Local Government 2022

Report highights

This report is about

Results of the local government sector financial statement audits for the year ended 30 June 2022.

What we found

Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' financial statements.

The financial audits for two councils and two joint organisations are in progress due to accounting issues.

Fifty-seven councils and joint organisations (2021: 41) required extensions to submit their financial statements to the Office of Local Government (OLG), within the Department of Planning and Environment (the department).

The audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficient books and records.

Qualified audit opinions were issued on 43 councils' financial statements due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. Forty-seven councils appropriately recognised this equipment.

What we recommended

Consistent with the NSW Government's accounting position and the department's role of assessing councils' compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise vested rural firefighting equipment.

The key issues

There were 1,045 audit findings reported to councils in audit management letters, with 52% being unresolved from prior years.

What we recommended

Councils need to track progress of implementing audit recommendations, giving priority to high-risk and repeat issues.

Ninety-three high-risk matters were identified across the sector mainly relating to asset management, information technology, financial accounting and council governance procedures.

Asset valuations

Audit management letters reported 267 findings relating to asset management. Fifty-three councils had deficiencies in processes that ensure assets are fairly stated.

What we recommended

Councils need to complete timely asset valuations (repeat recommendation).

Integrity and completeness of asset source records

Fifty-two councils had weak processes over the integrity of fixed asset registers.

What we recommended

Councils need to improve controls that ensure integrity of asset records (repeat recommendation).

Cybersecurity

Our audits found that 47% of councils did not have a cyber security plan.

What we recommended

All councils need to prioritise creation of a cyber security plan to ensure data and assets are safeguarded.

Fast facts

Key financial information

Auditor General's forward

Pursuant to the Local Government Act 1993 I am pleased to present my Auditor-General's report on Local Government 2022. My report provides the results of the 2021–22 financial audits of 126 councils, 11 joint organisations and nine county councils. The audits for two councils and two joint organisations are in progress due to significant accounting issues.

Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' 2021–22 financial statements. The statements for 43 councils were qualified due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. And the audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficiencies in books and records.

This year has again been challenging for many New South Wales local councils still recovering from the impact of emergency events and facing cost and resourcing pressures. We appreciate the efforts of council staff and management in meeting their financial reporting obligations. We share a mutual interest in raising the standard of financial management in this sector, and the importance of accurate and transparent reporting.

Disappointingly, accounting for the value of rural firefighting equipment vested in councils continued to be an unnecessary distraction and resulted in 43 councils having their financial statements qualified. We continue to recommend that the Office of Local Government should intervene where councils fail to comply with Australian Accounting Standards by not recognising assets vested to them under section 119(2) of the Rural Fires Act 1997.

Sound financial management is critical to councils' ability to instil trust and properly serve their communities. The recommendations in this report are intended to further improve their financial management and reporting capability, and encourage sound governance arrangements and cyber resilience. I am committed to continuing this work with councils in the 2022–23 year and beyond.

 

Margaret Crawford PSM

Auditor-General for New South Wales

1. Introduction

1.1 The local government sector

Local government is the third tier of government. It is established under state legislation, which defines the powers and geographical areas each council is responsible for.

At 30 June 2022, there were 128 local councils, 13 joint organisations and nine county councils in New South Wales.

Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths and drains, and enforce various laws. While core functions such as waste collection are similar across councils, the range of services each council provides can vary depending on the needs of each community.

County councils are formed for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.

Joint organisations (JO) are formed by councils in regional New South Wales. Core activities of JOs include regional strategic planning and priority setting, engaging in shared services with member councils, and regional advocacy and collaboration with the state and federal governments.

1.2 Financial audit

This report provides the results and findings of the completed 2021–22 financial audits of 126 councils, 11 joint organisations and nine county councils. The audits of two councils and two joint organisations are in progress as at the date of this report.

In preparing this report, our observations and analyses were drawn from:

  • audited financial statements
  • performance audit reports
  • data collected from councils
  • audit findings reported to councils in audit management letters.

Each local council has unique characteristics such as its size, location and services provided to their communities. To enable comparison, we divided councils into three categories – metropolitan, regional and rural. County councils and joint organisations are separately identified in the report.

Details of councils grouped into categories are provided in Appendix two.

1.3 Performance audit

Our performance audits assess whether the activities of government entities are being carried out effectively, economically, efficiently, and in compliance with relevant laws. Our mandate to conduct these audits is provided under the Local Government Act 1993 (LG Act).

Performance audits relevant to the local government sector in 2022–23 included:

Regulation and monitoring of local government

The Office of Local Government (OLG) within the Department of Planning and Environment (the department) is responsible for strengthening the local government sector, including through its regulatory functions.

Regulation and monitoring of local government assessed whether the OLG is effectively monitoring and regulating the sector under the Local Government Act 1993. The audit covered:

  • the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
  • whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

We found that the OLG does not conduct effective, proactive monitoring to enable timely risk-based responses to council performance and compliance issues. The OLG has not clearly defined and communicated its regulatory role to ensure that its priorities are well understood. The OLG does not routinely review the results of its regulatory activities to improve its approaches.

The department lacks an adequate framework to define, measure and report on the OLG’s performance, limiting transparency and its accountability. The OLG’s new strategic plan presents an opportunity for the OLG to better define, communicate, and deliver on its regulatory objectives.

We recommended that the OLG should:

  • publish a tool to support councils to self-assess risks and report on their performance and compliance
  • ensure its council engagement strategy is consistent with its regulatory approach
  • report each year on its regulatory activities and performance
  • publish a calendar of its key sector support and monitoring activities
  • enhance processes for internally tracking operational activities
  • develop and maintain a data management framework
  • review and update frameworks and procedures for regulatory responses.

Development applications: assessment and determination stages

Local councils in New South Wales are responsible for assessing local and regional development applications. Most development applications are assessed and determined by council staff under delegated authority. However, some development applications must be referred to independent local planning panels, or Sydney and regional planning panels for determination. Councils provide support to local planning panels. The Department of Planning and Environment provides support to Sydney and regional planning panels.

Development applications: assessment and determination stages assessed whether Byron Shire Council, Northern Beaches Council and The Hills Shire Council had effectively assessed and determined development applications in compliance with legislative and other requirements.

It also assessed whether The Hills Shire Council, Northern Beaches Council and the Department of Planning and Environment had provided effective support to relevant independent planning panels.

All councils had established clear roles, responsibilities and delegations for assessment and determination of development applications and had also established processes to ensure quality of assessment reports.

Northern Beaches Council and The Hills Shire Council have established comprehensive approaches to considering and managing risks related to development assessment.

Northern Beaches Council’s approach to publishing its assessment reports promotes transparency. Across a sample of development applications assessed and determined between 2020–22:

  • Northern Beaches Council and The Hills Shire Council had assessed and determined applications in compliance with legislative and other requirements. However, The Hills Shire Council could do more to transparently document any conflicts of interest within assessment reports.
  • Byron Shire Council had assessed most applications in compliance with legislative and other requirements. However, we found opportunities for the council to:
    • ensure determinations were made in line with delegations
    • strengthen its approach to transparent management of conflicts of interest and quality review of assessments.

The Hills Shire Council and Northern Beaches Council had effectively supported their respective local planning panels.

The Department of Planning and Environment had processes that meet requirements for supporting regional planning panels but could do more to promote consistency in approach, share information across panels and measure the effectiveness of its support.

We made four recommendations to Byron Shire Council and four recommendations to the Department of Planning and Environment and one recommendation to The Hills Shire Council to address the gaps identified and improve the transparency of development assessment processes.

Planning and managing bushfire equipment

This Planning and managing bushfire equipment audit assessed the effectiveness of the NSW Rural Fire Service (RFS) and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression.

We found that the RFS has focused its fleet development activity on modernising and improving the safety of its firefighting fleet, and on the purchase of new firefighting aircraft. There is limited evidence that the RFS has undertaken strategic fleet planning or assessment of the capability of the firefighting fleet to respond to current bushfire events or emerging fire risks. The RFS does not have an overarching strategy to guide its planning, procurement, or distribution of the firefighting fleet. The RFS does not have effective oversight of fleet maintenance activity across the State, and is not ensuring the accuracy of District Service Agreements with local councils, where maintenance responsibilities are described.

We recommended that by December 2023, the Rural Fire Service should:

  • develop a fleet enhancement framework and strategy that is informed by an assessment of current fleet capability, and research into appropriate technologies to respond to emerging fire risks
  • develop performance measures to assess the performance and capabilities of the fleet in each RFS District by recording and publicly reporting on fire response times, fire response outcomes, and completions of fire hazard reduction works
  • report annually on fleet allocations to RFS Districts, and identify the ways in which fleet resources align with district-level fire risks
  • develop a strategy to ensure that local brigade volunteers are adequate in numbers and appropriately trained to operate fleet appliances in RFS Districts where they are required
  • establish a fleet maintenance framework to ensure regular update of District Service Agreements with local councils
  • review and improve processes for timely recording of fleet asset movements, locations, and maintenance status.

Cyber Security NSW: governance, roles and responsibilities

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This Cyber Security NSW: governance, roles and responsibilities audit assessed the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government’s cyber resiliency. The audit asked:

  • Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
  • Are Cyber Security NSW’s roles and responsibilities defined and understood across the public sector?

We recommended the Department of Customer Service, by 30 June 2023, should:

  • implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
  • ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
  • ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
  • develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders.

The following local government performance audit reports are either planned or in progress with an expectation to complete them in 2023–24:

  • Financial management and governance in MidCoast Council
    Under the LG Act, councils must apply sound financial management principles that require responsible and sustainable spending and investment and ensure that future decisions consider intergenerational effects and equity. This audit will assess whether MidCoast Council has effective financial management arrangements that support councillors and management to fulfill their financial stewardship responsibilities.
  • Cyber security in local government
    The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm local government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent. This audit will consider how effectively City of Parramatta Council, Singleton Council and Warrumbungle Shire Council identify and manage cyber security risks.

2. Audit results

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting audit results of councils and joint organisations.

Section highlights

  • Ninety-three councils and joint organisations (2020–21: 109) lodged audited financial statements with OLG by the statutory deadline of 31 October.
  • More councils received extensions. Fifty-seven councils and joint organisations (2020–21: 41) received extensions to submit audited financial statements to OLG.
  • Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils 2021–22 financial statements.
  • A disclaimer of audit opinion was issued to Kiama Municipal Council relating to the 30 June 2021 financial statements.
  • The audits of two councils and two joint organisations are still in progress as at the date of this report due to significant accounting issues.
  • Qualified audit opinions were issued for 43 councils (2020–21: one) due to non-recognition of rural firefighting equipment vested to councils under the Rural Fires Act 1997 in their financial statements. Forty-seven councils appropriately recognised this equipment.
  • Since 2017, the Audit Office of New South Wales has recommended that OLG address the different practices across the local government sector in accounting for the rural firefighting equipment. Despite repeated recommendations, the OLG has not been effective in resolving this issue.
  • The OLG within the department should now intervene where councils do not recognise rural firefighting equipment.
  • The total number of errors and total dollar values (including corrected and uncorrected) in the financial statements decreased compared to prior year.
  • Eighty-two per cent of councils performed some early financial reporting procedures (2020–21: 59%). We continue to recommend that OLG should require early close procedures across the local government sector.

2.1 Quality of financial reporting

The Auditor-General is required under the LG Act to issue an audit opinion on the following reports prepared by councils.

Indicators of quality financial reporting include:

  • unqualified audit opinions
  • the number of errors in financial statements
  • timeliness in preparing financial statements.

Audit opinions

Unqualified audit opinions were issued for 103 councils and joint organisations

We issued a total of 146 audit opinions on councils and joint organisations 2021–22 financial statements as at the date of this report. One hundred and three councils and joint organisations received unqualified audit opinions for their 30 June 2022 financial statements audits. For these councils sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement, and were prepared in accordance with Australian Accounting Standards and the LG Act.

A disclaimed audit opinion was issued to Kiama Municipal Council relating to its 30 June 2021 financial statements

A disclaimer of opinion was issued for the 30 June 2021 financial statements of the Kiama Municipal Council.

A disclaimed audit opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence upon which to form an opinion on the council’s financial statements, and the auditor concludes that the possible effects of undetected misstatements in the financial statements could be both material and pervasive.

Councillors and management declared, in the Statement required by Councillors and Management (the Statement) under Section 413(2)(c) of the LG Act, that they were unable to certify as to the completeness and reliability of the financial statements taken as a whole for the year ended 30 June 2021.

In the period leading up to the preparation of the 30 June 2021 financial statements council implemented a new financial management information system. However, data was lost during the migration from the legacy system to the new system. During the implementation council also experienced high rates of staff turnover. The combination of these factors contributed to the loss of both data and corporate knowledge. As a result, there was insufficient data to support a significant number of financial statement line items, and the staff who might have provided explanations had left council’s employment.

There was an inadequate system of internal control to support accurate financial reporting and to mitigate the risk of fraud. Council’s accounting records were insufficient to support reliable reporting or comply with legislative obligations.

The deficiencies in books and records, which have been acknowledged by councillors and management in their Statement, mean we have been unable to obtain sufficient appropriate audit evidence or perform alternative testing procedures to enable us to conclude on the completeness and accuracy of the council’s financial statements as a whole.

Non-recognition of rural firefighting equipment by councils was the single largest source of error within council financial statements

While 47 (2020–21: 41) councils recognised the rural firefighting equipment vested to them in their financial statements, including 14 councils that recognised the equipment for the first time, inconsistent and non-compliant practices regarding recognition of this equipment persist across the local government sector.

The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.

Councils that have rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997 (Rural Fires Act), should recognise these assets in their financial management systems, as well as considering their condition and useful life.

As previously reported in Local Government 2021 and Planning and Environment 2022 Auditor-General’s reports (tabled in NSW Parliament on 22 June 2022 and 15 December 2022 respectively), the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We further reported in ‘Local Government 2021’ that the non-recognition of this equipment may impact the financial statement audit opinions of those councils.

These assets are controlled by the councils and should be recognised as assets in accordance with AASB 116 ‘Property, Plant and Equipment’. Australian Accounting Standards refer to control of an asset as being the ability to direct the use of, and obtain substantially all of the remaining benefits from, the asset. Control includes the ability to prevent other entities from directing the use of, and obtaining the benefits from an asset.

Rural firefighting equipment is controlled by councils as:

  • these assets are vested in the council under Section 119(2) of the Rural Fires Act, giving councils legal ownership
  • councils have the ability, outside of emergency events as defined in Section 44 of the Rural Fires Act, to prevent the NSW Rural Fire Service from directing the use of the rural firefighting equipment by either not entering into a service agreement, or cancelling the existing signed service agreements
  • councils have specific responsibilities for fire mitigation and safety works and bushfire hazard reduction under Part 4 of the Rural Fires Act. Councils obtain economic benefits from the rural firefighting equipment as these assets are used to fulfil councils’ responsibilities. In the event of the loss of an asset, the insurance proceeds must be paid into the New South Wales Rural Fire Fighting Fund (Section 119(4) of the Rural Fires Act) and be used to reacquire or build a similar asset, which is again vested in the councils as an asset provided free of charge.

Forty-three qualified audit opinions were issued on councils’ financial statements due to non-recognition of vested rural firefighting equipment

Fifty-nine (2020–21: 68) councils did not record rural firefighting equipment in their financial statements, of which 43 of the 146 completed audits of councils received qualified audit opinions on their 2022 financial statements due to non-recognition of rural firefighting equipment as assets within ‘Infrastructure, property, plant and equipment’ in their Statement of Financial Position at 30 June 2022. These qualifications took different forms depending on the circumstances surrounding the non-recognition.

A qualified audit opinion is issued when the auditor:

  • having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements
  • is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the possible effects of undetected misstatements on the financial statements are material but not pervasive.

Refer to Appendix three for a list of the 43 councils that received qualified audit opinions in 2021–22.

Forty of the 43 qualified audit opinions were modified because these councils imposed a limitation of scope on the audit regarding vested rural firefighting equipment

Forty out of the 43 councils that were issued a qualified audit opinion did not undertake procedures to confirm the completeness, accuracy, existence or condition of these assets. Nor had the councils performed procedures to identify the fair value of assets vested to them during the year.

Consequently, we were unable to determine the carrying values of vested rural firefighting equipment assets and related amounts that should be recorded and recognised in the councils’ 30 June 2022 financial statements.

This resulted in the audit opinions on these councils’ 30 June 2022 financial statements to be qualified, given the limitation on the scope of our audits.

The continued non-recognition of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.

Councils who have vested rural firefighting equipment should recognise these assets in their financial management systems and consider their condition and useful life.

Three councils’ audit opinions were qualified for material misstatement relating to rural firefighting equipment

Three councils undertook procedures to confirm the fair value of this equipment, including assets vested in it during the year, but did not recognise these assets in their financial statements. This omission was material to their financial statements and we issued a qualified audit opinion on these council’s financial statements.

Two councils‘ audit opinions were qualified for derecognising previously recognised rural firefighting equipment, and their accounting treatment upon derecognition

Two of the 43 councils that received qualified audit opinions, removed previously recognised rural firefighting equipment from their financial statements in 2021–22. These councils derecognised these assets through retained earnings, describing their previous treatment as an error. This treatment resulted in an additional qualification in the audit opinion.

There has been no change in the legal framework since these councils first recognised these assets, nor has there been any change in the relevant accounting standards impacting recognition of these assets. These councils’ previous recognition of these assets complied with the requirements of AASB 116 ‘Property, Plant and Equipment’. The derecognition of these assets and the related disclosures describing past practice as an error does not comply with AASB 108 ‘Accounting Policies, Changes in Accounting Estimates and Errors’.

Sixteen councils that did not record vested rural firefighting equipment did not receive qualified audit opinions. These councils had performed procedures to confirm that the value of these assets was not material to their financial statements

The remaining 16 councils that did not record rural firefighting equipment had performed procedures to determine the value of these assets was not material to the financial statements taken as a whole. While not material to the financial statements, and reported as an uncorrected error, these councils should nonetheless have recognised the equipment in their financial statements, which was vested to these councils under section 119(2) of the Rural Fires Act. There remains a risk that their stance on non-recognition may result in qualifications in the future if the amount becomes material to their financial statements, and raises the risk that these important assets are not being properly maintained and managed for operational purposes.

Forty-seven councils recognised their rural firefighting equipment, 14 of these for the first time

Forty-seven (2020–21: 41) councils recognised this equipment in their financial statements, highlighting the continuing inconsistency in recognition practices across the local government sector.

Fourteen councils recognised vested rural firefighting equipment in their financial statements for the first time in 2021–22.

Recommendation to councils (repeat issue)

Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2023 financial reporting purposes.

Consistent with the requirements of the Australian Accounting Standards, councils should recognise this equipment as assets in their 30 June 2023 financial statements.

The department should intervene to assess councils’ compliance with legislative responsibilities, standards and guidelines

The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include rural firefighting equipment that has been vested to councils under section 119(2) of the Rural Fires Act. The State Government has reconfirmed its view that rural firefighting equipment vested to councils under Section 119(2) of the Rural Fires Act is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control the rural firefighting equipment that has been vested to them. It is important to note that there are only two parties to the agreements that govern the use of vested rural firefighting equipment, leaving only two parties who would be considered to control this equipment – the NSW Rural Fire Service in the State sector, or councils in the local government sector.

Since 2017, the Audit Office has recommended that the Office of Local Government (OLG) and then the Department of Planning and Environment (the department) address the differing practices across the local government sector in accounting for rural firefighting equipment. In doing so, the Audit Office recommended that OLG should work with NSW Treasury to ensure there is a whole-of-government approach.

In 2021, having again considered the accounting position papers prepared by the respective stakeholders, the Audit Office of New South Wales advised councils and the department that any council not recognising this equipment is not complying with the requirements of the Australian Accounting Standards. We recommended that the department intervene when councils do not recognise vested rural firefighting equipment.

The department’s role includes assessing whether intervention is appropriate with respect to councils’ compliance with, and performance against legislative responsibilities, standards or guidelines. Given the law and the State’s clear position, it would appear that any council not recognising this equipment is non-compliant with the relevant Australian Accounting Standards.

Despite these repeated recommendations in our ‘Local Government 2021’ and ‘Planning and Environment 2022’ Auditor-General’s reports, the department has not been effective in resolving this issue. Forty-three of 146 completed audits of councils received qualified audit opinions on their 2022 financial statements. Sufficient time and engagement have been afforded to avoid these qualified audit opinions. This situation is unlikely to be resolved in the absence of regulatory intervention.

The department should now intervene to address this matter as a priority.

Recommendation to the department (repeat issue)

Consistent with the NSW Government’s accounting position on control of vested rural firefighting equipment and the department’s role to assess councils’ compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise rural firefighting equipment vested to them under section 119(2) of the Rural Fires Act.

Removal of qualified audit opinion on Central Coast Council’s 2021–22 financial statements

In 2021–22 Central Coast Council addressed the issues that led to a qualified audit opinion in 2020–21 by having sufficient evidence to support the completeness and accuracy of the opening asset balances that were subject to audit qualification.

A qualified audit opinion was issued for the Central Coast Council’s 30 June 2021 financial statements because council was unable to provide sufficient appropriate evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets. Council had been unable to reconcile the asset data (technical asset register) used to value these assets to its financial records (fixed asset register) prior to the valuation.

Council addressed these issues in 2021–22 by performing a reconciliation of its 30 June 2021 technical asset register to its fixed asset register (pre-2021 valuation) and obtained an updated independent valuation of its roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets at 30 June 2021.

Emphasis of matter paragraphs were included in Gwydir Shire Council and Tenterfield Shire Council’s audit opinions relating to non-compliance with the LG Act

An emphasis of matter paragraph was included in the Independent Auditor’s Report to draw attention to non-compliance with the LG Act which the council self-disclosed in its financial statements.

The councils acknowledge they may have breached Sections 409 and 410 of the LG Act by accessing restricted funds without the required approvals.

Council Reason
Gwydir Shire Council
  • Council’s inability to determine whether they had a negative unrestricted cash position between 1 July 2022 to 30 September 2022 represents a breach of Section 409(3) of the LG Act.
  • Council is unable to verify that funds raised by special rates or charges were not used to pay for general fund expenses between 1 July 2022 to 30 September 2022.
  • Council acknowledges it may have used restricted special rates and charges funds for purposes other than their intended use, without ministerial approval. Such unapproved use would not comply with Section 410(3) of the LG Act.
Tenterfield Shire Council
  • Council’s negative unrestricted cash balance from 1 July 2021 to March 2022 represents a breach of Section 409(3) of the LG Act.
  • Council is unable to verify that funds raised by special rates or charges were not used to pay for general fund expenses during the year ended 30 June 2022.
  • Council acknowledges it may have used restricted special rates and charges funds for purposes other than their intended use, without ministerial approval. Such unapproved use would not comply with Section 410(3) of the LG Act.

Four audits are still in progress in 2021–22

The following four audits remain outstanding and the outcome will be reported in next year’s report to Parliament.

Council Reason
Canberra Region Joint Organisation Resolving accounting issues, delays in submission of the draft financial statements for audit.
Hunter Joint Organisation Resolving issues relating to going concern assessment by seeking financial support agreement with member councils.
Narrabri Shire Council Resourcing constraints impacted by high turnover of senior staff.
Resolving accounting issues relating to impairment and remediation of flood damage. Delays in providing evidence to support the recognition status of assets including land, intangibles and RFS buildings.
Kiama Municipal Council The commencement of the 2021–22 audit was delayed given the late completion of the 2020–21 audit in April 2023. The 2020–21 was delayed due to significant accounting issues and council responding to Performance Improvement Orders issued by the Minister for Local Government.

Errors identified through audits

Decrease in the number and dollar value of corrected errors identified

Our audits identified fewer corrected errors and the total dollar value of these errors was lower compared to the prior year. Corrected errors decreased from 246 errors in 2020–21, with a total value of $1.7 billion, to 217 errors with a total value of $1.3 billion in 2021–22.

It is important that councils perform robust reviews to minimise errors identified in financial statements. There were 18 councils (2020–21: 18 councils) where no errors were identified in their financial statements.

Corrected errors

A corrected error is an error identified by the auditor or council, which is subsequently corrected by council in the financial statements.

Corrected errors By council type (2022 only)
Year ended 30 June 2022 2021 Metro Regional Rural County JO
Less than $250,000 61 66 3 10 25 12 11
$250,000 to $500,000 22 37 3 5 13 1 --
$500,000 to $1 million 31 38 4 12 14 1 --
$1 million to $5 million 62 69 13 35 12 2 --
$5 million to $15 million 26 19 4 20 2 -- --
$15 million to $30 million 4 4 3 1 -- -- --
$30 million to $50 million 7 6 3 3 1 -- --
$50 million and greater 4 7 1 3 -- -- --
Total number of errors 217 246 34 89 67 16 11
Total value of errors ($ million) 1,268 1,686 355 817 91 5 --

Source: Engagement Closing Reports issued by the Audit Office.

Of the 217 corrected errors identified in the 30 June 2022 financial statements, the common areas are summarised below.

Common areas of corrected errors Number of errors
Poor record keeping of asset data, such as:
  • unrecorded assets controlled by council (including found assets)
  • assets recorded that are no longer controlled by council
  • duplicate assets
  • assets incorrectly classified.
42
Asset revaluation errors, such as:
  • incorrect data provided to the valuer
  • inappropriate valuation assumptions applied (for example, inappropriate unit rates, valuations did not reflect the physical and legislative restrictions on these assets, or impairment indicators not assessed)
  • inaccurate calculations derived from the revaluation work paper
  • incorrect recording of revaluation or impairment adjustments.
42
Incorrect accounting for liabilities and accruals. 48

Of the 217 corrected errors identified in the 30 June 2022 financial statements, corrected errors greater than $50 million were:

Council Description of corrected error
Inner West Council Council’s revaluation process identified newly found assets (roads, footpath, kerb, gutter, bulk earthwork and other road assets) of $71.8 million at 1 July 2020, that had not been previously recognised in the financial statements.
Maitland City Council Council undertook a revaluation of its infrastructure assets including a condition assessment. The fair value recognised in the financial statements inadvertently did not contain the impact of the condition assessment. This resulted in a $54.2 million increase to the value of the assets.
Shellharbour City Council Council’s review of its accounting for the Shell Cove project identified $117.9 million of Marina assets controlled by the council, which had not been recognised in the financial statements.
Shoalhaven City Council Management had not reflected the updated revaluation impacts on all infrastructure, property, plant and equipment (IPPE) asset classes within its financial statements. Council subsequently corrected these revaluation adjustments for various asset classes within IPPE, amounting to $288.6 million.

Fair value assessments highlighted material differences between the carrying values and fair value of infrastructure, property, plant and equipment

Infrastructure, property, plant and equipment (IPPE) represents a significant part of councils’ total assets. The majority of these assets are carried at fair value using current replacement cost as the valuation technique.

Comprehensive revaluations are performed generally over three to five-year cycles for IPPE with fair value assessments undertaken during the intervening years to determine whether the carrying amounts of the assets are materially different to fair value at each reporting date.

This year’s fair value assessments by the councils identified material departures between the carrying value and fair value of their IPPE assets since these assets were last comprehensively valued. This resulted in significant adjustments to the fair value of councils’ IPPE assets amounting to $3.2 billion across 54 councils.

The predominant driver of these valuation uplifts, specifically in buildings, was inflation of construction costs, which affected the Australian domestic economy more broadly over the past 12 months.

In some cases, audit procedures identified material differences between the carrying value and the fair value of councils’ asset, resulting in adjustments to the financial statements after the financial statements were submitted for audit. In some other cases, councils used indices that were less relevant or reliable to assess movements in fair value. These also required adjustments by councils.

Councils are responsible for the asset valuations included in their financial statements and are required to assess annually whether the carrying value of IPPE materially reflects fair value, the reasonableness of the useful lives applied and whether any assets are impaired.

An absence of appropriate evidence to support key judgements/assumptions used in this annual fair value assessment, or a lack of thorough quality assurance processes can delay the outcomes of a valuation and/or cause incorrect or unsupported valuations.

Given the ongoing inflationary environment, councils should bring forward the timing of annual fair value assessments or revaluation exercises. This is to ensure that the carrying values reported in the financial statements more accurately reflect fair value at each balance date.

Uncorrected errors

An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. There are various reasons why errors are not corrected, the most common being it is not material to the financial statements taken as a whole.

Uncorrected errors By council type (2022 only)
Year ended 30 June 2022 2021 Metro Regional Rural County JO
Less than $250,000 97 88 11 9 65 6 6
$250,000 to $500,000 47 44 5 14 27 1 --
$500,000 to $1 million 34 37 12 10 12 -- --
$1 million to $5 million 38 68 13 18 6 -- 1
$5 million to $15 million 5 6 3 1 1 -- --
Total number of errors 221 243 44 52 111 7 7
Total value of errors ($ million) 158 238 72 54 28 1 3

Source: Engagement Closing Reports issued by the Audit Office.

In 2020–21, 68 councils did not record vested rural firefighting equipment in their financial statements estimated to be $145 million, which were reported as uncorrected errors. In 2021–22, this issue resulted in 43 councils receiving qualified audit opinions on their 2022 financial statements. As previously noted, the uncorrected errors relating to these assets could not be accurately quantified for 40 of the 43 councils that received a qualified audit opinion, given the absence of council procedures to determine the value, condition or existence of these assets. The risk that these assets are not being properly maintained and managed for operational purposes also increases. We have not included the potential misstatements in relation to these unrecorded assets within the 2022 table of uncorrected errors.

Prior period errors

A prior period financial statement error is an error identified in the current year that relates to the previous year’s audited financial statements.

Prior period errors By council type (2022 only)
Year ended 30 June 2022 2021 Metro Regional Rural County JO
Less than $250,000 6 4 -- 3 2 -- 1
$250,000 to $500,000 1 2 -- 1 -- -- --
$500,000 to $1 million 6 4 -- 1 5 -- --
$1 million to $5 million 29 11 11 3 14 1 --
$5 million to $15 million 12 19 6 4 1 1 --
$15 million to $30 million 8 6 6 1 1 -- --
$30 million to $50 million 2 4 1 1 -- -- --
$50 million and greater 3 4 2 1 -- -- --
Total number of errors 67 54 26 15 23 2 1
Total value of errors ($ million) 627 777 395 163 56 13 --

Source: Engagement Closing Reports issued by the Audit Office.

Of the 67 prior period errors, five were greater than $30 million. All these errors were asset related.

Council Description of prior period error
Lake Macquarie City Council Council did not recognise $38.2 million non-cash contributions of assets in the year in which they were dedicated to the council. This understated both capital contribution revenue and assets in the prior years.
Inner West Council Council’s revaluation of infrastructure assets identified $71.8 million of assets controlled by the council at 1 July 2020, which had not been recognised in the financial statements.
Shellharbour City Council Council’s review of its accounting for the Shell Cove project identified assets controlled by the council, which had not been recognised in the financial statements amounting to $54.3 million.
Central Coast Council Council’s comprehensive valuation of Community Recreation Services (open space) assets, and reconciliation between technical and fixed asset registers identified assets controlled by the council that had not been recognised in the financial statements amounting to $43.6 million.
Council’s updated revaluation process for 2020–21 and internal reconciliation between the technical and fixed asset registers, identified corrections to the valuation of roads, drainage, water and sewer assets amounting to $102 million.

Of the 67 prior period errors, 50 were assets related that were identified in 31 councils. The common areas where prior period errors were identified are outlined below.

Seventy-nine per cent of the total prior period errors were asset related

Common prior period errors Number of errors
Poor record keeping of asset data, such as:
  • unrecorded assets controlled by council
  • assets recorded that are no longer controlled by council
  • duplicate assets
  • assets incorrectly classified.
42
Assets revaluation errors, such as:
  • incorrect data provided to the valuer
  • valuation assumptions that were not appropriate (for example, inappropriate unit rates applied, valuations did not reflect the physical and legislative restrictions on these assets, or impairment indicators not assessed)
  • inaccurate calculations derived from the revaluation work paper
  • incorrect recording of revaluation or impairment adjustments.
8

 

2.2 Timeliness of financial reporting

The LG Act requires councils to submit their audited financial reports to OLG by the statutory deadline of 31 October or apply for an extension.

Sixty-two per cent of councils lodged their audited financial statements by the statutory deadline

Of the 146 councils for which we have issued Independent Audit Reports:

  • 93 councils (2020–21: 109 councils) met the statutory deadline
  • 53 councils (2020–21: 41 councils) received one or more extension to lodge their audited financial statements at a later date.

Refer to Appendix three for further details.

The number of extensions received by councils increased from 41 in 2020–21 to 57 in 2021–22

Fifty-seven councils and joint organisations (2021: 41) applied for, and received an extension to, lodge their audited financial statements at a later date. Twenty-three (2020–21: 15) councils applied for more than one extension.

Fewer councils met the statutory lodgement deadline in 2021–22. Many councils continued to face challenges responding to the impacts of natural disasters (floods and droughts) and resourcing constraints.

The reasons that councils and joint organisations sought extensions to submit their financial statements after the statutory deadline are shown below.

Source: Council extension letters submitted to OLG.

The most common reasons councils cited when applying for extensions related to:

  • resourcing issues
  • resolving asset valuation issues
  • accounting or other matters that required more time to resolve
  • impacts from natural disasters including flood recovery.

Refer to Appendix four for details of the names of each council or joint organisation that received extensions.

More councils performed some early financial reporting procedures

Early close procedures allow financial reporting issues and risks to be addressed by management and audit early in the financial statement close process. Such procedures help to confirm that key controls over councils’ balances are carried out and that there is early dialogue with councils and the Audit Office on significant issues. This helps to improve the quality and timeliness of financial reporting.

Councils can work with the Audit Office to agree on key early close procedures and an agreed timetable to complete the procedures that can be audited before 30 June. This process will allow for audit observations and feedback on the early close outcomes in time for them to be considered in the year-end financial reporting process.

The intention of these procedures is to facilitate earlier preparation of councils’ financial statements as well as improve quality and minimise the risk of audit qualifications or errors in financial statements submitted to the Audit Office.

Early close plans should allow sufficient time for management review and involvement of Audit Risk and Improvement Committees.

Some early close procedures that councils should consider include:

  • completing proforma financial statements and ensuring management has endorsed the statements and reviewed the supporting working papers
  • performing and documenting an annual assessment of the fair value of IPPE, their useful lives, and the reasons why the carrying value was not materially different to the fair value. This assessment is performed between comprehensive revaluations
  • completing the comprehensive revaluation of IPPE by an agreed early close date
  • explaining all unresolved prior year audit issues, with a proposed action plan to resolve them
  • documenting all significant management judgements and assumptions made when estimating transactions and balances
  • reconciling all key account balances (including annual leave provisions) and clearing reconciling items
  • supporting work papers evidencing how management has considered the requirements of new and updated accounting standards.

Recommendation (repeat)

OLG should consider requiring early close procedures across the local government sector.

It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at the earlier finalisation of financial statements to both council and the regulator should be a priority.

Given the continued increase in the number of extensions granted by OLG for councils to lodge their audited financial statements, there is room for more to be done to improve the timeliness of financial reporting by councils. OLG should, after discussing policy changes with the key stakeholders within the sector to ensure benefits can be realised, require early close procedures. Early close procedures should prioritise early completion of infrastructure, property, plant and equipment fair value assessments, impairment assessments and comprehensive valuations before 30 June.

This year, 82% (2020–21: 59%) of councils performed at least some early financial reporting procedures, including:

  • completing infrastructure, property, plant and equipment valuations before 30 June (45 councils, 2020–21: 42 councils)
  • performing fair value assessments of infrastructure, property, plant and equipment (36 councils, 2020–21: 24 councils)
  • preparing proforma financial statements and associated disclosures (46 councils, 2020–21: 25 councils)
  • assessing the impact of material, complex and one-off significant transactions (49 councils, 2020–21: 26 councils)
  • explaining all unresolved prior year audit issues, with an action plan proposed to resolve them (69 councils, 2020–21: 39 councils)
  • assessing the continuing impact of significant new accounting standards adopted in prior years (43 councils, 2020–21: 58 councils).

While more councils performed some early financial reporting procedures prior to 30 June 2022, the number of councils performing early close procedures over infrastructure, property, plant and equipment valuations prior to year-end did not substantially increase. In a year where market forces have inflated the values of both assets and asset inputs, the absence of IPPE early close procedures caused avoidable delays and adjustments to many councils’ financial statements.

3. Key audit findings

A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.

This chapter outlines the overall trends in governance and internal controls across councils and joint organisations in 2021–22.

Financial audits focus on key governance matters and internal controls supporting the preparation of councils’ financial statements. Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues are reported to management and those charged with governance through audit management letters. These letters include our observations, related implications, recommendations and risk ratings.

Section highlights

  • Total number of audit findings reported in audit management letters decreased from 1,277 in 2020–21 to 1,045 in 2021–22.
  • Total number of high-risk audit findings increased from 92 in 2021–21 to 93 in 2021–22. Forty-three (2020–21: 60) of the high-risk findings in 2021–22 related to the non-recognition of vested rural firefighting equipment in councils’ financial statements.
  • Ninety per cent of total high-risk findings in 2021–22 were repeat findings. Thirty-two per cent of these high-risk findings were escalated from unactioned moderate risk findings in 2020–21.
  • Fifty-two per cent (2020–21: 53%) of findings reported in audit management letters were repeat or partial repeat findings. We continue to recommend councils and those charged with governance track progress of implementing recommendations from our audits.
  • Governance, asset management and information technology comprise over 65% (2020–21: 62%) of findings and continue to be key areas requiring improvement. Eleven per cent of these findings were high risk in 2021–22.
  • A number of repeat recommendations were made relating to asset valuations and integrity of asset data records, in response to the findings that:
    • 52 (2021: 67) councils had weak processes over maintenance, completeness and security of fixed asset registers
    • 53 (2021: 58) councils had deficiencies in their processes to revalue infrastructure assets.
  • Sixty-three (2021: 65) councils have yet to implement basic governance and internal controls to manage cyber security. We recommended that all councils should create a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.

Total number of findings reported in audit management letters decreased

The following shows the overall findings of the 2021–22 audits reported in management letters compared with the previous year.

* Includes two findings relating to the 2020–21 audit finalised after ‘Local Government 2021’ was published.

Findings are classified as new, repeat or ongoing, based on:

  • new findings first reported in 2021–22 audits
  • repeat findings first reported in prior year audits, but remain unresolved in 2021–22
  • ongoing findings first reported in prior year audits, but the action due dates to address the findings are after 2021–22.

In rating the risk of audit findings, we assess the likelihood and consequence of the finding having regard to the length of time the issue remains unresolved. The lack of timeliness in resolving issues may indicate systemic issues and/or poor governance practices that warrant an increase in the consequence level. The longer the risk remains unresolved, the greater the chance the weakness could be exploited, or an adverse event or events could occur. As such, unresolved or unaddressed issues from prior periods are reassessed annually. This reassessment may lead to an increase in the risk rating adopted.

Findings are categorised as:

  • governance
  • financial reporting
  • financial accounting
  • asset management*
  • purchases and payables
  • payroll
  • cash and banking
  • revenue and receivables
  • information technology.
* Accounting for the recording and valuation of assets in accordance with Accounting Standards.

The following table shows the breakdown of audit findings of the 2021–22 audits based on the defined categories and risk ratings.

Category Total findings High Moderate Low
Governance 177 8 112 57
Financial reporting 42 7 27 8
Financial accounting 66 9 37 20
Asset management 267 55 165 47
Purchases and payables 77 2 49 26
Payroll 82 1 40 41
Cash and banking 29 2 12 15
Revenue and receivables 69 -- 31 38
Information technology 236 9 178 49
Total 1,045* 93* 651 301

* Includes two findings relating to the 2020–21 audit finalised after the ‘Local Government 2021’ was published.

The high-risk and common audit findings across these areas are explored further in this chapter.

3.1 Sector-wide common audit findings

Status of previous report recommendations

Our previous reports to Parliament focusing on Local Government made recommendations to all councils and to the Department of Planning and Environment. The current status of implementation of our recommendations is summarised as below, as well as relevant audit findings in 2021–22.

Recommendations to councils Current status  
Accounting for and full stocktake of rural firefighting equipment

Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes.

Consistent with the requirements of the Australian Accounting Standards, councils should recognise this equipment as assets in their 30 June 2022 financial statements.

We continue to recommend that councils recognise vested rural firefighting equipment (repeat recommendation)

Not addressed

One hundred and six of the 146 completed audits of councils received rural firefighting equipment in 2021–22. Sixty-six councils have performed a full stocktake of these assets and 40 councils did not. Forty-seven councils recognised these assets in their 2021–22 financial statements.

As reported in Section 2.1 of this report, 59 councils did not record rural firefighting equipment in their financial statements and 43 of these councils received qualified audit opinions because councils did not recognise rural firefighting equipment or because councils had not performed stocktake procedures to confirm the existence, condition and value of these assets.

Sixteen councils did not record rural firefighting equipment, but had performed procedures to support their assertion that the carrying amount was not material to the financial statements. These councils received unqualified audit opinions.
Three councils’ stocktakes of rural firefighting equipment confirmed that the unrecognised balance of this equipment was material resulting in a qualified audit opinion.

Asset valuations
Councils should have all comprehensive asset revaluations completed
by April of the financial year subject to audit.
Councils should:
  • have a project plan in place to manage the asset valuation process
  • include in the plan a timetable with deliverables and dates
  • consider in the plan the scope of asset valuations, timing and engagement with internal and external stakeholders (for example, using an expert) managing the timing of deliverables and quality review of the outputs.

We continue to recommend that councils complete asset valuations before financial year-end to help avoid issues with the revaluation process (repeat recommendation)

Sixty-nine of the 146 completed audits of councils have at least partially implemented these recommendations in 2021–22
(35 councils have fully implemented our recommendation and 34 councils have partially addressed our recommendation).

In 2021–22 we identified a total of 267 (2021: 288) findings that related to asset management. Further, we identified that 53 (2021: 58) councils had deficiencies in their annual process to ensure their assets are stated at fair value.

Common issues in annual fair value assessments and in comprehensive revaluations include:

  • inadequate documentation to support key assumptions and judgements applied including useful lives and condition assessments and unit rates used to value infrastructure assets
  • indexation adjustments to fair value/deficiencies in the annual fair value assessment process
  • inaccurate calculations derived from the revaluation work paper
  • incorrect classification of assets
  • incorrect exclusion of some assets from valuations    
  • management not documenting their quality review over asset valuations 
  • valuations commencing too late in the financial year and delaying the preparation of the financial statements.    

Council’s financial statements contained corrected errors relating to asset valuations:    

  • 28 (2020–21: 35) councils corrected 42 (2020–21: 45) errors relating to asset valuations that amounted to $832 million (2021: $1 billion)    
  • 6 (2020–21: 13) councils had 8 (2020–21: 18) prior period errors relating to asset revaluations that amounted to $140 million ($253 million).    
Not addressed
Improvements to controls and processes over asset source records

Councils need to improve controls and processes to ensure integrity and completeness of asset source records.

Councils should:

  • perform timely and regular reconciliations of the fixed asset register to source data records to the general ledger
  • perform regular review of capital works in progress to identify assets ready for use and capitalise these timely
  • improve communication and processes between finance and asset/engineering units as this will improve the accuracy and completeness of asset data and the understanding of asset movements required to be updated to councils’ source records
  • implement processes to ensure developer contributed assets are recorded and valued in a timely manner once controlled by the council.

We continue to recommend that councils improve controls and processes to ensure integrity and completeness of asset source records (repeat recommendation)

Not addressed

One hundred and six of 146 completed audits of councils have at least partially addressed these recommendations in 2021–22. Sixty-six councils have fully addressed our recommendations and 40 councils have partially addressed our recommendations.

Fifty-two (2021: 67) councils had weak processes over maintenance, completeness and security of fixed asset registers as reported in Section 3.5 below.

Common issues identified include:

  • inaccurate and incomplete data in asset registers such as duplicate or missing assets
  • fixed asset registers for additions and disposals were not regularly updated
  • asset registers were not maintained in a secure format.

As reported in Chapter 2, ‘Audit results’, 28 (2020–21: 19)
councils had 42 (2020–21: 27) prior period financial statement errors amounting to $439.1 million (2020–21: $417.1 million). These were related to the accuracy and completeness of asset records, such as found and duplicate assets.

Forty-two (2020–21: 46) corrected errors from 31 councils, amounting to $243.1 million (2020–21: $102.1 million), relate to poor record keeping of asset data, such as:

  • unrecorded assets controlled by council
  • assets recorded that are no longer controlled by council
  • duplicate assets
  • assets incorrectly classified.
Tracking recommendations
Councils and those charged with governance should track the progress of implementing recommendations from financial audits, performance audits and public inquiries.

More councils are tracking audit recommendations. Councils should focus on tracking audit recommendations and prioritise high-risk repeat issues

Not addressed

One hundred and twenty-two of 146 completed audits of councils have at least partially addressed these recommendations in 2021–22. Ninety-eight councils have fully addressed this recommendation and track progress of implementing recommendations from financial audits, performance audits and public inquiries. Twenty-four councils partially addressed our recommendation by not tracking all recommendations covering financial audits, performance audits and public inquiries.

Given 52% (2020–21: 53%) of total findings reported in 2021–22 audit management letters were repeat or partial repeat findings from prior years, councils need to focus on tracking audit recommendations, giving priority to high-risk repeat issues. 

The department should intervene where councils do not recognise rural firefighting equipment
Consistent with the department’s role to assess council’s compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise rural firefighting equipment.

We continue to recommend that the department should intervene where councils do not recognise vested rural firefighting equipment (repeat recommendation)

Not addressed

Since 2017, the Audit Office has recommended that the OLG and then the department address the different practices across the local government sector in accounting for rural firefighting equipment. In doing so, the Audit Office recommended that OLG should work with NSW Treasury to ensure there is a whole-of-government approach. NSW Treasury has articulated and communicated its clear position.
In 2021, the Audit Office of New South Wales advised councils and the department that not recognising this equipment is
non-compliant with the Australian Accounting Standards. We recommended that the department should intervene when councils do not recognise rural firefighting equipment.

It is the department’s role to assess whether intervention is appropriate with respect to councils’ compliance with and performance against legislative responsibilities, standards or guidelines.

Despite these repeated recommendations in our ‘Local Government 2021’ and ‘Planning and Environment 2022’ Auditor-General’s reports, the department has not been effective in resolving this issue. Forty-three of 146 completed audits of councils received qualified audit opinions on their 2022 financial statements in relation to this issue.

It is our view that this situation is unlikely to be resolved in the absence of regulatory intervention and the department should now intervene to address this matter as a priority.
Refer to Section 2.1 for further information on this issue.

Early close procedures
OLG should require early close procedures across the local government sector by 30 April 2023.

We continue to recommend that OLG consider requiring early close procedures across the local government sector (repeat recommendation)

Not addressed
Potential policy requirements requiring early close procedures have not been discussed with key stakeholders, nor have requirements to perform early close procedures been communicated by OLG to councils and joint organisations as at the date of this report.
Legal framework
In our Report on Local Government 2020, we recommended OLG should clarify the legal framework relating to restrictions of water, sewerage and drainage funds (restricted reserves) by either seeking an amendment to the relevant legislation or by issuing a policy instrument to remove ambiguity from the current framework. This recommendation has not been implemented. Not addressed

Cyber security management

Poor management of cyber security can expose councils to a broad range of risks, including financial loss, reputational damage and breaches of data involving the unauthorised release of sensitive data and personally identifiable information.

The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.

A lack of cyber security maturity continues to be a sector-wide common audit finding among councils.

Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:

  • cyber security framework, policy and procedure
  • register of cyber incidents
  • simulated cyber attack testing (penetration testing)
  • cyber security training and awareness program.

Refer to Section 3.10 ‘Information technology’ for further details on gaps identified in cyber security management.

Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place

Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.

In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW local government on 19 December 2022. The guidelines:

  • allow councils to assess their cyber security maturity and their maturity uplift
  • outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
  • can be adopted by councils or used to form the basis of an internally developed cyber security policy
  • are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.

Sixty-nine councils (47% of councils) do not have a formal cyber security plan. These councils need to prioritise creation of a cyber security plan, based on the OLG’s Cyber Security Guidelines for NSW Local Government, in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. All councils should update their cyber security plans based on the guidelines.

The risks associated with poor cyber security maturity are compounded by information technology control weaknesses and poor information systems security hygiene. Our findings in relation to these deficiencies are detailed in Section 3.10 of this report.

Recommendation to councils

All councils need to prioritise and create a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded.

Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.

3.2 Governance

Governance is the framework of rules, processes and systems that enables organisations to achieve goals and comply with legal requirements. Good governance promotes public confidence and satisfaction in councils’ operations. Key governance areas include appropriate accountability mechanisms, operational and financial risk management, and fraud prevention.

Governance findings decreased from 214 to 177

Audit management letters reported 177 findings relating to governance (2020–21: 214 findings). Sixty-three per cent (2021: 65%) were repeat or partial repeat findings.

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

Seven high-risk findings were reported at the following councils, including one new finding and six repeat findings elevated from moderate risk in 2020–21. All the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks. One new high-risk finding related to 2020–21.

Council Description
2021–22 findings
Coonamble Shire Council (repeat finding, elevated from moderate to high risk in 2021–22)

Council does not have a documented legislative compliance policy, legislative compliance register, risk management policy, fraud control plan, cyber risk policy or framework. Council’s fraud control policy was last updated in 2005 and council has not undertaken a fraud control risk assessment.

Lismore City Council (repeat finding, elevated
from moderate to high risk in 2021–22)
Council does not have a centralised legislative compliance register. Council does not have formalised process for allocating compliance responsibility or identifying and monitoring instances of non-compliance.
Brewarrina Shire Council (repeat finding, elevated from moderate to high risk in 2021–22)

Council does not have a documented legislative compliance policy, council-wide risk register, fraud control plan, cyber risk policy or framework. Council’s public interest disclosure policy has not been reviewed since 2013.

Council did not undertake a fraud control health check, cyber security penetration testing, or fraud awareness and cyber security training.

Gwydir Shire Council
(one repeat finding elevated from moderate to high-risk in 2021–22 and one new finding)

Council is in the process of completing the fraud control health check and fraud risk assessment. However, there is no fraud control policy or plan and no fraud awareness training has been conducted.

Council was unable to determine whether they spent restricted funds for unrestricted purposes during 2021–22, without the appropriate approvals under the LG Act (new finding).

Cootamundra-Gundagai Regional Council (repeat finding, elevated
from moderate to high-risk in 2021–22)
Council does not have a formal legislative compliance policy or legislative compliance register to capture and report on its compliance with key legislation.
Tamworth Regional Council (repeat finding, elevated from moderate to high-risk in
2021–22)
Council does not have a fraud control plan to manage potential fraud risk. However, Council performed a fraud risk assessment in June 2021.
2020–21 findings*
Kiama Municipal Council

The council should continue to develop strategies to:

  • ensure it maintains sufficient liquidity
  • regularly review and update cash flow projections using the best available data and relevant assumptions
  • avoid using externally restricted cash for other purposes, or seek the Minister’s permission, where required
  • regularly report its cash flow position and projections to those charged with governance.

* This audit was finalised on 20 April 2023 after the ‘Local Government 2021’ report was published.

Common findings

The common governance findings reported in audit management letters related to deficiencies in corporate governance policies, fraud controls and legislative compliance.

Key corporate governance policies were not in place or regularly updated at 62 councils

The common areas where councils were missing governance policies are summarised below.

Area of corporate governance with absent or outdated policies Number of councils
Risk management 15
Contract management 13
Business continuity plan 19
Gifts and benefits 5
Public interest disclosures 7
Other policies not formally adopted or subject to timely review 31

Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.

Further issues were identified in contract management for 23 (2020–21: 30) councils. While contract management policies were in place for these councils, we identified deficiencies in their contract management practices or contract register management. There is an increased risk of non-compliance with the Government Information (Public Access) Act 2009 or contractual terms.

Deficiencies in fraud control processes at 20 councils

Twenty councils reported deficiencies in fraud control processes, an improvement from 34 councils reported in 2020–21.

The following fraud control deficiencies were reported in audit management letters.

Fraud control deficiencies Number of councils
Council did not provide fraud awareness training to staff 7
Council did not perform a fraud risk assessment 9
Council did not have a fraud and corruption prevention policy, or it was outdated 10
Council did not require staff to provide annual attestations to the Code of Conduct 8

Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.

Lack of legislative compliance policies or register at 21 councils

Twenty-one councils did not have a sufficient legislative compliance policy or register. This has decreased from 25 councils reported in 2020–21.

Legislative compliance frameworks assist councils to monitor compliance with key laws and regulations. This is important as councils provide a broad range of services to the community and are subject to many legal requirements. A legislative breach can attract penalties, impact service delivery and cause significant reputational damage.

Councils and joint organisations that do not currently have an ARIC should take action to ensure they comply with legislative requirements

Audit, Risk and Improvement Committees (ARIC) are an important contributor to good governance. They help councils to understand strategic risks and how they can mitigate them. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.

Without an effective ARIC, there is a lack of independent oversight on how council is functioning and managing risk.

The Office of Local Government has issued comprehensive ’Guidelines for Risk Management and Internal Audit for Local Government in NSW’ to assist councils and joint organisations to implement these requirements.

One hundred and nineteen councils have established an Audit, Risk and Improvement Committee as at 4 June 2022, as required under the LG Act

As at 30 June 2022, 31 councils or joint organisations have not established an ARIC at 30 June 2022. These councils have not complied with the requirements of the LG Act, but more importantly, a key governance mechanism is absent.

Under the LG Act, all councils and joint organisations were required to have an ARIC or to have entered into an arrangement with another council or joint organisation to share an ARIC from 4 June 2022.

In August 2021, the OLG issued draft ‘Guidelines for Risk Management and Internal Audit for Local Councils in NSW (the Guidelines)’, which has not been finalised. The Guidelines cover the requirements for ARICs (including membership), risk management framework and internal audit function.

Subsequent to the draft Guidelines, OLG and NSW Treasury agreed that the NSW Government’s Prequalification Scheme for Audit and Risk Committee Chairs and Members will not be suitable for use by councils and joint organisations. On 20 July 2022, OLG issued a Circular 22-21 ‘Update on membership requirements for audit, risk and improvement committees’, to confirm this agreement.

Under the new requirements, councils must ensure ARIC chairs and members meet the eligibility and independence requirements, as set out in the Guidelines, from 1 July 2024.

On 19 December 2022, the OLG issued a further circular to inform the sector that the draft guidelines have been approved but remain in draft until amendments to the supporting Local Government (General) Regulation 2021 (giving statutory force to elements of the Guidelines) come into force in 2023.

ARICs can be more effective in discharging all of their functions

ARICs could be more effective in discharging all of their functions and managing councils’ risks including:

  • cyber risk management (refer to Section 3.10) including 25% of councils that have not communicated cyber risk with those charged with governance, including council ARICs
  • tracking the progress of implementing recommendations from financial audits, performance audits and public inquires (refer to Section 3.1)
  • prioritising tracking of repeat and high-risk audit findings. Fifty-two per cent of total audit findings reported in 2021–22 audit management letters were repeat or partial repeat findings from prior years (refer to Section 3.1)
  • ensuring internal certification processes have occurred and reviewing the financial statements for completeness and accuracy. ARICs can play an important role in providing feedback on financial statements before they are submitted to audit as part of management’s quality review process. Sixty-seven (2021: 44) councils’ ARICs reviewed financial statements before submission to the Audit Office. Fifty-two (2021: 67) councils’ ARICs did not review financial statements before submission to the Audit Office. Only 28 (2021:16) ARICs obtained certification of effectiveness of internal controls from management to support the financial statements and information.

    As previously reported, there is an opportunity for OLG to issue guidance to councils to develop an internal control certification process as better practice. In the NSW state sector, Chief Financial Officers provide an annual certification as to the effectiveness of its systems, processes and internal controls for ensuring that financial information is relevant and reliable.

As at 30 June 2022, 119 councils have established an ARIC. Of the 119 councils, ten have a shared arrangement with other councils. Opportunities also exist for councils to gain efficiencies by increasing the number of shared ARICs where scale or geographical location makes it practicable to do so.

3.3 Financial reporting

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making is enhanced when financial reporting is accurate and timely.

Financial reporting findings decreased from 83 to 42

Audit management letters reported 42 findings relating to financial reporting (2020–21: 83 findings). Fifty-five per cent (2021: 45%) were repeat or partial repeat findings.

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

High-risk findings, including two repeat findings, one new finding and four repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. Four of the six 2020–21 high-risk findings were resolved or reclassified to moderate risk in 2021–22 as management has taken action to mitigate the risks.

Council Description
2021–22 findings  
Central Coast Council (repeat finding) While noting improvements in the quality and timeliness of the financial statements and supporting work papers provided to audit, the financial statements required amendments to correct material monetary misstatements and disclosure deficiencies.
Cootamundra-Gundagai Regional Council (repeat finding, elevated
from moderate to high risk in 2021–22)
The supporting work papers for the financial statements provided to audit were significantly delayed and contained errors and omissions causing delays to the audit process.
Edward River Council (repeat finding, elevated from moderate to high-risk in 2021–22) Quality and timeliness of financial statements and supporting work papers needs improvement. Several amendments were required which delayed the audit process and required council to seek extensions with OLG.
Hilltops Council
(repeat finding elevated from moderate to high risk in 2021–22)
While noting improvements in timeliness of responses to most of the audit requests, there were delays with some supporting documentation for the comprehensive valuations of IPPE, the going concern assessment and bank confirmation differences.
Shoalhaven City Council (repeat finding) Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies, and working papers did not satisfactorily reconcile to the financial statements.
Queanbeyan-Palerang Regional Council
(new finding)
Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies.
Murray River Council  (repeat finding, elevated from moderate to high risk in 2021–22) Quality and timeliness of financial statements and supporting work papers needs improvement. The financial statements required amendment to correct misstatements and disclosure deficiencies. These matters led to delays and inefficiencies in the audit process and required council to seek extensions with OLG.

Common findings

Common findings across councils include:

  • Financial statements submitted for audit for 16 (2020–21: 30) councils contained numerous errors and disclosure deficiencies.
  • Lack of preparation for the audit, such as having a financial reporting plan, impacted the timeliness of financial reporting at 18 (2020–21: 21) councils.
  • Eight (2021: 11) councils had deficiencies in related parties’ policies and disclosure.

Further analysis and insights on financial reporting findings are detailed in Chapter 2 ‘Audit results’.

3.4 Financial accounting

Financial accounting refers to the processes adopted by management to record and review financial information across the business. Councils use a combination of manual and automated processes and digital information systems to process financial information. Effective processes support the accuracy and completeness of information presented in the financial statements.

Financial accounting findings decreased from 79 to 66

Audit management letters reported 66 findings relating to financial accounting (2020–21: 79 findings). Fifty per cent (2021: 38%) were repeat or partial repeat findings.

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

Eight high-risk findings, including two new findings, four repeat findings and two repeat findings elevated from moderate risk in 2020–21, were reported at the following councils. One new high-risk finding related to 2020–21.

Council Description
2021–22 findings  
Cootamundra-Gundagai Regional Council (repeat finding, elevated
from moderate to high risk in 2021–22)
Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review.
Hilltops Council (new finding)

Council’s initial going concern assessment was inadequate and did not sufficiently support cash flow forecasts and management’s modelling assumptions.

Snowy Monaro Regional Council
(three findings - two repeat and one new finding)

Council continued to face financial sustainability pressure in 2021–22.

To meet day-to-day operational requirements, council may have used its internally allocated funds, which are decreasing. Management did not provide a detailed cash flow forecast by 28 February 2022, as agreed in response to our recommendation in the prior year’s management letter.

Management used a high-level cash flow forecast to support its going concern assessment. However, it did not assess the appropriateness of the cash flow assumptions it used in that forecast, nor did it proactively monitor the level of restricted and unrestricted cash balances throughout the year.

Council’s financial accounting processes and controls had the following deficiencies (new finding):

  • month-end procedural checklist was not followed and reviewed
  • lack of segregation of duties in processing manual journals
  • reconciliations were not always prepared and reviewed in a timely manner
  • status and analysis of balance sheet items were not included in the monthly management reports or the quarterly business review statement
  • monthly reports on capital projects was not prepared
  • 2020–21 trial balance was not rolled forward to 2021–22 in a timely manner due to discrepancies.
Dungog Shire Council (repeat finding)

Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review.

MidCoast Council (repeat finding)

 

Council did not perform monthly general ledger reconciliations during 2021–22. Management was not able to validate the reasons behind some immaterial unreconciled balances.

Orange City Council (repeat finding, elevated from moderate to high risk in 2021–22) Council lacks segregation of duties over the processing of manual journals. Manual journals can be prepared and posted to the system by the same employee without an independent review. There is no automated audit trail showing the preparer and approver of journals.
2020–21 findings*  
Kiama Municipal Council

Councillors and management were unable to attest as to whether the financial statements were a true and fair representation of the council’s financial position and performance. As a result, we issued a Disclaimer of Opinion over the council’s financial statements. The factors that led to this relate primarily to the loss of data and supporting documentation from an earlier migration of the financial management information system and significant staff turnover, which led to a loss of corporate knowledge.


* This audit was finalised on 20 April 2023 after the ‘Local Government 2021’ report was published.

Common findings

The common financial accounting findings reported in audit management letters related to deficiencies in key account reconciliations and processing of manual journal adjustments.

Lack of segregation of duties with manual journal adjustments at 12 councils

There was a lack of segregation of duties over the posting of manual journal adjustments to financial information at 12 councils. An independent review of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.

Key account reconciliations were not prepared in a timely manner or independently reviewed at 29 councils

Regular reconciliations of financial information, which are appropriately reviewed ensures timely identification of errors and facilitates a more efficient audit process. It was reported in audit management letters that:

  • there was no evidence of independent review of key account reconciliations at 20 councils
  • 15 councils did not reconcile all key balances in the financial statements in a timely manner.

3.5 Asset management

Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as recording and valuing assets in accordance with Accounting Standards.

Asset management findings decreased from 288 to 267

Audit management letters reported 267 findings relating to asset management (2020–21: 288 findings). Fifty-nine per cent (157 findings) (2020–21: 39%, 112 findings) were repeat or partial repeat findings.

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

High-risk findings decreased from 69 to 55 in 2021–22, including 45 (2021: six) repeat findings and eight repeat moderate findings elevated to high risk. The decrease was mainly due to the drop of high-risk findings in relation to the non-recognition of rural firefighting equipment from 60 to 43.

Forty-three councils had a high-risk finding reported in their audit management letter relating to unrecorded vested rural firefighting equipment

Chapter 2 ‘Audit results’ reported 59 councils did not record rural firefighting equipment in their financial statements. This was reported as a high-risk finding for 43 councils in 2021–22. Sixteen councils that had high-risk findings in 2020–21 relating to the non-recognition of rural firefighting equipment addressed the issue in 2021–22 by performing procedures to determine that the value of these assets was not material.

2021–22 councils with high-risk findings on unrecorded rural firefighting equipment
Bathurst Regional Council Cootamundra-Gundagai Regional Council Lachlan Shire Council Tamworth Regional Council
Bega Valley Shire Council Dungog Shire Council Leeton Shire Council Temora Shire Council
Bellingen Shire Council Edward River Council Lockhart Shire Council Tenterfield Shire Council
Bland Shire Council Federation Council Mid‑Western Regional Council Tweed Shire Council
Blayney Shire Council Forbes Shire Council Moree Plains Shire Council Upper Lachlan Shire Council
Byron Shire Council Glen Innes Severn Council Murray River Council Wagga Wagga City Council
Cabonne Council Greater Hume Shire Council Murrumbidgee Council Warrumbungle Shire Council
Carrathool Shire Council Griffith City Council Queanbeyan‑Palerang Regional Council Weddin Shire Council
Cessnock City Council Hilltops Council Snowy Monaro Regional Council Wollondilly Shire Council
Clarence Valley Council Junee Shire Council Snowy Valleys Council Yass Valley Council
Coolamon Shire Council Kempsey Shire Council Sutherland Shire Council  

Chapter 2 ‘Audit results’ includes more information on the recognition of rural firefighting equipment.

Other high-risk findings

Twelve (2020–21: nine) other high-risk findings predominantly related to data integrity of asset registers, fair value assessment of assets, asset valuation process, and provision for rehabilitation landfill sites. These were identified in the following councils.

Council Description
2021–22 findings  
Central Coast Council (repeat issue) Council’s initial fair value assessment of IPPE did not consider the most relevant data/indices. This resulted in material corrections to the financial statements.
Cobar Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) Council did not formally assessed its provision for rehabilitation of landfill sites in prior years and was required to revisit the key assumptions in the estimates including timeframes, costs and type/nature of the landfill cells.
Subsequently, council revised the assumptions within the 2019 independent valuation estimate and recognised a provision for rehabilitation of landfill sites in its 30 June 2022 financial statements.
Dubbo Regional Council (repeat finding, elevated from moderate to high risk in 2021–22)

Issues identified with asset revaluations and management processes:

  • Comprehensive revaluations for some asset classes (land improvement depreciable and non-depreciable and other assets) have not been performed since 2010. Subsequently, corrections were made to reflect current replacement cost in the 2021–22 financial statements.
  • Fair value assessment requires improvements and more robust quality review.
  • Accounting records for many asset classes include capital work in progress balances, requiring manual intervention to disaggregate, reconcile, and review asset movements for purposes of disclosure in the financial statements.
Leeton Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) Council’s fixed asset register, which contains the financial records supporting IPPE, is maintained within Microsoft Excel spreadsheets, rather than and IT application.
Murrumbidgee Council (repeat finding, elevated from moderate to high risk in 2021–22) Council does not recognise the cost for asset remediation as a provision for the tip sites and quarries. Council disclosed this as a contingency in its financial statements as it was unable to reliably estimate the financial cost of such work and did not have a formal landfill and environmental management plan.
Gwydir Shire Council (repeat finding, elevated from moderate to high risk in 2021–22) Council’s fair value and impairment assessment for its IPPE assets is inadequate and resulted in material amendments to the 30 June 2022 financial statements.
Hilltops Council
(repeat finding, elevated from moderate to high risk in 2021–22)
Council does not have documented evidence of its assessment of the cost estimates and remaining useful life of its tip and quarry sites, used in its rehabilitation provision.
Orange City Council (repeat finding, elevated from moderate to high risk in 2021–22) Council’s fair value and impairment assessment for its IPPE assets is inadequate and resulted in material amendments to the 30 June 2022 financial statements.
Shoalhaven City Council (repeat finding, elevated from moderate to
high-risk in 2021–22)

Council’s fair value and impairment assessment for its IPPE assets is inadequate. Also:

  • Comprehensive valuations for land improvements and other infrastructure were not completed timely.
  • Prior period errors were identified for unrecorded Crown Land and ‘found’ assets.
  • Fully depreciated assets were still in use.
  • Comprehensive revaluation of other structures, swimming pools and open space/recreational asset classes not performed for more than five years.
Murray River Council (two repeat findings)

The following weaknesses identified with accounting procedures for IPPE:

  • the asset register is not reconciled to the general ledger
  • difficulties in reconciling capital work-in-progress (WIP) from the asset register to general ledger.
Inner West Council (repeat finding, elevated from moderate to high risk in 2021–22)

Council’s comprehensive revaluations process of roads, footpaths, kerb and gutters, bulk earthworks, other road assets and car parks contained the following deficiencies:

  • information used to recognise the revaluation movements in the financial statements did not reconcile to the valuer’s report resulting in material corrections to the financial statements.
  • prior period errors for ‘found’ assets of $71.8 million at 1 July 2020, required corrections to disclosures
  • lack of appropriate quality review procedures on revaluation results, draft financial statements and their supporting information.

Common findings

The common asset management findings reported in audit management letters related to deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.

Weak processes over maintenance, completeness and security of fixed asset registers at 52 councils

Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.

Fixed asset register issues reported in audit management letters Number of councils

Council did not maintain an accurate and complete fixed asset register. This included:

  • issues with duplicate or missing assets
  • incorrect categorisation of assets
  • incorrect componentisation of assets.
29
Council did not regularly update their fixed asset register for additions and disposals. 32
Asset registers were not maintained in a secure format (for example, use of unlocked spreadsheets or multiple systems). 13

We continue to see weak processes over maintenance and security of fixed asset registers. There continues to be issues with accuracy and completeness of the asset register, duplication or missing assets, and asset registers not being reconciled with the asset management systems.

Prior period errors continue to predominately relate to the quality of asset records and asset revaluation errors such as found and duplicate assets.

Deficiencies in infrastructure asset revaluation processes at 53 councils

Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.

Deficiencies were identified in infrastructure asset valuations at 53 councils, including:

  • inadequate documentation to support key assumptions and judgements applied including:
    • useful lives and condition assessments
    • unit rates used to value infrastructure assets
  • incorrect classification of assets
  • incorrect exclusion of some assets from valuations
  • management not documenting their quality review over the asset valuation
  • errors in annual fair value assessments when applying indices to adjust fair values/deficiencies in the annual fair value assessment process.

Opportunities for councils to improve the valuation process and perform valuations earlier

Performing asset valuations earlier gives time for management and auditors to complete all requirements before the financial statements are prepared and facilitates earlier sign offs. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results‘:

  • 45 (2020–21: 42) councils completed infrastructure, property, plant and equipment valuations before 30 June 2022
  • 36 (2020–21: 24) councils performed fair value assessments of infrastructure, property, plant and equipment.

Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:

For an accessible image, please email communications@audit.nsw.gov.au
Project plan asset valuations

Improvements to council landfill rehabilitation accounting practices required at 25 councils

Australian Accounting Standards require recognition of a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when it can be reliably measured. Such provisions should be annually reassessed for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.

Common findings identified in council landfill rehabilitation accounting practices include:

  • no formal assessment of obligations to rehabilitate landfill sites
  • insufficient documentation of provision calculations to support inputs, assumptions and key data for accounting of the provisions
  • costs associated with post-closure, aftercare and monitoring of landfill sites in their provisions not included in the assessment.

3.6 Purchases and payables

Councils spend substantial funds each year to procure goods and services. It is important there is appropriate probity, accountability and transparency in procurement to reduce the risk of unauthorised purchases, corrupt and fraudulent behaviour, and value for money not being achieved.

Purchases and payables findings decreased from 105 to 77

Audit management letters reported 77 findings relating to purchases and payables (2020–21: 105 findings). Forty-nine per cent (2021: 55%) were repeat or partial repeat findings.

Source:Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

Two high-risk findings, both elevated from moderate risk in 2020–21, were reported at the following councils.

Council Description
2021–22 findings  
Cootamundra-Gundagai Regional Council (repeat finding, elevated
from moderate to high risk in 2021–22)
Council’s creditor Masterfile changes report was not prepared or reviewed.
Liverpool Plains Shire Council
(repeat finding, elevated from moderate to high risk in 2021–22)

Council’s procurement process contained the following deficiencies:

  • 62% of purchase orders had the same employee raising and authorising a purchase order before receipting the goods
  • 46% of purchase orders were raised on receipt of the invoice.

Common findings

The common purchases and payables findings reported in audit management letters related to controls around purchase orders, review of creditor information and deficiencies in credit card management practices.

Increase in number of councils with controls around purchase orders being absent or not enforced

At 35 (2020–21: 12) councils, we identified that employees could approve their own purchase orders. At 44 (2020–21: five) councils, we identified that purchase orders were approved without appropriate delegation. It is important there is segregation of duties and appropriate delegation in procurement to reduce the risk of fraud and misuse of public money.

Purchase orders were approved after the receipt of goods or services at 56 (2020–21: 28) councils. Purchase orders should be issued before requesting goods or services to reduce the risk of unauthorised transactions.

Insufficient review of changes to creditor information at 13 councils

Thirteen (2020–21: 29) councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Councils should review each change or perform a regular collective review of changes.

3.7 Payroll

Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award. Payroll processes and information systems should protect the integrity of employee records and timesheet data to ensure accurate payments to employees and leave entitlement calculations.

Payroll findings decreased from 96 to 82

Audit management letters reported 82 findings relating to payroll processes (2020–21: 96 findings). Sixty-five per cent (2020–21: 60%) were repeat or partial repeat findings.

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

One high-risk finding relating to payroll processes in 2021–22 (2020–21: nil) reported at the following council. The high-risk finding was a repeat issue elevated from moderate risk in 2020–21.

Council Description
2021–22 findings  
Cootamundra-Gundagai Regional Council (repeat finding, elevated from moderate to
high risk in 2021–22)
Council’s payroll Masterfile changes report was not prepared or reviewed.

Common findings

The common payroll findings reported in audit management letters related to deficiencies in the review of employee payroll data and excessive annual leave balances.

Changes to employee payroll data are not reviewed at 16 councils

Sixteen councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils.

 

3.8 Cash and banking

Councils process a high volume of transactions each year. Effective controls over cash collection, disbursements and reconciliations reduce the risk of fraud and error.

Cash and banking findings decreased from 36 to 29

Audit management letters reported 29 findings relating to cash and banking (2020–21: 36 findings). Forty-one per cent were repeat or partial repeat findings.

Source:Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

Two high-risk findings, including one new finding and one repeat finding elevated from moderate risk in 2020–21, were reported at the following councils.

Council Description
2021–22 findings  
Hilltops Council
(repeat finding, elevated from moderate to high risk in 2021–22)
Monthly bank and investments reconciliations were not performed for some bank accounts. Misstatements in cash and investments balances were identified in both 2021–22 and 2020–21 audits.
Penrith City Council (new finding) Under Section 355 of the LG Act, the council delegated authority to volunteer committees to manage several smaller recreational/community facilities. At 30 June 2022, the council’s cash balance reported in the financial statements included cash relating to these committees. Our audit identified deficiencies
in the council’s process for managing the cash balances of the committees.

Common findings

The common cash and banking findings reported in audit management letters related to outdated bank signatories, the lack of segregation of duties in the cash handling process and the lack of security of payment files.

Outdated bank signatories at ten councils

Bank signatories are not being removed on a timely basis. Ten councils still had their former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.

Deficiencies in the cash handling processes at six councils

Deficiencies in the cash handling process were identified at six councils, including lack of daily cashier reconciliation and lack of segregation of duty. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.

Lack of security of payment files for pay runs at three councils

Three councils did not encrypt Electronic Funds Transfer payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.

3.9 Revenue and receivables

Councils receive revenue from a range of different sources, including rates and annual charges, user charges and fees, operating and capital grants and contributions, and other revenue (such as interest, investments and asset disposals). It is important that councils have appropriate internal controls to accurately record revenue and receivables in compliance with accounting standards and legal requirements.

Revenue and receivable findings decreased from 80 to 69

Audit management letters reported 69 findings relating to revenue and receivables (2020–21: 80 findings). Forty-two per cent were repeat or partial repeat findings.

 

Source: Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

There were no high-risk findings related to revenue and receivable processes in 2021–22 (2020–21: nil).

Common findings

The common revenue and receivables findings reported in audit management letters related to deficiencies in the review of changes to fee tables and property data in council rates systems, and inappropriate revenue recognition practices.

Lack of review of changes to fee tables and property data in the rating system at 15 councils

Council systems contain fee tables and property information, which are used to determine rates and annual charges levied on different properties. Fifteen councils do not adequately review changes for accuracy and appropriateness. This increases the risk of errors in recording rates and annual charges in the financial statements.

Inappropriate revenue recognition at 16 councils

Sixteen councils had findings raised relating to their revenue recognition practices, including:

  • no effective internal controls to ensure the completeness of revenue activities recorded
  • deficiencies in grants recognition that resulted in misstatement in the financial statements
  • use of cash accounting basis to recognise some revenue transactions, rather than accruals.

Deficiencies in revenue recognition practices resulted in 38 errors identified in councils’ financial statements, totalling $65.1 million.

3.10 Information technology (IT)

Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure confidentiality, and integrity of systems and data. These controls underpin the integrity of financial reporting.

Financial audits involve the review of IT general controls relating to key financial systems supporting the preparation of council financial statements, addressing:

  • policies and procedures
  • IT risk management
  • user access management
  • privileged user access restriction and monitoring
  • system software acquisition, change and maintenance
  • disaster recovery planning
  • cyber security and patch management.

IT findings decreased from 296 to 236

Audit management letters reported 236 findings relating to IT (2020–21: 296 findings). Seventy-three per cent were repeat, partial repeat or ongoing findings.

 

Source:Audit management letters for 30 June 2021 and 30 June 2022 audits.

High-risk findings

High-risk findings, including repeat and ongoing findings, were reported at the following councils. Increase in high-risk findings are due to a number of unresolved prior year’s moderate risk findings being reassessed as high risk. These repeat findings need to be resolved as a priority.

Council Description
2021–22 findings**  
Dubbo Regional Council
(repeat finding)

Council had the following information technology (IT) access control issues:

  • Audit logs of privileged account activity can be amended or deleted.
  • Lack of evidence on monitoring of privileged user activity.
  • Inadequate password configuration.
Lismore City Council (repeat finding) No periodic review of users who can purge audit logs.
Wagga Wagga City Council
(repeat finding)

Council had the following IT access control issues:

  • No formal policies and procedures for monitoring and managing privileged users.
  • Due to system limitations, audit logs or privileged access activities cannot be generated in the asset management system.
  • Audit logs of privileged users are not reviewed for the payroll system.
  • No formal periodic review of user access rights for payroll and asset management systems. Periodic user access review for finance system was conducted incompletely.
  • Generic accounts are being used in finance system.
City of Paramatta Council
(repeat finding*)

Council had the following IT access control issues:

  • Audit logs of privileged users are not periodically reviewed.
  • No periodic review of users who have direct access to the databases of finance, revenue and payroll systems.
Dungog Shire Council (repeat finding*)

Council had the following IT control issues:

  • missing key IT policies
  • no IT risk register
  • audit logs of privileged users are not periodically reviewed
  • gaps in cyber security management and password configuration.
Liverpool Plains Shire Council
(repeat finding*)
Council’s key formal IT policies are missing or outdated.
Coonamble Shire Council
(repeat finding*)

Council had the following IT access control issues:

  • Privileged users’ activity monitoring only started in June 2022 and hence audit logs of privileged users were not reviewed throughout the financial year.
  • Lack of segregation of duties as the finance officer has the system administrator role, granting full access to all major modules including general ledger, accounts payable, banking software and bank reconciliations. This officer is also an Electronic Fund Transfer (EFT) transferor.
Orange City Council (repeat finding*) Council did not have formal IT security policy and procedures.
Uralla Shire Council (repeat finding*) Council did not have key IT policies, IT business continuity plan or IT disaster recovery plan.

* The findings identified were previously reported as separated moderate-risk findings and yet to be resolved by management as part of the 30 June 2022 audit. Due to the aggregated risk of the findings, these have been reassessed as a high-risk finding.
** Additional audit procedures were performed to respond to and address the weakness identified.

Common findings

The common IT findings reported in audit management letters related to deficiencies in IT policies and procedures, lack of a cyber security framework, and controls and gaps in user access management processes. This is consistent with what we reported in our ‘Local Government 2021’ report.

IT policies and procedures were outdated or not in place at 43 councils

Forty-three councils (2020–21: 59 councils) did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.

Lack of periodic user access review at 28 councils and insufficient control over privileged users at 46 councils

The following common access management findings were identified:

  • 28 councils (2020–21: 42 councils) did not perform a periodic user access review to ensure users’ access to key IT systems were appropriate and commensurate with their roles and responsibilities.
  • 46 councils (2020–21: 73 councils) had gaps in privileged users’ management process. This includes gaps in restriction of privileged users’ access or monitoring of the privileged users’ activity logs.

Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of unauthorised transaction or modification of sensitive data and transactions. The common findings above may be rated high-risk when there are no mitigating controls to prevent or detect any unauthorised transactions.

While the above two findings are considered as common findings across councils, we have noticed a significant improvement compared to last year with a 33% reduction in the number of councils with periodic user access review findings, and a 37% reduction in the number of councils with insufficient control over privileged users.

Cyber security frameworks and related internal controls were not in place at 63 councils

The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.

While there is currently no requirement for councils to comply with the NSW Government’s Cyber Security Policy, councils may find it useful to refer to the policy for further guidance.

Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:

  • cyber security framework, policy and procedure
  • register of cyber incidents
  • simulated cyber attack testing (penetrations testing)
  • cyber security training and awareness program.

Poor management of cyber security can expose councils to a broad range of risks, including:

  • theft of corporate and financial information and intellectual property
  • theft of money
  • denial of service
  • destruction of data
  • costs of repairing affected systems, networks and devices
  • legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
  • third-party losses when personal information stored on government systems is used for criminal purposes.

Gaps in cyber security management in the local government sector have been continuously highlighted, since our Report on Local Government 2019 first recommended that the Office of Local Government (OLG) within the Department of Planning and Environment should develop a cyber security policy to ensure cyber security risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.

As of 19 December 2022, OLG has published Cyber Security Guidelines for NSW Local Government. OLG highlighted that councils can adopt the Guidelines or use them to form the basis of an internally developed cyber security policy. Adherence to the Guidelines is strongly recommended by OLG, but voluntary, with no requirement to report maturity scores to the OLG or to Cyber Security NSW.

Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cyber security plan, which may prevent them from implementing key cyber security controls. With no timeframes set for councils to create a cyber security plan or reporting requirements to the OLG, this further increase the risk that councils may have delays in the implementation of their cyber security controls.

The Cyber Security Guidelines were released by OLG after the 2021–22 financial audit period and hence the full impact of it to councils’ cyber security maturity is yet to be seen. However, the data we collected across all 150 councils and joint organisations, identified that at the time when the guidance from OLG was yet to be published, some councils had started developing their cyber security plans adopting guidance from the following sources:

  • Cyber Security NSW
  • the Australian Cyber Security Centre (ACSC)
  • International Organization for Standardization (ISO standards)
  • the National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS).

Cyber security management

Cyber security continues to be a sector-wide common audit finding among councils. However, we are seeing some improvements over the implementation of basic cyber security controls that we expect councils to have in place. Whilst our review shown below is limited to the high-level governance of cyber security implementation in local government, the improvements noted indicate that even though there was no formal policy/guidance published for councils at the time of our audit, some councils are working to improve gaps identified in their cyber security management.

Gaps identified FY2021 FY2022 %
Councils with no formal cyber security policy 46% 47% 1%
Councils with no formal cyber security roles and responsibilities established 39% 33% 6%
Councils that have not communicated cyber risk with those charged with governance 24% 25% 1%
Councils that do not have cyber security identified as a risk in their enterprise risk register 28% 23% 5%
Councils without a register of cyber attack/incidents 40% 30% 10%
Councils that are yet to conduct cyber security training and awareness programs to their staff 51% 34% 17%

Source:Additional data collection from 30 June 2022 audits of councils and joint organisations.

Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place

Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.

In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW Local Government on 19 December 2022. The guidelines:

  • allow councils to assess their cyber security maturity and their maturity uplift
  • outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
  • can be adopted by councils or used to form the basis of an internally developed cyber security policy
  • are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.

We recommended that all councils should create/update a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.

Appendices

Appendix one – Response from the Office of Local Government within the Department of Planning and Environment

Appendix two – Status of audits

Appendix three – Councils received qualified audit opinions

Appendix four – Common reasons for council extensions

 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.