Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths and drains, and enforce various laws. While core functions such as waste collection are similar across councils, the range of services each council provides can vary depending on the needs of each community.

County councils are formed for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.

Joint organisations (JO) are formed by councils in regional New South Wales. Core activities of JOs include regional strategic planning and priority setting, engaging in shared services with member councils, and regional advocacy and collaboration with the state and federal governments.

Indicators of quality financial reporting include:

• unqualified audit opinions
• the number of errors in financial statements
• timeliness in preparing financial statements.

Audit opinions

Unqualified audit opinions were issued for 103 councils and joint organisations

We issued a total of 146 audit opinions on councils and joint organisations 2021–22 financial statements as at the date of this report. One hundred and three councils and joint organisations received unqualified audit opinions for their 30 June 2022 financial statements audits. For these councils sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement, and were prepared in accordance with Australian Accounting Standards and the LG Act.

A disclaimed audit opinion was issued to Kiama Municipal Council relating to its 30 June 2021 financial statements

A disclaimer of opinion was issued for the 30 June 2021 financial statements of the Kiama Municipal Council.

A disclaimed audit opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence upon which to form an opinion on the council’s financial statements, and the auditor concludes that the possible effects of undetected misstatements in the financial statements could be both material and pervasive.

Councillors and management declared, in the Statement required by Councillors and Management (the Statement) under Section 413(2)(c) of the LG Act, that they were unable to certify as to the completeness and reliability of the financial statements taken as a whole for the year ended 30 June 2021.

In the period leading up to the preparation of the 30 June 2021 financial statements council implemented a new financial management information system. However, data was lost during the migration from the legacy system to the new system. During the implementation council also experienced high rates of staff turnover. The combination of these factors contributed to the loss of both data and corporate knowledge. As a result, there was insufficient data to support a significant number of financial statement line items, and the staff who might have provided explanations had left council’s employment.

There was an inadequate system of internal control to support accurate financial reporting and to mitigate the risk of fraud. Council’s accounting records were insufficient to support reliable reporting or comply with legislative obligations.

The deficiencies in books and records, which have been acknowledged by councillors and management in their Statement, mean we have been unable to obtain sufficient appropriate audit evidence or perform alternative testing procedures to enable us to conclude on the completeness and accuracy of the council’s financial statements as a whole.

Non-recognition of rural firefighting equipment by councils was the single largest source of error within council financial statements

While 47 (2020–21: 41) councils recognised the rural firefighting equipment vested to them in their financial statements, including 14 councils that recognised the equipment for the first time, inconsistent and non-compliant practices regarding recognition of this equipment persist across the local government sector.

The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.

Councils that have rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997 (Rural Fires Act), should recognise these assets in their financial management systems, as well as considering their condition and useful life.

As previously reported in Local Government 2021 and Planning and Environment 2022 Auditor-General’s reports (tabled in NSW Parliament on 22 June 2022 and 15 December 2022 respectively), the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We further reported in ‘Local Government 2021’ that the non-recognition of this equipment may impact the financial statement audit opinions of those councils.

These assets are controlled by the councils and should be recognised as assets in accordance with AASB 116 ‘Property, Plant and Equipment’. Australian Accounting Standards refer to control of an asset as being the ability to direct the use of, and obtain substantially all of the remaining benefits from, the asset. Control includes the ability to prevent other entities from directing the use of, and obtaining the benefits from an asset.

Rural firefighting equipment is controlled by councils as:

• these assets are vested in the council under Section 119(2) of the Rural Fires Act, giving councils legal ownership
• councils have the ability, outside of emergency events as defined in Section 44 of the Rural Fires Act, to prevent the NSW Rural Fire Service from directing the use of the rural firefighting equipment by either not entering into a service agreement, or cancelling the existing signed service agreements
• councils have specific responsibilities for fire mitigation and safety works and bushfire hazard reduction under Part 4 of the Rural Fires Act. Councils obtain economic benefits from the rural firefighting equipment as these assets are used to fulfil councils’ responsibilities. In the event of the loss of an asset, the insurance proceeds must be paid into the New South Wales Rural Fire Fighting Fund (Section 119(4) of the Rural Fires Act) and be used to reacquire or build a similar asset, which is again vested in the councils as an asset provided free of charge.

Forty-three qualified audit opinions were issued on councils’ financial statements due to non-recognition of vested rural firefighting equipment

Fifty-nine (2020–21: 68) councils did not record rural firefighting equipment in their financial statements, of which 43 of the 146 completed audits of councils received qualified audit opinions on their 2022 financial statements due to non-recognition of rural firefighting equipment as assets within ‘Infrastructure, property, plant and equipment’ in their Statement of Financial Position at 30 June 2022. These qualifications took different forms depending on the circumstances surrounding the non-recognition.

A qualified audit opinion is issued when the auditor:

• having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements
• is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the possible effects of undetected misstatements on the financial statements are material but not pervasive.

Refer to Appendix three for a list of the 43 councils that received qualified audit opinions in 2021–22.

Forty of the 43 qualified audit opinions were modified because these councils imposed a limitation of scope on the audit regarding vested rural firefighting equipment

Forty out of the 43 councils that were issued a qualified audit opinion did not undertake procedures to confirm the completeness, accuracy, existence or condition of these assets. Nor had the councils performed procedures to identify the fair value of assets vested to them during the year.

Consequently, we were unable to determine the carrying values of vested rural firefighting equipment assets and related amounts that should be recorded and recognised in the councils’ 30 June 2022 financial statements.

This resulted in the audit opinions on these councils’ 30 June 2022 financial statements to be qualified, given the limitation on the scope of our audits.

The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.

Councils who have vested rural firefighting equipment should recognise these assets in their financial management systems and consider their condition and useful life.

Three councils’ audit opinions were qualified for material misstatement relating to rural firefighting equipment

Three councils undertook procedures to confirm the fair value of this equipment, including assets vested in it during the year, but did not recognise these assets in their financial statements. This omission was material to their financial statements and we issued a qualified audit opinion on these council’s financial statements.

Two councils‘ audit opinions were qualified for derecognising previously recognised rural firefighting equipment, and their accounting treatment upon derecognition

Two of the 43 councils that received qualified audit opinions, removed previously recognised rural firefighting equipment from their financial statements in 2021–22. These councils derecognised these assets through retained earnings, describing their previous treatment as an error. This treatment resulted in an additional qualification in the audit opinion.

There has been no change in the legal framework since these councils first recognised these assets, nor has there been any change in the relevant accounting standards impacting recognition of these assets. These councils’ previous recognition of these assets complied with the requirements of AASB 116 ‘Property, Plant and Equipment’. The derecognition of these assets and the related disclosures describing past practice as an error does not comply with AASB 108 ‘Accounting Policies, Changes in Accounting Estimates and Errors’.

Sixteen councils that did not record vested rural firefighting equipment did not receive qualified audit opinions. These councils had performed procedures to confirm that the value of these assets was not material to their financial statements

The remaining 16 councils that did not record rural firefighting equipment had performed procedures to determine the value of these assets was not material to the financial statements taken as a whole. While not material to the financial statements, and reported as an uncorrected error, these councils should nonetheless have recognised the equipment in their financial statements, which was vested to these councils under section 119(2) of the Rural Fires Act. There remains a risk that their stance on non-recognition may result in qualifications in the future if the amount becomes material to their financial statements, and raises the risk that these important assets are not being properly maintained and managed for operational purposes.

Forty-seven councils recognised their rural firefighting equipment, 14 of these for the first time

Forty-seven (2020–21: 41) councils recognised this equipment in their financial statements, highlighting the continuing inconsistency in recognition practices across the local government sector.

Fourteen councils recognised vested rural firefighting equipment in their financial statements for the first time in 2021–22.

The department should intervene to assess councils’ compliance with legislative responsibilities, standards and guidelines

The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include rural firefighting equipment that has been vested to councils under section 119(2) of the Rural Fires Act. The State Government has reconfirmed its view that rural firefighting equipment vested to councils under Section 119(2) of the Rural Fires Act is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control the rural firefighting equipment that has been vested to them. It is important to note that there are only two parties to the agreements that govern the use of vested rural firefighting equipment, leaving only two parties who would be considered to control this equipment – the NSW Rural Fire Service in the State sector, or councils in the local government sector.

Since 2017, the Audit Office has recommended that the Office of Local Government (OLG) and then the Department of Planning and Environment (the department) address the differing practices across the local government sector in accounting for rural firefighting equipment. In doing so, the Audit Office recommended that OLG should work with NSW Treasury to ensure there is a whole-of-government approach.

In 2021, having again considered the accounting position papers prepared by the respective stakeholders, the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We recommended that the department intervene when councils do not recognise vested rural firefighting equipment.

The department’s role includes assessing whether intervention is appropriate with respect to councils’ compliance with, and performance against legislative responsibilities, standards or guidelines. Given the law and the State’s clear position, it would appear that any council not recognising this equipment is non-compliant with the relevant Australian Accounting Standards.

Despite these repeated recommendations in our ‘Local Government 2021’ and ‘Planning and Environment 2022’ Auditor-General’s reports, the department has not been effective in resolving this issue. Forty-three of 146 completed audits of councils received qualified audit opinions on their 2022 financial statements. Sufficient time and engagement have been afforded to avoid these qualified audit opinions. This situation is unlikely to be resolved in the absence of regulatory intervention.

The department should now intervene to address this matter as a priority.

Removal of qualified audit opinion on Central Coast Council’s 2021–22 financial statements

In 2021–22 Central Coast Council addressed the issues that led to a qualified audit opinion in 2020–21 by having sufficient evidence to support the completeness and accuracy of the opening asset balances that were subject to audit qualification.

A qualified audit opinion was issued for the Central Coast Council’s 30 June 2021 financial statements because council was unable to provide sufficient appropriate evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets. Council had been unable to reconcile the asset data (technical asset register) used to value these assets to its financial records (fixed asset register) prior to the valuation.

Council addressed these issues in 2021–22 by performing a reconciliation of its 30 June 2021 technical asset register to its fixed asset register (pre-2021 valuation) and obtained an updated independent valuation of its roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets at 30 June 2021.

Emphasis of matter paragraphs were included in Gwydir Shire Council and Tenterfield Shire Council’s audit opinions relating to non-compliance with the LG Act

An emphasis of matter paragraph was included in the Independent Auditor’s Report to draw attention to non-compliance with the LG Act which the council self-disclosed in its financial statements.

The councils acknowledge they may have breached Sections 409 and 410 of the LG Act by accessing restricted funds without the required approvals.

Four audits are still in progress in 2021–22

The following four audits remain outstanding and the outcome will be reported in next year’s report to Parliament.

Errors identified through audits

Decrease in the number and dollar value of corrected errors identified

Our audits identified fewer corrected errors and the total dollar value of these errors was lower compared to the prior year. Corrected errors decreased from 246 errors in 2020–21, with a total value of $1.7 billion, to 217 errors with a total value of $1.3 billion in 2021–22.

It is important that councils perform robust reviews to minimise errors identified in financial statements. There were 18 councils (2020–21: 18 councils) where no errors were identified in their financial statements.

Corrected errors

A corrected error is an error identified by the auditor or council, which is subsequently corrected by council in the financial statements.

Of the 217 corrected errors identified in the 30 June 2022 financial statements, the common areas are summarised below.

Of the 217 corrected errors identified in the 30 June 2022 financial statements, corrected errors greater than $50 million were:

Fair value assessments highlighted material differences between the carrying values and fair value of infrastructure, property, plant and equipment

Infrastructure, property, plant and equipment (IPPE) represents a significant part of councils’ total assets. The majority of these assets are carried at fair value using current replacement cost as the valuation technique.

Comprehensive revaluations are performed generally over three to five-year cycles for IPPE with fair value assessments undertaken during the intervening years to determine whether the carrying amounts of the assets are materially different to fair value at each reporting date.

This year’s fair value assessments by the councils identified material departures between the carrying value and fair value of their IPPE assets since these assets were last comprehensively valued. This resulted in significant adjustments to the fair value of councils’ IPPE assets amounting to $3.2 billion across 54 councils.

The predominant driver of these valuation uplifts, specifically in buildings, was inflation of construction costs, which affected the Australian domestic economy more broadly over the past 12 months.

In some cases, audit procedures identified material differences between the carrying value and the fair value of councils’ asset, resulting in adjustments to the financial statements after the financial statements were submitted for audit. In some other cases, councils used indices that were less relevant or reliable to assess movements in fair value. These also required adjustments by councils.

Councils are responsible for the asset valuations included in their financial statements and are required to assess annually whether the carrying value of IPPE materially reflects fair value, the reasonableness of the useful lives applied and whether any assets are impaired.

An absence of appropriate evidence to support key judgements/assumptions used in this annual fair value assessment, or a lack of thorough quality assurance processes can delay the outcomes of a valuation and/or cause incorrect or unsupported valuations.

Given the ongoing inflationary environment, councils should bring forward the timing of annual fair value assessments or revaluation exercises. This is to ensure that the carrying values reported in the financial statements more accurately reflect fair value at each balance date.

Uncorrected errors

An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. There are various reasons why errors are not corrected, the most common being it is not material to the financial statements taken as a whole.

In 2020–21, 68 councils did not record vested rural firefighting equipment in their financial statements estimated to be $145 million, which were reported as uncorrected errors. In 2021–22, this issue resulted in 43 councils receiving qualified audit opinions on their 2022 financial statements. As previously noted, the uncorrected errors relating to these assets could not be accurately quantified for 40 of the 43 councils that received a qualified audit opinion, given the absence of council procedures to determine the value, condition or existence of these assets. The risk that these assets are not being properly maintained and managed for operational purposes also increases. We have not included the potential misstatements in relation to these unrecorded assets within the 2022 table of uncorrected errors.

Prior period errors

A prior period financial statement error is an error identified in the current year that relates to the previous year’s audited financial statements.

Of the 67 prior period errors, five were greater than $30 million. All these errors were asset related.

Of the 67 prior period errors, 50 were assets related that were identified in 31 councils. The common areas where prior period errors were identified are outlined below.

Seventy-nine per cent of the total prior period errors were asset related

The most common reasons councils cited when applying for extensions related to:

• resourcing issues
• resolving asset valuation issues
• accounting or other matters that required more time to resolve
• impacts from natural disasters including flood recovery.

Refer to Appendix four for details of the names of each council or joint organisation that received extensions.

More councils performed some early financial reporting procedures

Early close procedures allow financial reporting issues and risks to be addressed by management and audit early in the financial statement close process. Such procedures help to confirm that key controls over councils’ balances are carried out and that there is early dialogue with councils and the Audit Office on significant issues. This helps to improve the quality and timeliness of financial reporting.

Councils can work with the Audit Office to agree on key early close procedures and an agreed timetable to complete the procedures that can be audited before 30 June. This process will allow for audit observations and feedback on the early close outcomes in time for them to be considered in the year-end financial reporting process.

The intention of these procedures is to facilitate earlier preparation of councils’ financial statements as well as improve quality and minimise the risk of audit qualifications or errors in financial statements submitted to the Audit Office.

Early close plans should allow sufficient time for management review and involvement of Audit Risk and Improvement Committees.

Some early close procedures that councils should consider include:

• completing proforma financial statements and ensuring management has endorsed the statements and reviewed the supporting working papers
• performing and documenting an annual assessment of the fair value of IPPE, their useful lives, and the reasons why the carrying value was not materially different to the fair value. This assessment is performed between comprehensive revaluations
• completing the comprehensive revaluation of IPPE by an agreed early close date
• explaining all unresolved prior year audit issues, with a proposed action plan to resolve them
• documenting all significant management judgements and assumptions made when estimating transactions and balances
• reconciling all key account balances (including annual leave provisions) and clearing reconciling items
• supporting work papers evidencing how management has considered the requirements of new and updated accounting standards.

It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at the earlier finalisation of financial statements to both council and the regulator should be a priority.

Given the continued increase in the number of extensions granted by OLG for councils to lodge their audited financial statements, there is room for more to be done to improve the timeliness of financial reporting by councils. OLG should, after discussing policy changes with the key stakeholders within the sector to ensure benefits can be realised, require early close procedures. Early close procedures should prioritise early completion of infrastructure, property, plant and equipment fair value assessments, impairment assessments and comprehensive valuations before 30 June.

This year, 82% (2020–21: 59%) of councils performed at least some early financial reporting procedures, including:

• completing infrastructure, property, plant and equipment valuations before 30 June (45 councils, 2020–21: 42 councils)
• performing fair value assessments of infrastructure, property, plant and equipment (36 councils, 2020–21: 24 councils)
• preparing proforma financial statements and associated disclosures (46 councils, 2020–21: 25 councils)
• assessing the impact of material, complex and one-off significant transactions (49 councils, 2020–21: 26 councils)
• explaining all unresolved prior year audit issues, with an action plan proposed to resolve them (69 councils, 2020–21: 39 councils)
• assessing the continuing impact of significant new accounting standards adopted in prior years (43 councils, 2020–21: 58 councils).

While more councils performed some early financial reporting procedures prior to 30 June 2022, the number of councils performing early close procedures over infrastructure, property, plant and equipment valuations prior to year-end did not substantially increase. In a year where market forces have inflated the values of both assets and asset inputs, the absence of IPPE early close procedures caused avoidable delays and adjustments to many councils’ financial statements.

High-risk findings

Seven high-risk findings were reported at the following councils, including one new finding and six repeat findings elevated from moderate risk in 2020–21. All the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks. One new high-risk finding related to 2020–21.

Common findings

The common governance findings reported in audit management letters related to deficiencies in corporate governance policies, fraud controls and legislative compliance.

Key corporate governance policies were not in place or regularly updated at 62 councils

The common areas where councils were missing governance policies are summarised below.

Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.

Further issues were identified in contract management for 23 (2020–21: 30) councils. While contract management policies were in place for these councils, we identified deficiencies in their contract management practices or contract register management. There is an increased risk of non-compliance with the Government Information (Public Access) Act 2009 or contractual terms.

Deficiencies in fraud control processes at 20 councils

Twenty councils reported deficiencies in fraud control processes, an improvement from 34 councils reported in 2020–21.

The following fraud control deficiencies were reported in audit management letters.

Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.

Lack of legislative compliance policies or register at 21 councils

Twenty-one councils did not have a sufficient legislative compliance policy or register. This has decreased from 25 councils reported in 2020–21.

Legislative compliance frameworks assist councils to monitor compliance with key laws and regulations. This is important as councils provide a broad range of services to the community and are subject to many legal requirements. A legislative breach can attract penalties, impact service delivery and cause significant reputational damage.

Councils and joint organisations that do not currently have an ARIC should take action to ensure they comply with legislative requirements

Audit, Risk and Improvement Committees (ARIC) are an important contributor to good governance. They help councils to understand strategic risks and how they can mitigate them. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.

Without an effective ARIC, there is a lack of independent oversight on how council is functioning and managing risk.

The Office of Local Government has issued comprehensive ’Guidelines for Risk Management and Internal Audit for Local Government in NSW’ to assist councils and joint organisations to implement these requirements.

One hundred and nineteen councils have established an Audit, Risk and Improvement Committee as at 4 June 2022, as required under the LG Act

As at 30 June 2022, 31 councils or joint organisations have not established an ARIC at 30 June 2022. These councils have not complied with the requirements of the LG Act, but more importantly, a key governance mechanism is absent.

Under the LG Act, all councils and joint organisations were required to have an ARIC or to have entered into an arrangement with another council or joint organisation to share an ARIC from 4 June 2022.

In August 2021, the OLG issued draft ‘Guidelines for Risk Management and Internal Audit for Local Councils in NSW (the Guidelines)’, which has not been finalised. The Guidelines cover the requirements for ARICs (including membership), risk management framework and internal audit function.

Subsequent to the draft Guidelines, OLG and NSW Treasury agreed that the NSW Government’s Prequalification Scheme for Audit and Risk Committee Chairs and Members will not be suitable for use by councils and joint organisations. On 20 July 2022, OLG issued a Circular 22-21 ‘Update on membership requirements for audit, risk and improvement committees’, to confirm this agreement.

Under the new requirements, councils must ensure ARIC chairs and members meet the eligibility and independence requirements, as set out in the Guidelines, from 1 July 2024.

On 19 December 2022, the OLG issued a further circular to inform the sector that the draft guidelines have been approved but remain in draft until amendments to the supporting Local Government (General) Regulation 2021 (giving statutory force to elements of the Guidelines) come into force in 2023.

ARICs can be more effective in discharging all of their functions

ARICs could be more effective in discharging all of their functions and managing councils’ risks including:

• cyber risk management (refer to Section 3.10) including 25% of councils that have not communicated cyber risk with those charged with governance, including council ARICs
• tracking the progress of implementing recommendations from financial audits, performance audits and public inquires (refer to Section 3.1)
• prioritising tracking of repeat and high-risk audit findings. Fifty-two per cent of total audit findings reported in 2021–22 audit management letters were repeat or partial repeat findings from prior years (refer to Section 3.1)
• ensuring internal certification processes have occurred and reviewing the financial statements for completeness and accuracy. ARICs can play an important role in providing feedback on financial statements before they are submitted to audit as part of management’s quality review process. Sixty-seven (2021: 44) councils’ ARICs reviewed financial statements before submission to the Audit Office. Fifty-two (2021: 67) councils’ ARICs did not review financial statements before submission to the Audit Office. Only 28 (2021:16) ARICs obtained certification of effectiveness of internal controls from management to support the financial statements and information.
  
  As previously reported, there is an opportunity for OLG to issue guidance to councils to develop an internal control certification process as better practice. In the NSW state sector, Chief Financial Officers provide an annual certification as to the effectiveness of its systems, processes and internal controls for ensuring that financial information is relevant and reliable.

As at 30 June 2022, 119 councils have established an ARIC. Of the 119 councils, ten have a shared arrangement with other councils. Opportunities also exist for councils to gain efficiencies by increasing the number of shared ARICs where scale or geographical location makes it practicable to do so.

High-risk findings

High-risk findings, including two repeat findings, one new finding and four repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. Four of the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks.

Common findings

Common findings across councils include:

• Financial statements submitted for audit for 16 (2020–21: 30) councils contained numerous errors and disclosure deficiencies.
• Lack of preparation for the audit, such as having a financial reporting plan, impacted the timeliness of financial reporting at 18 (2020–21: 21) councils.
• Eight (2021: 11) councils had deficiencies in related parties’ policies and disclosure.

Further analysis and insights on financial reporting findings are detailed in Chapter 2 ‘Audit results’.

High-risk findings

Eight high-risk findings, including two new findings, four repeat findings and two repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. One new high-risk finding related to 2020–21.

Common findings

The common financial accounting findings reported in audit management letters related to deficiencies in key account reconciliations and processing of manual journal adjustments.

Lack of segregation of duties with manual journal adjustments at 12 councils

There was a lack of segregation of duties over the posting of manual journal adjustments to financial information at 12 councils. An independent review of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.

Key account reconciliations were not prepared in a timely manner or independently reviewed at 29 councils

Regular reconciliations of financial information, which are appropriately reviewed ensures timely identification of errors and facilitates a more efficient audit process. It was reported in audit management letters that:

• there was no evidence of independent review of key account reconciliations at 20 councils
• 15 councils did not reconcile all key balances in the financial statements in a timely manner.

High-risk findings

High-risk findings decreased from 69 to 55 in 2021–22, including 45 (2021: six) repeat findings and eight repeat moderate findings elevated to high risk. The decrease was mainly due to the drop of high-risk findings in relation to the non-recognition of rural firefighting equipment from 60 to 43.

Forty-three councils had a high-risk finding reported in their audit management letter relating to unrecorded vested rural firefighting equipment

Chapter 2 ‘Audit results’ reported 59 councils did not record rural firefighting equipment in their financial statements. This was reported as a high-risk finding for 43 councils in 2021–22. Sixteen councils that had high-risk findings in 2020–21 relating to the non-recognition of rural firefighting equipment addressed the issue in 2021–22 by performing procedures to determine that the value of these assets was not material.

Chapter 2 ‘Audit results’ includes more information on the recognition of rural firefighting equipment.

Other high-risk findings

Twelve (2020–21: nine) other high-risk findings predominantly related to data integrity of asset registers, fair value assessment of assets, asset valuation process, and provision for rehabilitation landfill sites. These were identified in the following councils.

Common findings

The common asset management findings reported in audit management letters related to deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.

Weak processes over maintenance, completeness and security of fixed asset registers at 52 councils

Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.

We continue to see weak processes over maintenance and security of fixed asset registers. There continues to be issues with accuracy and completeness of the asset register, duplication or missing assets, and asset registers not being reconciled with the asset management systems.

Prior period errors continue to predominately relate to the quality of asset records and asset revaluation errors such as found and duplicate assets.

Deficiencies in infrastructure asset revaluation processes at 53 councils

Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.

Deficiencies were identified in infrastructure asset valuations at 53 councils, including:

• inadequate documentation to support key assumptions and judgements applied including:
  • useful lives and condition assessments
  • unit rates used to value infrastructure assets
• incorrect classification of assets
• incorrect exclusion of some assets from valuations
• management not documenting their quality review over the asset valuation
• errors in annual fair value assessments when applying indices to adjust fair values/deficiencies in the annual fair value assessment process.

Opportunities for councils to improve the valuation process and perform valuations earlier

Performing asset valuations earlier gives time for management and auditors to complete all requirements before the financial statements are prepared and facilitates earlier sign offs. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results‘:

• 45 (2020–21: 42) councils completed infrastructure, property, plant and equipment valuations before 30 June 2022
• 36 (2020–21: 24) councils performed fair value assessments of infrastructure, property, plant and equipment.

Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:

Improvements to council landfill rehabilitation accounting practices required at 25 councils

Australian Accounting Standards require recognition of a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when it can be reliably measured. Such provisions should be annually reassessed for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.

Common findings identified in council landfill rehabilitation accounting practices include:

• no formal assessment of obligations to rehabilitate landfill sites
• insufficient documentation of provision calculations to support inputs, assumptions and key data for accounting of the provisions
• costs associated with post-closure, aftercare and monitoring of landfill sites in their provisions not included in the assessment.

High-risk findings

Two high-risk findings, both elevated from moderate risk in 2020–21, were reported at the following councils.

Common findings

The common purchases and payables findings reported in audit management letters related to controls around purchase orders, review of creditor information and deficiencies in credit card management practices.

Increase in number of councils with controls around purchase orders being absent or not enforced

At 35 (2020–21: 12) councils, we identified that employees could approve their own purchase orders. At 44 (2020–21: five) councils, we identified that purchase orders were approved without appropriate delegation. It is important there is segregation of duties and appropriate delegation in procurement to reduce the risk of fraud and misuse of public money.

Purchase orders were approved after the receipt of goods or services at 56 (2020–21: 28) councils. Purchase orders should be issued before requesting goods or services to reduce the risk of unauthorised transactions.

Insufficient review of changes to creditor information at 13 councils

Thirteen (2020–21: 29) councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Councils should review each change or perform a regular collective review of changes.

High-risk findings

One high-risk finding relating to payroll processes in 2021–22 (2020–21: nil) reported at the following council. The high-risk finding was a repeat issue elevated from moderate risk in 2020–21.

Common findings

The common payroll findings reported in audit management letters related to deficiencies in the review of employee payroll data and excessive annual leave balances.

Changes to employee payroll data are not reviewed at 16 councils

Sixteen councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils.

High-risk findings

Two high-risk findings, including one new finding and one repeat finding elevated from moderate risk in 2020–21, were reported at the following councils.

Common findings

The common cash and banking findings reported in audit management letters related to outdated bank signatories, the lack of segregation of duties in the cash handling process and the lack of security of payment files.

Outdated bank signatories at ten councils

Bank signatories are not being removed on a timely basis. Ten councils still had their former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.

Deficiencies in the cash handling processes at six councils

Deficiencies in the cash handling process were identified at six councils, including lack of daily cashier reconciliation and lack of segregation of duty. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.

Lack of security of payment files for pay runs at three councils

Three councils did not encrypt Electronic Funds Transfer payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.

High-risk findings

There were no high-risk findings related to revenue and receivable processes in 2021–22 (2020–21: nil).

Common findings

The common revenue and receivables findings reported in audit management letters related to deficiencies in the review of changes to fee tables and property data in council rates systems, and inappropriate revenue recognition practices.

Lack of review of changes to fee tables and property data in the rating system at 15 councils

Council systems contain fee tables and property information, which are used to determine rates and annual charges levied on different properties. Fifteen councils do not adequately review changes for accuracy and appropriateness. This increases the risk of errors in recording rates and annual charges in the financial statements.

Inappropriate revenue recognition at 16 councils

Sixteen councils had findings raised relating to their revenue recognition practices, including:

• no effective internal controls to ensure the completeness of revenue activities recorded
• deficiencies in grants recognition that resulted in misstatement in the financial statements
• use of cash accounting basis to recognise some revenue transactions, rather than accruals.

Deficiencies in revenue recognition practices resulted in 38 errors identified in councils’ financial statements, totalling $65.1 million.

High-risk findings

High-risk findings, including repeat and ongoing findings, were reported at the following councils. Increase in high-risk findings are due to a number of unresolved prior year’s moderate risk findings being reassessed as high risk. These repeat findings need to be resolved as a priority.

Common findings

The common IT findings reported in audit management letters related to deficiencies in IT policies and procedures, lack of a cyber security framework, and controls and gaps in user access management processes. This is consistent with what we reported in our ‘Local Government 2021’ report.

IT policies and procedures were outdated or not in place at 43 councils

Forty-three councils (2020–21: 59 councils) did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.

Lack of periodic user access review at 28 councils and insufficient control over privileged users at 46 councils

The following common access management findings were identified:

• 28 councils (2020–21: 42 councils) did not perform a periodic user access review to ensure users’ access to key IT systems were appropriate and commensurate with their roles and responsibilities.
• 46 councils (2020–21: 73 councils) had gaps in privileged users’ management process. This includes gaps in restriction of privileged users’ access or monitoring of the privileged users’ activity logs.

Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of unauthorised transaction or modification of sensitive data and transactions. The common findings above may be rated high-risk when there are no mitigating controls to prevent or detect any unauthorised transactions.

While the above two findings are considered as common findings across councils, we have noticed a significant improvement compared to last year with a 33% reduction in the number of councils with periodic user access review findings, and a 37% reduction in the number of councils with insufficient control over privileged users.

Cyber security frameworks and related internal controls were not in place at 63 councils

The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.

While there is currently no requirement for councils to comply with the NSW Government’s Cyber Security Policy, councils may find it useful to refer to the policy for further guidance.

Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:

• cyber security framework, policy and procedure
• register of cyber incidents
• simulated cyber attack testing (penetrations testing)
• cyber security training and awareness program.

Poor management of cyber security can expose councils to a broad range of risks, including:

• theft of corporate and financial information and intellectual property
• theft of money
• denial of service
• destruction of data
• costs of repairing affected systems, networks and devices
• legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
• third-party losses when personal information stored on government systems is used for criminal purposes.

Gaps in cyber security management in the local government sector have been continuously highlighted, since our Report on Local Government 2019 first recommended that the Office of Local Government (OLG) within the Department of Planning and Environment should develop a cyber security policy to ensure cyber security risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.

As of 19 December 2022, OLG has published Cyber Security Guidelines for NSW Local Government. OLG highlighted that councils can adopt the Guidelines or use them to form the basis of an internally developed cyber security policy. Adherence to the Guidelines is strongly recommended by OLG, but voluntary, with no requirement to report maturity scores to the OLG or to Cyber Security NSW.

Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cyber security plan, which may prevent them from implementing key cyber security controls. With no timeframes set for councils to create a cyber security plan or reporting requirements to the OLG, this further increase the risk that councils may have delays in the implementation of their cyber security controls.

The Cyber Security Guidelines were released by OLG after the 2021–22 financial audit period and hence the full impact of it to councils’ cyber security maturity is yet to be seen. However, the data we collected across all 150 councils and joint organisations, identified that at the time when the guidance from OLG was yet to be published, some councils had started developing their cyber security plans adopting guidance from the following sources:

• Cyber Security NSW
• the Australian Cyber Security Centre (ACSC)
• International Organization for Standardization (ISO standards)
• the National Institute of Standards and Technology (NIST)
• Payment Card Industry Data Security Standard (PCI DSS).

Cyber security management

Cyber security continues to be a sector-wide common audit finding among councils. However, we are seeing some improvements over the implementation of basic cyber security controls that we expect councils to have in place. Whilst our review shown below is limited to the high-level governance of cyber security implementation in local government, the improvements noted indicate that even though there was no formal policy/guidance published for councils at the time of our audit, some councils are working to improve gaps identified in their cyber security management.

Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place

Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.

In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW Local Government on 19 December 2022. The guidelines:

• allow councils to assess their cyber security maturity and their maturity uplift
• outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
• can be adopted by councils or used to form the basis of an internally developed cyber security policy
• are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.

We recommended that all councils should create/update a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.