Report highlights
What this report is about
Results of the local government sector financial statement audits for the year ended 30 June 2023.
Findings
Unqualified audit opinions were issued for 85 councils, eight county councils and 12 joint organisations.
Qualified audit opinions were issued for 36 councils due to non-recognition of rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997.
The audits of seven councils, one county council and one joint organisation remain in progress at the date of this report due to significant accounting issues.
Fifty councils, county councils and joint organisations missed the statutory deadline of submitting their financial statements to the Office of Local Government, within the Department of Planning, Housing and Infrastructure, by 31 October.
Audit management letters included 1,131 findings with 40% being repeat findings and 91 findings being high-risk. Governance, asset management and information technology continue to represent 65% of the key areas for improvement.
Fifty councils do not have basic governance and internal controls to manage cyber security.
Recommendations
To improve quality and timeliness of financial reporting, councils should:
- adopt early financial reporting procedures, including asset valuations
- ensure integrity and completeness of asset source records
- perform procedures to confirm completeness, accuracy and condition of vested rural firefighting equipment.
To improve internal controls, councils should:
- track progress of implementing audit recommendations, and prioritise high-risk repeat issues
- continue to focus on cyber security governance and controls.
Fast facts
Auditor-General’s foreword
Pursuant to the Local Government Act 1993 I am pleased to present my Auditor-General’s report on Local Government 2023. My report provides the results of the 2022–23 financial audits of 121 councils, eight county councils and 12 joint organisations. It also includes the results of the 2021–22 audits for two councils and two joint organisations which were completed after tabling of the Auditor-General’s report on Local Government 2022. The 2022–23 audits for eight councils, one county council and one joint organisation remain in progress due to significant accounting issues.
This will be my last consolidated report on local councils in NSW as my term as Auditor-General ends in April. Without a doubt, the change in mandate to make me the auditor of the local government sector has been the biggest challenge in my term. Challenging for councils as they adjust to consistent audit arrangements and for the staff of the Audit Office of NSW as they learn about the issues facing NSW councils.
The change in mandate aimed to improve the quality of financial management and reporting across the sector. This will take time. But this report does show some ‘green shoots’ with more councils submitting financial reports to the Office of Local Government by 31 October and more councils having Audit, Risk and Improvement Committees.
I also want to acknowledge that councils face significant challenges responding to and recovering from emergency events whilst cost and resourcing pressures have been persistent.
The findings from our audits identify opportunities to further improve timeliness and quality of financial reporting and integrity of systems and processes. The recommendations in this report are also intended to improve financial management and reporting capability, encourage sound governance, and boost cyber resilience.
Margaret Crawford PSM
Auditor-General for New South Wales
1. Introduction
1.1 The local government sector
Local government is the third tier of government. It is established under state legislation, which defines the powers and geographical areas each council is responsible for.
At 30 June 2023, there were 128 local councils, 13 joint organisations and nine county councils in New South Wales.
Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths, stormwater and in many regional and rural areas water and sewer. While core functions, such as waste collection, are similar across councils, the range of services each council provides can vary depending on the needs of each community.
County councils were established for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.
Joint organisations were formed in regional New South Wales to improve infrastructure and service delivery in regional communities.
1.2 Financial audit
This report provides the results and findings of the completed 2022–23 financial audits of 121 councils, eight county councils and 12 joint organisations, and the completed 2021–22 financial audits of two councils and two joint organisations.
The audits for seven councils, one county council and one joint organisation remain in progress as at the date of this report.
In preparing this report, our observations and analyses were drawn from:
- audited financial statements
- performance audit reports
- data collected from councils
- audit findings reported to councils in audit management letters.
Each local council has unique characteristics such as its size, location and services provided to their communities. To enable comparison, we divided councils into three categories – metropolitan, regional and rural. County councils and joint organisations are separately identified in the report.
1.3 Performance audit
Our performance audits assess whether the activities of government entities are being carried out effectively, economically, efficiently, and in compliance with relevant laws. Our mandate to conduct these audits is provided under the Local Government Act 1993 (LG Act).
The recent performance audits relevant to the local government sector included:
Financial management and governance in MidCoast Council
The Local Government Act 1993 requires councils to apply sound financial management principles, including sustainable expenditure, effective financial management and regard to intergenerational equity.
This audit assessed whether MidCoast Council had effective financial management arrangements that support councillors and management to fulfill their responsibilities as financial stewards.
MidCoast Council did not meet all legislative and policy requirements for long-term financial planning.
From 2019–20 to 2020–21 financial years, the Council had financial management and governance gaps. Some gaps were addressed throughout 2021–22.
MidCoast Council experienced significant challenges in its implementation of a consolidated financial management system following amalgamation in 2016 and the merging of MidCoast Water in 2017. This led to gaps in finance processes and data quality.
We recommended MidCoast Council to:
- ensure its long-term financial plan meets legislative and policy requirements
- undertake service reviews to better understand net costs to inform budget and financial planning decisions
- improve the quality of asset management information to inform budget and financial planning decisions
- use the financial management components of the MC1 system to its full potential
- address control and process gaps identified in audits and reviews
- ensure competency of those responsible for finance and budget
- ensure financial sustainability initiatives account for the cost of services and asset management information.
Findings and recommendations around the effectiveness of long-term financial planning, comprehensive and timely financial reporting and financial management governance arrangements are relevant for all councils.
Cyber security in local government
Councils use various information systems and software to manage significant amounts of information and data relevant to their corporate functions, infrastructure and service delivery. This may include sensitive information about residents, customers and staff.
The threat from cyber security incidents continues to rise. Such incidents can harm local government service delivery and may include theft of information, denial of access to critical technology, of even the hijacking of systems for profit or malicious intent.
This audit assessed how effectively the City of Parramatta Council, Singleton Council and Warrumbungle Shire Council identified and managed cyber security risks. The audit considered whether the councils:
- effectively identify and plan for cyber security risks
- have controls in place to effectively manage identified cyber security risk
- have processes in place to detect, respond to, and recover from cyber security incidents.
Refer to Cyber security in local government for the findings and recommendations, which are relevant for all councils.
Performance audits planned or in progress
The following local government performance audit reports are either planned or in progress:
- Road asset management
New South Wales has over 180,000 km of roads across its network. Local councils manage over 85% of these roads.
This audit will consider how effectively three councils are managing their road assets. The audit will examine whether the selected councils have a strategic framework in place for road assets, have effective data and systems for managing road assets and whether they manager their road assets in line with planned service levels and quality outcomes.
The councils selected for this audit are Gwydir Shire Council, Wollondilly Shire Council and Clarence Valley Council. - Coastal management reforms
The coast is one of our greatest assets in New South Wales and is home to nearly 85% of the state’s population. The NSW Government has established a framework to manage the coastal environment in a sustainable way for the wellbeing of the people of New South Wales. This includes the Coastal Management Act 2016, which requires certain local councils to prepare a coastal management program, and the State Environmental Planning Policy (Resilience and Hazards) 2021. The Department of Planning, Housing and Infrastructure (the Department) is responsible for the Act and assists local councils in the coastal zone (‘coastal councils’) by administering grant funding and offering technical support and coordination for their coastal management programs.
This audit could assess how effectively the Department has overseen and implemented key elements of this reform package, and how effectively coastal councils have progressed coastal management planning and delivered coastal management programs.
2. Audit results
Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines audit observations related to the financial reporting audit results of councils, county councils and joint organisations.
Section highlights
- Unqualified audit opinions were issued for 85 councils, eight county councils and 12 joint organisation’s 2022–23 financial statements.
- Disclaimers of opinion were issued to Kiama Municipal Council and Narrabri Shire Council for their 30 June 2022 financial statements.
- Qualified audit opinions were issued for 36 councils due to their financial statements not recognising rural firefighting equipment vested to councils under the Rural Fires Act 1997.
- The audits for seven councils, one county council and one joint organisation remain in progress at the date of this report due to significant accounting issues.
- Council financial statements include 242 uncorrected errors and 75 retrospective correction of prior period errors.
- One hundred councils, county councils and joint organisations (2021–22: 93) lodged audited financial statements with the Office of Local Government (OLG) by the statutory deadline of 31 October. Fifty councils, county councils and joint organisations missed the 31 October deadline.
- Three joint organisations and one council breached the Local Government Act 1993 as they did not seek extensions from the OLG and missed the statutory deadline.
- Fifty-four per cent of councils performed some early financial reporting procedures, such as revaluing assets before the 30 June (2021–22: 82%).
2.1 Quality of financial reporting
The Auditor-General is required, under the Local Government Act 1993 (LG Act), to issue an audit opinion on each of the following reports prepared by councils. The information in this chapter focusses on general purpose financial statements.
Indicators of quality financial reporting include:
- unqualified audit opinions
- low number of errors, including disclosure deficiencies, in financial statements.
Audit opinions
Unqualified audit opinions were issued for 105 councils and joint organisations
At the date of this report, we issued unqualified audit opinions for the 2022–23 financial statements of 85 councils, eight county councils and 12 joint organisations. This means sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement and were prepared in accordance with Australian Accounting Standards and the LG Act.
Unqualified audit opinions were issued for the 2021–22 financial statements of Canberra Region Joint Organisation and Hunter Joint Organisation, after tabling of the ‘Local Government 2022’ report.
Disclaimer of opinion for Kiama Municipal Council’s 30 June 2022 financial statements
Councillors and management declared, in the Statement required by Councillors and Management under Section 413(2)(c) of the LG Act, that they were unable to:
- rely on the prior year comparative information presented, which represent the opening balances for the 2021–22 financial statements
- warrant the completeness, accuracy and valuation of the net carrying values of infrastructure, property, plant and equipment (IPPE), excluding buildings and operational land
- attest to the completeness, accuracy and valuation of disclosures related to IPPE
- verify the accuracy of restricted cash, cash equivalents and investments
- certify the financial statements as a whole due to these issues.
A disclaimer of opinion was issued for the 30 June 2022 financial statements of the Kiama Municipal Council.
A disclaimed audit opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence upon which to form an opinion on the council’s financial statements, and the auditor concludes that the possible effects of undetected misstatements in the financial statements could be both material and pervasive.
An emphasis of matter was also included to draw attention to externally restricted funds being used for a purpose other than their intended use without Ministerial approval.
In November 2022, the former Minister issued a performance improvement order setting out actions to be taken to improve Council’s financial management.
Disclaimer of opinion for Narrabri Shire Council’s 30 June 2022 financial statements
Councillors and management declared, in the Statement required by Councillors and Management under Section 413(2)(c) of the LG Act, that the underlying books and records were insufficient to support significant balances impacted by multiple flood events and disclosures. These included:
- carrying value of capital work in progress
- carrying value of road assets
- validity of prior period errors recorded in the financial statements.
A disclaimer of opinion was issued for the 30 June 2022 financial statements of Narrabri Shire Council.
Non-recognition of vested rural firefighting equipment by councils led to 36 qualified audit opinions
Thirty-six councils (2021–22: 43) received qualified audit opinions on their 2022–23 financial statements due to non-recognition of vested rural firefighting equipment as assets within their financial statements at 30 June 2023. These qualified audit opinions took different forms depending on the circumstances surrounding the non-recognition, as follows:
- 34 councils imposed a limitation of scope on the audit by not undertaking procedures to confirm the completeness, accuracy, existence or condition of the equipment
- 2 councils for omitting material assets in their financial statements, despite undertaking procedures to confirm the completeness, accuracy, existence, and condition of the equipment.
A qualified audit opinion is issued when the auditor:
- having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements, or
- is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the possible effects of undetected misstatements on the financial statements are material but not pervasive.
The 2022 qualified opinions on six councils were removed as they addressed audit recommendations. The remaining council has an extension and is not reported in this chapter.
Refer to Appendix five for a list of councils with qualified audit opinions in 2022–23 relating to rural firefighting equipment.
The continued non-recognition of vested rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed. Councils that have rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997 (Rural Fires Act), should recognise these assets in their financial management systems and maintain the assets to the required standards in readiness for fire mitigation and prevention activities.
Councils have specific responsibilities for fire mitigation and safety works and bush fire hazard reduction under Part 4 of the Rural Fires Act. The Council obtains economic benefits from the rural firefighting equipment as these assets are used to fulfil Council’s responsibilities.
In accordance with the Australian Accounting Standards, vested rural firefighting equipment is recorded as an asset and contribution revenue for assets acquired free of charge so there is no cash impact. Over the useful life of the asset, the revenue is offset by the depreciation charge. There is no impact on cash or net assets at the end of the asset’s useful life.
Twenty councils performed sufficient procedures to confirm the value of these assets was not material to their financial statements and received unqualified audit opinions
Twenty councils do not record rural firefighting equipment in their financial statements, but performed sufficient procedures to demonstrate the value of unrecorded assets was not material to the financial statements taken as a whole. These omissions were reported as an uncorrected error. The risk of future qualifications remains as the value may become material to the financial statements as further firefighting equipment is vested to them in future years. There is also a heightened risk that these important assets are not being properly maintained and managed for operational purposes.
Forty-nine councils recognised their rural firefighting equipment, two of these for the first time
Forty-nine (2021–22: 47) councils recognised vested rural firefighting equipment in their financial statements, with two councils recognising the equipment in their financial statements for the first time in 2022–23.
The continuing inconsistency in the recognition and management practices for rural firefighting equipment across the local government sector puts at risk the operational capability for the deployment of these assets.
The Office of Local Government has updated the ‘Local Government Code of Accounting Practice for 2023–24’ to require councils to recognise material rural firefighting equipment in the financial statements.
Two councils received qualified audit opinions
In addition to receiving qualified audit opinions for non-recognition of vested rural firefighting equipment, two councils received other qualifications in the Independent Auditor’s Reports for the 2022–23 financial statements. The table below includes the reasons for these qualified audit opinions.
Council | Reason |
Snowy Monaro Regional | Council certified it was unable to provide sufficient and appropriate audit evidence to support completeness and accuracy of road assets within its infrastructure, property, plant and equipment balance as at 30 June 2023. |
Moree Plains Shire | Council certified it was unable to provide sufficient and appropriate audit evidence to support the carrying values of roads, water supply network and sewerage network assets within its infrastructure, property, plant and equipment balance as at 30 June 2023. |
Emphasis of matter paragraphs were included in four audit opinions
An emphasis of matter paragraph is included in the Independent Auditor’s Report to refer to a matter presented or disclosed in the financial statement that we deem is fundamental to the understanding of the financial statements. The table below details the emphasis of matter paragraphs reported in the Independent Auditor’s Reports for the 2022–23 financial statements.
Council/Joint Organisation | Reason |
Weddin Shire | Council acknowledged it had used the following funds for purposes other than their intended use during the year ended 30 June 2023:
|
Gwydir Shire | Council acknowledged it had used externally restricted funds for purposes other than their intended use between 1 July 2022 and 31 August 2022 (non-compliance with s.409 of the LG Act). Council is also unable to verify that special rates or charges funds were not used to pay for general expenses between 1 July 2022 and 31 August 2022 (non-compliance with s.410 of the LG Act). |
New England | The financial statements were prepared on a non-going concern basis as the joint organisation intends to cease operations within the next 12 months. |
Other matter paragraphs were included in two audit opinions
An other matter paragraph is included in the Independent Auditor’s Report to refer to a matter not presented in the financial statements that we deem relevant to the understanding of the audit, the auditor’s responsibilities or the auditor’s report.
The table below details the other matter paragraph reported in the Independent Auditor’s Report for the 2022–23 financial statements.
Joint Organisation | Reason |
New England | The joint organisation did not comply with the following requirements of the LG Act and LG Regulation:
|
The audit of the City of Ryde was delayed while we considered a significant audit matter relating to the use and management of restricted cash and investments
On 26 May 2023, Council wrote to the Auditor-General for NSW, highlighting several matters concerning the management of funds held in restricted cash and investments. The letter highlighted several potential breaches of legislation in relation to the movement and expenditure of funds collected under developer contribution plans, voluntary planning agreements and for domestic waste management, and set out the main steps Council was taking to address the matters noted. The matters raised ultimately did not impact our opinion on Council’s 2023 financial statements, which was issued on 28 February 2024, but did require significant analysis as to interpretation of the legal view and the requirements of the accounting framework.
In 2020–21, Council moved $88 million from its externally restricted cash and investments
Council adopted a new developer contributions plan (referred to as the 2020 Plan), effective 1 July 2020, and repealed its old plan (referred to as the 2014 Plan). Following the repeal of the 2014 Plan, Council moved $88 million of funds collected under the 2014 Plan from its externally restricted cash and investments from developer contributions. Council moved:
- $35.5 million to the Ryde Central Reserve, as an internal allocation, which was not spent
- $52.5 million to the Asset Expansion Reserve, as an internal allocation. Council identified that the funds were largely spent on projects identified in the 2014 or 2020 Plans. However, $11.6 million of these funds was spent on projects not identified in either of these plans, but provided amenities or services to the community in accordance with Council’s Delivery Program.
In 2021–22, Council also transferred $1.1 million from its externally restricted cash and investments to the employee leave entitlement reserve, as an internal allocation, which was not spent.
In 2020–21, Council provided the Audit Office with a piece of legal advice as evidence to support its disclosures within its 2020–21 and 2021–22 financial statements. This advice, from 2016, dealt with certain matters around expenditure of what were then section 94 contributions under the Environmental Planning and Assessment Act 1979 (EPA Act). While this advice was on another matter, it specifically discusses the principles and case law that might apply to the future use of funds once a contributions plan has been repealed.
Council has received subsequent legal advice on the movement and expenditure of externally restricted cash and investments
Council obtained legal advice on the movements and use of the funds from a legal firm in 2022–23. Council's most recent legal advice, upon which it relied to inform the movements and disclosures within its 2023 financial statements, identified that the transfer of the developer contributions collected under the 2014 Plan and certain expenditures from prior years, noted above, were potential breaches of the EPA Act.
The advice also identified breaches of legislation relating to expenditure in 2020–21:
- $3.7 million from voluntary planning agreement contributions to fund Council’s operations in response to COVID-19 income reductions and software related purchases. This expenditure breached section 7.3 of the EPA Act and section 409(3) of the Act.
- $1 million of domestic waste management funds to fund COVID-19 hardship rates. This expenditure breached sections 504 and 409(3) of the Act.
The Audit Office obtained advice from the Crown Solicitor
We concurred that the expenditure in prior years of the voluntary planning agreement contributions and domestic waste management funds for COVID-19 related purposes was inconsistent with relevant legislation. However, due to the lack of case law precedent and explicit guidance in the EPA Act or Regulation, the movement and use of repealed developer contribution funds is a more complex legal matter.
The Audit Office sought legal advice from the Crown Solicitor about the general application of the law on the use and management of funds collected under repealed development contributions plans (DCPs), and for domestic waste management.
In relation to the use and management of funds collected under repealed DCPs, the Crown Solicitor advised that:
Neither the EPA Act and the EPA regulation, nor present authorities, provide explicit or substantial guidance as to the extent to which a DCP may enable the carrying-over and application of contributions previously collected under a repealed plan. Nor by extension, do they provide significant assistance in determining whether a specific DCP is to be interpreted as permitting this practice.
Some of the principles expressed by the Crown Solicitor differed from those of Council. As a result of these differences and feedback from Council, we sought further advice from the Crown Solicitor on Council's specific circumstances.
Council's movement of these funds back to externally restricted reserves in 2023 is in accordance with its most recent legal advice
We note that to address the potential breaches in prior years detailed above, on 27 June 2023, Council resolved to return:
- $35.5 million from the Ryde Central Reserve to the s7.11 Externally Restricted Reserves
- $1.1 million from Employee Leave Entitlements Reserve to s7.11 Externally Restricted Reserves
- $1.1 million from interest earned in prior years from the Accommodation Reserve to the s7.11 Externally Restricted Reserves.
The same resolution also reimbursed Council's externally restricted reserves for the following amounts:
- $3.7 million related to funds collected under voluntary planning agreements from the Accommodation Reserve to the Voluntary Planning Agreement Reserve
- $1 million of domestic waste management funds from the Accommodation Reserve to the Domestic Waste Management Reserve.
In consideration of Council’s most recent legal advice and the Crown Solicitor’s advice, we supported the transfers of the funds back to externally restricted reserves in 2022–23.
As noted above, we sought and received further specific advice from the Crown Solicitor, to inform our view on whether Council breached legislation in prior years. That advice confirmed the Crown Solicitor’s previous general advice that merely transferring funds to council’s internal reserves did not breach Council’s legal obligations under s7.3(1) of the EPA Act. The Crown Solicitor’s general advice is at Appendix two to this report.
The potential for any breach of legislation did not impact the 2022–23 financial statement disclosures, namely Note C 1-3 ‘Restricted and allocated cash, cash equivalents and investments’, Note F 3-1 ‘Summary of developer contributions’, Note F 3-2 ‘Developer contributions by plan’ and Note F 3-3 ‘Contributions not under plans’, nor did it impact our Independent Auditor’s Report thereon.
The legislative requirements regarding the use of funds from repealed contributions plans would benefit from clarification
One of the key issues highlighted by the matters above, is that there is no specific guidance in the EPA Act or the EPA Regulation that provides for how funds collected under one DCP are to be treated if a contributions plan is repealed, or repealed and replaced by a new contributions DCP. Council's legal advice noted a lack of clarity in the Local Government Code of Accounting Practice and Financial Reporting (the Code). The Crown Solicitor noted a lack of clarity in the legislation:
I nonetheless note that the question would benefit greatly from clarification by way of amendment of the EPA and/or its sundry regulations.
Our recommendations arise from the issues noted by the legal counsel engaged by Council and by the Crown Solicitor.
Recommendation to the DepartmentThe Department of Planning, Housing and Infrastructure, as the principal department primarily responsible for administration of the EPA Act, specifically address how funds collected under one plan are to be treated if a contributions plan is repealed, or repealed and replaced by a new contributions plan. The Department, through the Office of Local Government make more explicit in the Code how funds from Developer Contribution Plans are to be disclosed in councils’ financial statements. |
Errors identified through audits
Uncorrected errors
An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. In our view, errors should be corrected. They are reported to management for this purpose. Management has determined not to correct some errors because they are not material, either individually or in aggregate.
The table below shows the number and value of uncorrected errors by council type for the past two years.
Uncorrected errors | By council type (2023 only) | ||||||
Year ended 30 June | 2023 | 2022 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 106 | 97 | 6 | 16 | 72 | 7 | 5 |
$250,000 to $500,000 | 59 | 47 | 6 | 25 | 27 | -- | 1 |
$500,000 to $1 million | 38 | 34 | 8 | 24 | 6 | -- | -- |
$1 million to $5 million | 37 | 38 | 7 | 25 | 5 | -- | -- |
$5 million to $15 million | 2 | 5 | 1 | -- | 1 | -- | -- |
Total number of errors | 242 | 221 | 28 | 90 | 111 | 7 | 6 |
Total value of errors ($ million) | 151 | 158 | 33.3 | 76.9 | 40.0 | 0.4 | 0.6 |
Source: Engagement Closing Reports issued by the Audit Office.
In 2022–23, 46 councils had no uncorrected errors in their financial statements (2021–22: 49).
Of the 242 uncorrected errors, 52 across 48 councils were related to non-financial assets. The common areas where errors were identified are outlined below.
Common errors | Number of errors |
Councils making assets revaluation errors, such as:
| 26 |
Council’s poor record keeping of asset data, such as:
| 26 |
Prior period errors
A prior period error is a misstatement made by council in previous financial years, identified by the auditor or council in the current financial year, which was corrected retrospectively by restating the opening balances in the financial statements.
The table below shows the number and value of prior period errors by council type for the past two years.
Prior period errors | By council type (2023 only) | ||||||
Year ended 30 June | 2023 | 2022 | Metro | Regional | Rural | County | JO |
Less than $250,000 | 4 | 6 | 1 | -- | 1 | 1 | 1 |
$250,000 to $500,000 | 1 | 1 | 1 | -- | -- | -- | -- |
$500,000 to $1 million | 11 | 6 | 1 | 3 | 7 | -- | -- |
$1 million to $5 million | 24 | 29 | 10 | 7 | 6 | 1 | -- |
$5 million to $15 million | 19 | 12 | 10 | 6 | 3 | -- | -- |
$15 million to $30 million | 6 | 8 | 1 | 2 | 3 | -- | -- |
$30 million to $50 million | 6 | 2 | 6 | -- | -- | -- | -- |
$50 million and greater | 4 | 3 | 3 | 1 | -- | -- | -- |
Total number of errors | 75 | 67 | 33 | 19 | 20 | 2 | 1 |
Total value of errors ($ million) | 894 | 627 | 597 | 201 | 95.3 | 1.3 | 0.1 |
Source: Engagement Closing Reports issued by the Audit Office.
Of the 75 prior period errors, ten were greater than $30 million and were asset related. These are detailed in the table below.
Council | Description of prior period error |
Blacktown City | Incorrectly classified operational land as inventories – real estate ($32.5 million). |
Camden | Applied incorrect unit rates to sandstone retaining walls ($35.4 million). |
Cumberland | Found assets and incorrectly classified community land as operational land ($35 million). |
Liverpool City | Error in indexing of infrastructure, property, plant and equipment ($33.9 million). |
North Sydney | Omission of service concession assets for affordable housing portfolio ($77.4 million). |
Shellharbour City | Applied incorrect valuation methodology for land under roads ($64.9 million). |
Sutherland Shire | Incorrectly capitalised operating expense as stormwater drainage assets ($34.4 million), omission and incorrect index applied for operational land assets ($33.4 million) and error in indexing of water quality devices ($73.7 million). |
Willoughby City | Applied incorrect unit rates to community land assets ($77.7 million). |
Of the 75 prior period errors, 54 across 39 councils were related to non-financial assets. The common causes of prior period errors were similar to those causing current year uncorrected errors, which are reported on the previous page, namely revaluation errors and poor record keeping of asset data. Refer also to Section 3.2, which details our findings in relation to asset management. Unresolved internal control deficiencies can lead to errors in the financial statements.
2.2 Timeliness of financial reporting
The LG Act requires councils to submit their audited financial reports to OLG by the statutory deadline of 31 October or apply for an extension from OLG.
Sixty-seven per cent of councils lodged their audited financial statements by the statutory deadline
Of the 141 councils, county councils and joint organisations for which we have issued independent
audit reports:
- 100 councils, county councils and joint organisations (2021–22: 93) met the statutory deadline
- 38 councils received one or more extension to lodge their audited financial statements at a later date
- 2 joint organisations and one council breached the LG Act by not requesting an extension and missing the statutory deadline.
The graph below breaks down the timeliness of financial reporting for 30 June 2023 by type of council. Eighty-eight per cent of metropolitan councils submitted their financial statements to OLG by 31 October 2023. Rural and regional councils had more challenges meeting the 31 October deadline achieving 61% and 51% respectively.
The graph below shows the submission of audited financial reports by month and type of council. Across all types of councils most were submitting in October 2023.
Refer to Appendix four for further details.
This report does not include the nine incomplete audits
The following audits remain outstanding and the outcomes will be reported in next year’s report to Parliament.
Council/Joint Organisation | Reasons for delay |
Canberra Region | Delays with preparing quality financial statements. |
Glen Innes Severn | Ongoing system implementation issues and council resourcing issues. |
Kiama Municipal | The commencement of the 2022–23 audit was delayed given the council signed its 2021–22 financial statements on 26 September 2023. We concluded on the 2021–22 audit in September 2023. The 2021–22 and 2020–21 audits were delayed due to significant accounting issues. |
Liverpool Plains Shire | Outstanding valuation for a significant water infrastructure asset. |
Narrabri Shire | The commencement of the 2022–23 audit was delayed given the council signed its 2021–22 financial statements on 22 August 2023. We concluded the audit in August 2023. The 2021–22 audit was delayed due to significant accounting issues. |
New England Weeds Authority | Internal control issues have delayed the preparation of the financial statements. |
Orange City | Accounting matters taking time to resolve along with council resourcing issues. |
Singleton | Delay in valuations and council resourcing issues. |
Upper Hunter Shire | Delay in valuations and council resourcing issues. |
The reasons that councils, county councils and joint organisations sought extensions to submit their financial statements after the statutory deadline are shown below.
Source: Council extension letters submitted to OLG.
The most common reasons councils cited when applying for extensions related to:
- accounting or other matters that required more time to resolve
- resolving asset valuation issues
- council resourcing issues including turnover of key staff.
Refer to Appendix four for the names of each council or joint organisation that received extensions.
Some councils performed early financial reporting procedures
This year, 54% (2021–22: 82%) of councils performed at least some early financial reporting procedures, including:
- completing infrastructure, property, plant and equipment valuations before 30 June (43 councils, 2021–22: 45)
- completing fair value assessments of infrastructure, property, plant and equipment (22 councils, 2021–22: 36)
- assessing the impact of material, complex and one-off significant transactions (23 councils, 2021–22: 49)
- working through unresolved prior year audit issues, with an action plan to resolve them (37 councils, 2021–22: 69)
- documenting significant management judgements and assumptions for estimating transactions and balances (19 councils)
- preparing proforma financial statements and associated disclosures (27 councils, 2021–22: 46).
Early financial reporting procedures can assist councils to meet the statutory deadline and submit audited financial statements to OLG by 31 October. These procedures also help to improve quality of financial reporting by identifying and addressing significant risks, and resolving accounting issues before submitting the financial statements for audit.
Councils can work with the Audit Office to select financial reporting procedures to complete and have audited before 30 June. The planned approach should allow sufficient time for management review and involvement of Audit, Risk and Improvement Committees. This process will allow for audit observations and feedback in time for them to be considered in the year-end financial reporting process.
In addition to the procedures listed above, councils should consider the following early financial reporting procedures:
- quality review of the proforma financial statements and the supporting working papers
- reconciling all key account balances and clearing reconciling items
- assessing accounting implications of significant contracts
- assessing the impact of new and updated accounting standards and preparing supporting working papers.
Recommendation to the Department (repeat)The Department of Planning, Housing and Infrastructure should consider requiring early financial reporting procedures across the local government sector. |
It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at earlier financial reporting should be a priority for both councils and the regulator.
For the past two years, about a third of councils, county councils and joint organisations have not lodged their audited financial statements with OLG by the statutory deadline. To assist with improving timeliness of financial reporting OLG should, after discussing policy changes with the key stakeholders within the sector to ensure benefits can be realised, require early financial reporting procedures.
Fewer councils performed early financial reporting procedures prior to 30 June 2023. Forty-three councils performed procedures over infrastructure, property, plant and equipment (IPPE) valuations. As IPPE is the largest financial statement balance and a significant estimate, coupled with the inflationary environment, early valuation procedures can improve quality and timeliness of financial reporting.
3. Key audit findings
A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.
This chapter outlines the overall trends in governance and internal controls across councils, county councils and joint organisations in 2022–23.
Financial audits focus on key governance matters and internal controls supporting the preparation of councils’ financial statements. Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues are reported to management and those charged with governance through audit management letters. These letters include our observations with risk ratings, related implications, and recommendations.
Section highlights
- Total number of audit findings reported in audit management letters increased from 1,045 in 2021–22 to 1,131 in 2022–23.
- Governance, asset management and information technology comprise of 65% (2021–22: 65%) of findings and continue to be key areas requiring improvement.
- Total number of high-risk audit findings decreased from 94 in 2021–22 to 91 in 2022–23.
- Fifty-nine per cent of total high-risk findings in 2022–23 were repeat findings. Fourteen per cent of these high-risk findings were escalated from unactioned moderate risk findings in 2021–22. We continue to recommend councils and those charged with governance track progress of implementing recommendations from our audits.
- Fifty (2021–22: 63) councils do not have basic governance and internal controls to manage cyber security. We continue to recommend all councils create a cyber security plan to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines – Local Government’ released by the Office of Local Government.
Total number of findings reported in audit management letters increased
The following shows the overall findings of the 2022–23 audits reported in management letters compared with the previous year.
* Includes three findings relating to prior year audits finalised after ‘Local Government 2021’ was published.
** Includes three findings relating to prior year audits finalised after ‘Local Government 2022’ was published.
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
Findings are classified as new, repeat or ongoing, based on:
- new findings first reported in 2022–23 audits
- repeat findings are those first reported in prior year audits, but remain unresolved in 2022–23
- ongoing findings first reported in prior year audits, but the dates to address the findings are after 2022–23.
In rating the risk of audit findings, we assess the likelihood and consequence of the finding having regard to the length of time the issue remains unresolved. The likelihood a weakness will be exploited increases the longer it remains unresolved. Additionally, the lack of timeliness in resolving issues may indicate systemic issues and/or poor governance practices that warrant an increase in the consequence level. Accordingly, unresolved issues from prior periods are reassessed annually. This reassessment may lead to an increase in the risk rating of audit findings.
Findings are categorised as:
- governance
- asset management*
- information technology
- financial reporting
- financial accounting
- purchases and payables
- payroll
- cash and banking
- revenue and receivables.
* Accounting for the recording and valuation of assets in accordance with Accounting Standards.
The following table shows the breakdown of audit findings for the 2022–23 audits based on the defined categories and risk ratings.
Category | Total findings | High | Moderate | Low |
Governance* | 210 | 13 | 125 | 72 |
Asset management | 266 | 48 | 183 | 35 |
Information technology | 262 | 17 | 204 | 41 |
Financial reporting | 62 | 7 | 38 | 17 |
Financial accounting | 76 | 1 | 51 | 24 |
Purchases and payables | 71 | 4 | 44 | 23 |
Payroll | 77 | -- | 43 | 34 |
Cash and banking | 42 | -- | 24 | 18 |
Revenue and receivables | 65 | 1 | 33 | 31 |
Total | 1,131 | 91 | 745 | 295 |
* Includes three findings relating to the 2021–22 audit finalised after the ‘Local Government 2022’ was published.
The high-risk and common audit findings across these areas are explored further in this chapter.
3.1 Governance
Governance is the framework of rules, processes and systems to enable organisations to achieve goals and comply with legal requirements. Good governance promotes public confidence in the integrity and effectiveness of councils’ systems and operations. The Annual Work Program 2023–26 highlights the following aspects of integrity expected in systems and processes to support good governance:
- maintain accurate and complete records, especially records of key decisions
- identify, manage and escalate risks
- manage conflicts of interest and implement fraud and corruption controls
- apply and document authorisations and delegations
- implement effective information technology controls including cyber security controls
- track and implement recommendations.
Governance findings increased from 177 to 210
Audit management letters reported 210 findings relating to governance (2021–22: 177 findings). Thirty-seven per cent were repeat findings (2021–22: 63%).
* Includes three findings relating to the 2021–22 audit finalised after the ‘Local Government 2022’ was published.
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
Thirteen high-risk findings were reported across the control deficiency areas as detailed in the table below.
Control deficiency* | Council/Joint Organisation | Status |
Business continuity plan | ||
Lack of formal business continuity plan | Weddin | Ongoing – prior year finding with due date after 30 June 2023 |
Compliance with legislation/policy | ||
Missed statutory deadline/approved extension date | Cessnock City | New – first reported in current year. |
Non-compliance with the LG Act and LG Regulation | New England | Ongoing – prior year finding with due date after 30 June 2023 |
Inappropriate use of externally restricted cash | Kiama | New – first reported in current year. |
Weddin | New – first reported in current year. | |
Gwydir Shire | Repeat – prior year finding not fully addressed. | |
Breach of policy by not externally restricting enough of the residential aged care bond | Kiama | New – first reported in current year. |
Conflicts of interest | ||
Inappropriate conflicts of interest disclosure | Kiama | New – first reported in current year. |
Fraud and corruption | ||
No fraud control policy and plan | Gwydir Shire | Repeat – prior year finding not fully addressed. |
Moree Plains | Repeat – prior year finding not fully addressed. | |
No fraud health checks/risk assessments | Moree Plains | Repeat – prior year finding not fully addressed. |
Warren Shire | New – first reported in current year. | |
Staff not required to annually attest to compliance with the code of conduct | Moree Plains | Repeat – prior year finding not fully addressed. |
Warren Shire | New – first reported in current year. | |
Gifts and benefits | ||
Weak gifts and benefits policy | Warren Shire | Repeat – prior year finding not fully addressed. |
Legislative compliance register | ||
No centralised register of compliance obligations | Lismore | Repeat – prior year finding not fully addressed. |
Risk management framework/policy | ||
No robust risk and compliance processes and framework | Hunter | Repeat – prior year finding not fully addressed. |
Warren Shire | Repeat – prior year finding not fully addressed. |
* Additional audit procedures were performed to respond to and address the weakness identified.
Common findings
The common governance findings reported in audit management letters were deficiencies in corporate governance policies, fraud controls and legislative compliance.
Key governance policies were not in place or regularly updated
The common areas where councils and joint organisations had missing or out-dated governance policies are summarised below.
Governance policy areas (absent or out-dated) | Number of councils/joint organisations |
Risk management | 15 |
Contract management | 58 |
Legislative compliance policy | 47 |
Business continuity plan | 31 |
Crisis management plan | 38 |
Gifts and benefits | 17 |
Public interest disclosures | 12 |
Policies not reviewed and updated | 50 |
Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.
Further issues were identified in contract management for 30 councils (2021–22: 23). While councils had contract management policies in place, we identified deficiencies in contract management practices and contract register management. These increase the risk of non-compliance with the Government Information (Public Access) Act 2009 (GIPA Act) or contractual terms.
The Information and Privacy Commission issued its report on local government GIPA compliance report in June 2023. The Commission found most councils had improved compliance with mandatory reporting requirements, such as making returns of interest by councillors and designated persons publicly available and easy to access. However, it was reported six councils have wilful disregard for duties and the public’s right to know.
Thirty-one councils have outdated or no business continuity plan
Thirty-one councils and joint organisations do not have a business continuity plan (BCP), or have an outdated business continuity plan. Ninety-five councils with BCPs in place recently tested the plans. However, testing at 17 councils was limited to testing information and technology elements of the BCPs. Twenty-three councils have not recently tested their BCPs.
Business continuity plans are a widespread mechanism used by organisations to ensure they are prepared to respond effectively to disruptions, such as natural disasters. Business continuity management involves developing, implementing and maintaining policies, frameworks and programs to assist an organisation to manage business disruptions. Plans should be tested regularly to provide confidence they will be reliable during an actual event, and to provide feedback for continuous improvement.
All councils are required to appropriately assess and manage risks under the Local Government Act 1993. The Department of Planning, Housing and Infrastructure published ‘Risk Management and Internal Audit for Local Government in NSW’ in December 2022. These guidelines are mandatory from 1 July 2024 and will require:
- the Audit Risk and Improvement Committee and internal audit to be responsible for the review of the effectiveness of business continuity arrangements, including business continuity plans, disaster recovery plans and the periodic testing of these plans
- risk management be a core responsibility of all senior management of council.
Forty councils do not have a crisis management plan in place
Forty councils and joint organisations do not have a separate crisis management plan in place or a BCP which covers crisis management.
A crisis management plan outlines how your business will react if a crisis occurs. The plan should identify who will act and what their roles will be. The goal of a crisis management plan is to minimise damage and restore business operations as quickly as possible. A crisis management plan can be within the business continuity plan or a separate plan.
Deficiencies in fraud control processes at councils and joint organisations
Deficiencies in fraud control processes identified at councils are summarised in the table below.
Fraud control deficiencies | Number of councils/joint organisations |
No fraud awareness training | 44 |
No fraud risk assessment | 46 |
No fraud and corruption prevention policy, or it was outdated | 21 |
Staff not required to annually attest to compliance with the code of conduct | 85 |
Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.
One hundred and twenty-seven councils have an ARIC
Four councils, two county councils and eight joint organisations did not have an Audit, Risk and Improvement Committee (ARIC) in place at 30 June 2023. ARICs are an important contributor to good governance. They help councils to manage and mitigate their strategic risks. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.
Without an effective ARIC, there is a lack of independent oversight on how a council is functioning and managing risk.
The Office of Local Government has issued comprehensive ‘Guidelines for Risk Management and Internal Audit for Local Government in NSW’ to assist councils and joint organisations to implement these requirements by 1 July 2024. Joint organisations can apply for an exemption from requirements.
ARICs can be more effective in discharging their functions
Whilst the guidelines are not mandatory till 1 July 2024 they provide a framework for ARICs to work towards so they are more effective in discharging their functions and managing councils’ risks including:
- cyber risk management (refer to Section 3.3) including 18% of councils that have not communicated cyber risk with those charged with governance or ARICs
- tracking the progress of implementing recommendations from financial audits, performance audits and public inquires
- prioritising tracking of repeat and high-risk audit findings. The 2022–23 audit management letters highlighted that 40% of total audit findings from prior years had not been actioned
- ensuring management appropriately certify the effectiveness of internal controls supporting the financial statements. Only 49 ARICs obtained this certification
- reviewing the financial statements for quality prior to submission for audit. This was performed by 80 ARICs.
3.2 Asset management
Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as recording and valuing assets in accordance with Australian Accounting Standards.
Asset management findings decreased from 267 to 266
Audit management letters reported 266 findings relating to asset management (2021–22: 267). Forty-three per cent (113 findings) were repeat findings, (2021–22: 52%, 157 repeat findings).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
High-risk findings decreased from 55 to 48 in 2022–23. There were 33 (2021: 45) repeat findings with no repeat moderate findings elevated to high risk.
Thirty-six councils with unrecorded vested rural firefighting equipment had a high-risk finding
Councils with unrecorded statutorily vested rural firefighting equipment, where insufficient procedures have been undertaken to verify the value, had a high-risk finding reported in their management letters. Six councils with high-risk findings in 2021–22 relating to the non-recognition of rural firefighting equipment either recognised the assets or addressed the issue in 2022–23 by performing sufficient procedures to verify that the value of these assets was not material to the financial statements taken as a whole.
2022–23 councils with high-risk findings for unrecorded rural firefighting equipment | |||
Bathurst Regional | Cootamundra-Gundagai Regional | Lachlan Shire | Snowy Valleys |
Bega Valley Shire | Dungog Shire | Leeton Shire | Tamworth Regional |
Bellingen Shire | Edward River | Lockhart Shire | Temora Shire |
Bland Shire | Federation | Mid‑Western Regional | Tenterfield Shire |
Cabonne | Greater Hume Shire | Moree Plains Shire | Upper Lachlan Shire |
Carrathool Shire | Griffith City | Murray River | Wagga Wagga City |
Cessnock City | Hilltops | Murrumbidgee | Warrumbungle Shire |
Clarence Valley | Junee Shire | Queanbeyan‑Palerang Regional | Weddin Shire |
Coolamon Shire | Kempsey Shire | Snowy Monaro Regional | Yass Valley |
Other high-risk findings
Twelve (2021–22: 12) other high-risk findings across the control deficiency areas are detailed in the table below.
Control deficiency* | Council | Status |
Asset management | ||
Untimely capitalisation of completed projects and no work-in-progress additions listing could be produced. | Shoalhaven City | New – first reported in current year |
Insufficient evidence to support the completeness and accuracy of road assets | Snowy Monaro | New – first reported in current year |
Infrastructure, property, plant and equipment valuation | ||
Incomplete fair value assessment | Bega Valley Shire | New – first reported in current year |
Incorrect fair value calculation | Armidale Regional | New – first reported in current year |
Outdated comprehensive valuation exercise | Bega Valley Shire | Repeat – prior year finding not fully addressed |
Cessnock City | New – first reported in current year | |
Insufficient evidence to support valuation key inputs (e.g. asset useful lives) | Cessnock City | New – first reported in current year |
Insufficient management oversight of valuer’s work, including lack of documentation to support key assumptions and judgements | Cessnock City | Repeat – prior year finding not fully addressed |
Shoalhaven City | New – first reported in current year | |
Inaccurate and incomplete asset records | Armidale Regional | New – first reported in current year |
Shoalhaven City | New – first reported in current year | |
Strathfield Municipal** | New – first reported in current year | |
Inadequate impairment assessment for natural disaster | Tenterfield Shire | New – first reported in current year |
Valuation of landfill/remediation provision | ||
Outdated key inputs to value the landfill remediation provision | Cobar Shire | Repeat – prior year finding not fully addressed |
Singleton | New – first reported in current year |
* Additional audit procedures were performed to respond to and address the weakness identified.
** Finding resolved post 30 June 2023.
Common findings
The common asset management findings reported in audit management letters were deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.
Fixed asset register issues at 43 councils
Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.
Fixed asset register issues reported in audit management letters | Number of council |
Council did not maintain an accurate and complete fixed asset register. This included:
| 26 |
Council did not regularly update the fixed asset register for additions and disposals. | 23 |
Asset registers were not maintained in a secure format (for example, use of unlocked spreadsheets or multiple unreconciled systems). | 10 |
We continue to identify weak processes over updating, maintaining and securing fixed asset registers. Asset registers are not accurate and complete, there are duplicate or missing assets, and asset registers are not being reconciled with the asset management systems.
Prior period errors continue to predominately relate to the quality of asset records and asset valuation errors such as found and duplicate assets.
Deficiencies in infrastructure asset revaluation processes at 48 councils
Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.
Deficiencies were identified in infrastructure asset valuations at 48 councils, including:
- not annually assessing useful lives, condition and possible impairment, and fair value for all asset classes
- inadequate documentation to support key assumptions and judgements applied including:
- useful life assessments
- condition and impairment assessments
- fair value assessments
- unit rates
- incorrect classification of assets
- incorrect exclusion of some assets from valuations
- management not documenting their quality review over the asset valuation
- errors in annual fair value assessments when applying indices to adjust fair values
- deficiencies in the annual fair value assessment process.
Councils need to improve their valuation process and perform valuations earlier
Performing asset valuations earlier gives time for management and auditors to complete procedures and identify potential issues before the financial statements are prepared, and can improve timeliness of financial reporting. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results’:
- 43 (2021–22: 45) councils completed infrastructure, property, plant and equipment valuations before 30 June 2023
- 22 (2021–22: 36) councils performed fair value assessments of infrastructure, property, plant and equipment before 30 June 2023.
Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:
Improvements to council landfill rehabilitation accounting practices required at 27 councils
Australian Accounting Standards require recognition of a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when those outflows can be reliably measured. Such provisions should be assessed annually for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.
Common findings identified in council landfill rehabilitation accounting practices include:
- no formal assessment of legal and other obligations to rehabilitate landfill sites
- insufficient documentation of liability calculations to support inputs, assumptions and key data for accounting for rehabilitation provisions
- costs associated with post closure, aftercare and monitoring of landfill sites excluded from the assessment.
3.3 Information technology (IT)
Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure confidentiality, and integrity of systems and data. These controls underpin the integrity of financial reporting.
Financial audits involve the review of IT general controls relating to key financial systems supporting the preparation of council financial statements, addressing:
- policies and procedures
- IT risk management
- privileged user access restriction and monitoring
- user access management
- system software acquisition, change and maintenance
- disaster recovery planning
- cyber security and patch management.
IT findings increased from 236 to 262
Audit management letters reported 262 findings relating to IT (2021–22: 236). Fifty-one per cent (134 findings) were repeat or ongoing findings (2021–22: 73%)
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
Seventeen high-risk findings were reported across the control deficiency areas as detailed in the table below.
Control deficiency* | Council/Joint Organisation | Status |
Policies and procedures | ||
Absence of or outdated policies and procedures | Dungog Shire | Repeat – prior year finding not fully addressed |
Hunter | Repeat – prior year finding not fully addressed | |
Liverpool Plains Shire | Repeat – prior year finding not fully addressed | |
Uralla Shire | Repeat – prior year finding not fully addressed | |
Walcha | Repeat – prior year finding not fully addressed | |
Warren Shire | Repeat – prior year finding not fully addressed | |
Cootamundra-Gundagai Regional | New – first reported in current year | |
Eurobodalla Shire | New – first reported in current year | |
Upper Lachlan Shire | New – first reported in current year | |
Yass Valley | New – first reported in current year | |
Privileged user restriction and monitoring | ||
No formal privileged user activity review | Bayside | Repeat – prior year finding not fully addressed |
City of Parramatta | Repeat – prior year finding not fully addressed | |
Dubbo Regional | Repeat – prior year finding not fully addressed | |
Dungog Shire | Repeat – prior year finding not fully addressed | |
Mid-Coast | Repeat – prior year finding not fully addressed | |
Sutherland Shire | Repeat – prior year finding not fully addressed | |
Wagga Wagga City | Repeat – prior year finding not fully addressed | |
Warren Shire | Repeat – prior year finding not fully addressed | |
Cootamundra-Gundagai Regional | New – first reported in current year | |
Eurobodalla Shire | New – first reported in current year | |
Upper Lachlan Shire | New – first reported in current year | |
User access management | ||
No periodic review of user access rights to ensure access levels are commensurate with job responsibilities | Dungog Shire | Repeat – prior year finding not fully addressed |
Mid-Coast | Repeat – prior year finding not fully addressed | |
Sutherland Shire | Repeat – prior year finding not fully addressed | |
Warren Shire | Repeat – prior year finding not fully addressed | |
Cootamundra-Gundagai Regional | New – first reported in current year | |
Eurobodalla Shire | New – first reported in current year | |
Upper Lachlan Shire | New – first reported in current year | |
Yass Valley | New – first reported in current year | |
Password | ||
Inappropriate parameters and account lockout configurations | Dungog Shire | Repeat – prior year finding not fully addressed |
Warren Shire | Repeat – prior year finding not fully addressed | |
Cootamundra-Gundagai Regional | New – first reported in current year | |
Backup and restoration | ||
Backups are performed but no formal periodic checking if they can be restored | Maitland City | Repeat – prior year finding not fully addressed |
Disaster recovery planning | ||
Absence of or outdated disaster recovery planning policies and procedures | Cootamundra-Gundagai Regional | New – first reported in current year |
Eurobodalla Shire | New – first reported in current year | |
Maitland City | Repeat – prior year finding not fully addressed | |
Cybersecurity | ||
Absence of or outdated cyber risk policy or framework | Dungog Shire | Repeat – prior year finding not fully addressed |
Hunter | Repeat – prior year finding not fully addressed | |
Uralla Shire | Repeat – prior year finding not fully addressed | |
Warren Shire | Repeat – prior year finding not fully addressed | |
Walcha | Repeat – prior year finding not fully addressed | |
No established formal roles and responsibility over cyber security | Dungog Shire | Repeat – prior year finding not fully addressed |
Warren Shire | Repeat – prior year finding not fully addressed | |
Cyberattack not included in risk register | Warren Shire | Repeat – prior year finding not fully addressed |
Eurobodalla Shire | New – first reported in current year | |
No cyber incidents register | Dungog Shire | Repeat – prior year finding not fully addressed |
No cybersecurity penetration testing | Warren Shire | Repeat – prior year finding not fully addressed |
No training provided to staff | Warren Shire | Repeat – prior year finding not fully addressed |
* Additional audit procedures were performed to respond to and address the weakness identified.
Common findings
The common IT findings reported in audit management letters were deficiencies in IT policies and procedures, lack of a cyber security framework, and missing controls and gaps in user access management processes.
IT policies and procedures were outdated or not in place at 53 councils
Fifty-three councils (2021–22: 43) did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.
Lack of periodic user access review at 55 councils and insufficient control over privileged users at 38 councils
The following common access management findings were identified:
- 55 councils (2021–22: 28) did not perform a periodic user access review to ensure users’ access to key IT systems was appropriate and commensurate with their roles and responsibilities
- 38 councils (2021–22: 46) had gaps in privileged users’ management process. This includes gaps in restricting privileged users’ access and monitoring logs of privileged users’ activity.
The number of councils with insufficient control over privileged users reduced by 17% as councils addressed previously reported matters.
Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of the unauthorised processing or modifying of transactions, or of sensitive data being stolen. These common findings may be rated high-risk when there are no mitigating controls to prevent or detect unauthorised activity.
Cyber security frameworks and related internal controls were not in place at 50 councils
The NSW Cyber Security Policy states that the term ‘cyber security’ covers all measures used to protect systems and information processed, stored or communicated on systems from compromise of confidentiality, integrity and availability.
The Office of Local Government (OLG) issued ‘Cyber Security Guidelines – Local Government’ referencing the cyber security standards recommended by Cyber Security NSW. OLG strongly encourages compliance with the guidelines, but has not made compliance mandatory. Unlike state sector agencies, there is no requirement to annually report maturity assessments to Cyber Security NSW or to another regulatory body such as the OLG.
As part the Audit Office’s financial audits, cyber security findings were reported for 50 councils (2022–23: 63). Councils should implement the following basic governance and internal controls to help identify and manage cyber security risks:
- having in place a cyber security framework, policy and procedures
- performing regular cyber maturity assessments and gap analysis
- maintaining a register of cyber incidents
- conducting simulated cyber-attack testing (penetration testing)
- having an ongoing cyber security training and awareness program for all staff.
Poor management of cyber security can expose councils to a broad range of risks, including:
- theft of corporate and financial information and intellectual property or money
- service interruptions from a denial-of-service attack
- destruction of data
- costs of repairing affected systems, networks and devices
- legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
- third-party losses when personal information stored on councils’ government systems is used for criminal purposes
- reputational damage.
Our audits have been reporting cyber security findings in management letters since 2019. The table below is limited to the high-level gaps in cyber security controls where we have focussed our audit procedures. While it does not mean all risks are mitigated, it is encouraging that councils have focussed on these gaps and improved cyber security management in these areas. Around two thirds of councils have implemented some of these key cyber security controls since 2019.
Source: Data collection from 30 June 2023 audits.
Fifty councils do not have in place any formal cyber security planning and governance. These councils need to prioritise planning and governing cyber security, based on the OLG’s ‘Cyber Security Guidelines – Local Government’, to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded.
The risks associated with poor cyber security maturity are compounded where councils also have deficiencies in their information technology controls and poor information systems security hygiene.
Recommendation to councils (repeat issue)Councils should prioritise planning and governing cyber security to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines – Local Government’ released by the OLG. |
3.4 Financial reporting
Financial reporting is an important element of good governance. Confidence in, and transparency of public sector decision-making is enhanced when financial reporting is accurate and timely.
Financial reporting findings increase from 42 to 62
Audit management letters reported 62 findings relating to financial reporting (2021–22: 42). Thirty-five per cent were repeat findings (2021–22: 55%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
Seven high-risk findings were reported at the following councils.
Control deficiency* | Council/Joint Organisation | Status |
Poor quality financial statements submitted for audit | Cessnock City | Repeat – prior year finding not fully addressed |
Clarence Valley | Repeat – prior year finding not fully addressed | |
Kempsey Shire | Repeat – prior year finding not fully addressed | |
Shoalhaven City | Repeat – prior year finding not fully addressed | |
Snowy Monaro | Repeat – prior year finding not fully addressed | |
Canberra Region | New – first reported in current year | |
Lack of documentation and management review of judgements and assumptions used in financial reporting | Hilltops | New – first reported in current year |
* Additional audit procedures were performed to respond to and address the weakness identified.
Common findings
Common findings across councils include:
- Financial statements submitted for audit contained numerous errors and disclosure deficiencies.
- Lack of preparation for the audit, such as not having a financial reporting plan, impacted the timeliness of financial reporting at 15 (2021–22: 18) councils.
- Two (2021–22: 8) councils had deficiencies in related parties’ policies and disclosures.
- Five (2021–22: 2) councils had deficiencies in infrastructure, property, plant and equipment note disclosure.
Further analysis and insights on financial reporting findings are detailed in Chapter 2 ‘Audit results’.
3.5 Financial accounting
Financial accounting refers to the processes adopted by management to record and review financial information across the business. Councils use a combination of manual and automated processes and digital information systems to process financial information. Effective processes support the accuracy and completeness of information presented in the financial statements.
Financial accounting findings increased from 66 to 76
Audit management letters reported 76 findings relating to financial accounting (2021–22: 66). Thirty per cent were repeat findings (2021–22: 50%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
One repeat high-risk finding was reported at the following council.
Control deficiency | Council | Status |
Segregation of duties over the preparation and review of manual journals | Dungog Shire | Repeat – prior year finding not fully addressed |
Common findings
The common financial accounting findings reported in audit management letters were control deficiencies performing key account reconciliations and processing manual journal adjustments.
Lack of segregation of duties with manual journal adjustments at 12 councils
There was a lack of segregation of duties over the posting of manual journal adjustments to financial ledgers at 12 councils. An independent review and authorisation of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.
Key account reconciliations were not prepared in a timely manner or independently reviewed
Regular reconciliations of financial information, with appropriate review processes help to identity and resolve discrepancies between different systems and records, preserves integrity of financial statements and can identify fraud. Our audits identified:
- There was no evidence of independent review of key account reconciliations at 18 councils.
- Twenty-eight councils did not perform timely reconciliations of all key balances in the financial statements.
3.6 Purchases and payables
Councils spend substantial funds each year to procure goods and services. It is important there is appropriate probity, accountability and transparency in procurement to reduce the risk of unauthorised purchases, corrupt and fraudulent behaviour, and value for money not being achieved.
Purchases and payables findings decreased from 77 to 71
Audit management letters reported 71 findings relating to purchases and payables (2021–22: 77). Forty-seven per cent were repeat findings (2021–22: 49%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
Four high-risk findings as detailed in the table below.
Control deficiency | Council/Joint Organisation | Status |
Lack of segregation of duties | Liverpool Plains Shire | Repeat – prior year finding not fully addressed |
Approved transactions above delegation limit | Albury City | New – first reported in current year |
Lack of robust controls and governance in procurement | Hunter | New – first reported in current year |
Non-compliance with the LGA Act tendering requirements | Hunter | Repeat – prior year finding not fully addressed |
Common findings
The common purchases and payables findings reported in audit management letters were weak purchase order controls and a lack of review of vendor master file changes.
At three councils (2021–22: 35), employees could approve their own purchase orders. At four councils (2021–22: 44), purchase orders were approved without appropriate delegation. Segregation of duties and appropriate delegation in procurement help to reduce the risk of fraud and misuse of public money.
Purchase orders were approved after the receipt of goods or services at 19 councils (2021–22: 56). Purchase orders should be generated and approved before staff order goods or services to reduce the risk of unauthorised or fraudulent transactions.
Insufficient review of changes to creditor information at six councils
Six (2021–22: 13) councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Cyber-crime is on the rise increasing the risk of control weaknesses being exploited.
3.7 Payroll
Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award. Payroll processes and information systems should protect the integrity of employee records and timesheet data to ensure accurate payments to employees and leave entitlement calculations.
Payroll findings decreased from 82 to 77
Audit management letters reported 77 findings relating to payroll processes (2021–22: 82). Forty-seven per cent were repeat findings (2021–22: 65%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
There were no high-risk findings related to payroll in 2022–23 (2021–22: nil).
Common findings
The common payroll findings reported in audit management letters were deficiencies in the review of employee payroll data.
Twelve councils are not reviewing changes to employee payroll data
Twelve councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils. Cyber criminals are increasingly attempting to exploit vulnerabilities in payroll processes and controls.
3.8 Cash and banking
Councils process a high volume of transactions each year. Effective controls over cash collection, disbursements and reconciliations reduce the risk of fraud and error.
Audit management letters reported 42 findings relating to cash and banking (2021–22: 29). Twenty-four per cent were repeat findings (2021–22: 41%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
There were no high-risk findings related to cash and banking in 2022–23 (2021–22: 2).
Common findings
The common cash and banking findings reported in audit management letters were outdated bank signatories, the lack of segregation of duties in the cash handling process and the lack of security of payment files.
Outdated bank signatories at eight councils
Expired bank signatories are not being removed on a timely basis. Eight councils had former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.
Deficiencies in the cash handling processes at five councils
Deficiencies in the cash handling process were identified at five councils, including lack of daily cashier reconciliation and lack of segregation of duties. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.
Lack of security of payment files for pay runs at one council
One council did not encrypt Electronic Funds Transfer payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.
3.9 Revenue and receivables
Councils receive revenue from a range of different sources, including rates and annual charges, user charges and fees, operating and capital grants and contributions, and other revenue (such as interest, investments and asset disposals). Councils require appropriate internal controls to accurately record revenue and receivables in compliance with accounting standards and legal requirements.
Revenue and receivable findings decreased from 69 to 65
Audit management letters reported 65 findings relating to revenue and receivables (2021–22: 69). Thirty per cent were repeat findings (2021–22: 42%).
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.
High-risk findings
One high-risk finding was reported at the following joint organisation.
Control deficiency | Joint Organisation | Status |
Lack of assessment of revenue recognition for each significant grant | Illawarra Shoalhaven | New – first reported in current year |
Common findings
The common revenue and receivables findings reported in audit management letters were deficiencies in revenue recognition, weak revenue processes such as lack of review when updating of fees and charges resulting in undercharging customers and ratepayers, and not reconciling subsidiary and general ledgers.
Inappropriate revenue recognition at 35 councils
Thirty-five councils (2021–22: 16) had gaps in revenue recognition practices, including:
- not formally assessing grant funding against measurement criteria under AASB 15 ‘Revenue from Contracts with Customers’ and AASB 1058 ‘Income of Not-for-Profit-Entities’ leading to errors in the financial statements
- not reconciling the grant register and not keeping it up to date
- errors in applying AASB 16 ‘Leases’ for rental income recognition.
Deficiencies in revenue recognition practices resulted in 25 errors identified in councils’ financial statements, totalling $22 million.
Appendices
Appendix two – NSW Crown Solicitor’s advice
Appendix three – Status of previous recommendations
Appendix four – Status of audits
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.