council had the following IT access control issues:
|
Dungog Shire Council (repeat finding*) |
Council had the following IT control issues:
|
Liverpool Plains Shire Council (repeat finding*) |
Council’s key formal IT policies are missing or outdated. |
Coonamble Shire Council (repeat finding*) |
Council had the following IT access control issues:
|
Orange City Council (repeat finding*) | Council did not have formal IT security policy and procedures. |
Uralla Shire Council (repeat finding*) | Council did not have key IT policies, IT business continuity plan or IT disaster recovery plan. |
Common findings
The common IT findings reported in audit management letters related to deficiencies in IT policies and procedures, lack of a cyber security framework, and controls and gaps in user access management processes. This is consistent with what we reported in our ‘Local Government 2021’ report.
IT policies and procedures were outdated or not in place at 43 councils
Forty-three councils (2020–21: 59 councils) did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.
Lack of periodic user access review at 28 councils and insufficient control over privileged users at 46 councils
The following common access management findings were identified:
- 28 councils (2020–21: 42 councils) did not perform a periodic user access review to ensure users’ access to key IT systems were appropriate and commensurate with their roles and responsibilities.
- 46 councils (2020–21: 73 councils) had gaps in privileged users’ management process. This includes gaps in restriction of privileged users’ access or monitoring of the privileged users’ activity logs.
Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of unauthorised transaction or modification of sensitive data and transactions. The common findings above may be rated high-risk when there are no mitigating controls to prevent or detect any unauthorised transactions.
While the above two findings are considered as common findings across councils, we have noticed a significant improvement compared to last year with a 33% reduction in the number of councils with periodic user access review findings, and a 37% reduction in the number of councils with insufficient control over privileged users.
Cyber security frameworks and related internal controls were not in place at 63 councils
The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.
While there is currently no requirement for councils to comply with the NSW Government’s Cyber Security Policy, councils may find it useful to refer to the policy for further guidance.
Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:
- cyber security framework, policy and procedure
- register of cyber incidents
- simulated cyber attack testing (penetrations testing)
- cyber security training and awareness program.
Poor management of cyber security can expose councils to a broad range of risks, including:
- theft of corporate and financial information and intellectual property
- theft of money
- denial of service
- destruction of data
- costs of repairing affected systems, networks and devices
- legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
- third-party losses when personal information stored on government systems is used for criminal purposes.
Gaps in cyber security management in the local government sector have been continuously highlighted, since our Report on Local Government 2019 first recommended that the Office of Local Government (OLG) within the Department of Planning and Environment should develop a cyber security policy to ensure cyber security risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.
As of 19 December 2022, OLG has published Cyber Security Guidelines for NSW Local Government. OLG highlighted that councils can adopt the Guidelines or use them to form the basis of an internally developed cyber security policy. Adherence to the Guidelines is strongly recommended by OLG, but voluntary, with no requirement to report maturity scores to the OLG or to Cyber Security NSW.
Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cyber security plan, which may prevent them from implementing key cyber security controls. With no timeframes set for councils to create a cyber security plan or reporting requirements to the OLG, this further increase the risk that councils may have delays in the implementation of their cyber security controls.
The Cyber Security Guidelines were released by OLG after the 2021–22 financial audit period and hence the full impact of it to councils’ cyber security maturity is yet to be seen. However, the data we collected across all 150 councils and joint organisations, identified that at the time when the guidance from OLG was yet to be published, some councils had started developing their cyber security plans adopting guidance from the following sources:
- Cyber Security NSW
- the Australian Cyber Security Centre (ACSC)
- International Organization for Standardization (ISO standards)
- the National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard (PCI DSS).
Cyber security management
Cyber security continues to be a sector-wide common audit finding among councils. However, we are seeing some improvements over the implementation of basic cyber security controls that we expect councils to have in place. Whilst our review shown below is limited to the high-level governance of cyber security implementation in local government, the improvements noted indicate that even though there was no formal policy/guidance published for councils at the time of our audit, some councils are working to improve gaps identified in their cyber security management.
Gaps identified | FY2021 | FY2022 | % |
Councils with no formal cyber security policy | 46% | 47% | 1% |
Councils with no formal cyber security roles and responsibilities established | 39% | 33% | 6% |
Councils that have not communicated cyber risk with those charged with governance | 24% | 25% | 1% |
Councils that do not have cyber security identified as a risk in their enterprise risk register | 28% | 23% | 5% |
Councils without a register of cyber attack/incidents | 40% | 30% | 10% |
Councils that are yet to conduct cyber security training and awareness programs to their staff | 51% | 34% | 17% |
Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place
Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.
In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW Local Government on 19 December 2022. The guidelines:
- allow councils to assess their cyber security maturity and their maturity uplift
- outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
- can be adopted by councils or used to form the basis of an internally developed cyber security policy
- are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.
We recommended that all councils should create/update a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.
Appendices
Appendix two – Status of audits
Appendix three – Councils received qualified audit opinions
Appendix four – Common reasons for council extensions
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.