Councils provide a range of services and infrastructure for a geographical area. Services include waste collection, planning, child and family day care, and recreational services. Councils also build and maintain infrastructure, including roads, footpaths, stormwater and in many regional and rural areas water and sewer. While core functions, such as waste collection, are similar across councils, the range of services each council provides can vary depending on the needs of each community.

County councils were established for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.

Joint organisations were formed in regional New South Wales to improve infrastructure and service delivery in regional communities.

Indicators of quality financial reporting include:

• unqualified audit opinions
• low number of errors, including disclosure deficiencies, in financial statements.

Audit opinions

Unqualified audit opinions were issued for 105 councils and joint organisations

At the date of this report, we issued unqualified audit opinions for the 2022–23 financial statements of 85 councils, eight county councils and 12 joint organisations. This means sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement and were prepared in accordance with Australian Accounting Standards and the LG Act.

Unqualified audit opinions were issued for the 2021–22 financial statements of Canberra Region Joint Organisation and Hunter Joint Organisation, after tabling of the ‘Local Government 2022’ report.

Disclaimer of opinion for Kiama Municipal Council’s 30 June 2022 financial statements

Councillors and management declared, in the Statement required by Councillors and Management under Section 413(2)(c) of the LG Act, that they were unable to:

• rely on the prior year comparative information presented, which represent the opening balances for the 2021–22 financial statements
• warrant the completeness, accuracy and valuation of the net carrying values of infrastructure, property, plant and equipment (IPPE), excluding buildings and operational land
• attest to the completeness, accuracy and valuation of disclosures related to IPPE
• verify the accuracy of restricted cash, cash equivalents and investments
• certify the financial statements as a whole due to these issues.

A disclaimer of opinion was issued for the 30 June 2022 financial statements of the Kiama Municipal Council.

A disclaimed audit opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence upon which to form an opinion on the council’s financial statements, and the auditor concludes that the possible effects of undetected misstatements in the financial statements could be both material and pervasive.

An emphasis of matter was also included to draw attention to externally restricted funds being used for a purpose other than their intended use without Ministerial approval.

In November 2022, the former Minister issued a performance improvement order setting out actions to be taken to improve Council’s financial management.

Disclaimer of opinion for Narrabri Shire Council’s 30 June 2022 financial statements

Councillors and management declared, in the Statement required by Councillors and Management under Section 413(2)(c) of the LG Act, that the underlying books and records were insufficient to support significant balances impacted by multiple flood events and disclosures. These included:

• carrying value of capital work in progress
• carrying value of road assets
• validity of prior period errors recorded in the financial statements.

A disclaimer of opinion was issued for the 30 June 2022 financial statements of Narrabri Shire Council.

Non-recognition of vested rural firefighting equipment by councils led to 36 qualified audit opinions

Thirty-six councils (2021–22: 43) received qualified audit opinions on their 2022–23 financial statements due to non-recognition of vested rural firefighting equipment as assets within their financial statements at 30 June 2023. These qualified audit opinions took different forms depending on the circumstances surrounding the non-recognition, as follows:

• 34 councils imposed a limitation of scope on the audit by not undertaking procedures to confirm the completeness, accuracy, existence or condition of the equipment
• 2 councils for omitting material assets in their financial statements, despite undertaking procedures to confirm the completeness, accuracy, existence, and condition of the equipment.

A qualified audit opinion is issued when the auditor:

• having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements, or
• is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the possible effects of undetected misstatements on the financial statements are material but not pervasive.

The 2022 qualified opinions on six councils were removed as they addressed audit recommendations. The remaining council has an extension and is not reported in this chapter.

Refer to Appendix five for a list of councils with qualified audit opinions in 2022–23 relating to rural firefighting equipment.

The continued non-recognition of vested rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed. Councils that have rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997 (Rural Fires Act), should recognise these assets in their financial management systems and maintain the assets to the required standards in readiness for fire mitigation and prevention activities.

Councils have specific responsibilities for fire mitigation and safety works and bush fire hazard reduction under Part 4 of the Rural Fires Act. The Council obtains economic benefits from the rural firefighting equipment as these assets are used to fulfil Council’s responsibilities. 

In accordance with the Australian Accounting Standards, vested rural firefighting equipment is recorded as an asset and contribution revenue for assets acquired free of charge so there is no cash impact. Over the useful life of the asset, the revenue is offset by the depreciation charge. There is no impact on cash or net assets at the end of the asset’s useful life.

Twenty councils performed sufficient procedures to confirm the value of these assets was not material to their financial statements and received unqualified audit opinions

Twenty councils do not record rural firefighting equipment in their financial statements, but performed sufficient procedures to demonstrate the value of unrecorded assets was not material to the financial statements taken as a whole. These omissions were reported as an uncorrected error. The risk of future qualifications remains as the value may become material to the financial statements as further firefighting equipment is vested to them in future years. There is also a heightened risk that these important assets are not being properly maintained and managed for operational purposes.

Forty-nine councils recognised their rural firefighting equipment, two of these for the first time

Forty-nine (2021–22: 47) councils recognised vested rural firefighting equipment in their financial statements, with two councils recognising the equipment in their financial statements for the first time in 2022–23.

The continuing inconsistency in the recognition and management practices for rural firefighting equipment across the local government sector puts at risk the operational capability for the deployment of these assets.

The Office of Local Government has updated the ‘Local Government Code of Accounting Practice for 2023–24’ to require councils to recognise material rural firefighting equipment in the financial statements.

Two councils received qualified audit opinions

In addition to receiving qualified audit opinions for non-recognition of vested rural firefighting equipment, two councils received other qualifications in the Independent Auditor’s Reports for the 2022–23 financial statements. The table below includes the reasons for these qualified audit opinions.

Emphasis of matter paragraphs were included in four audit opinions

An emphasis of matter paragraph is included in the Independent Auditor’s Report to refer to a matter presented or disclosed in the financial statement that we deem is fundamental to the understanding of the financial statements. The table below details the emphasis of matter paragraphs reported in the Independent Auditor’s Reports for the 2022–23 financial statements.

Other matter paragraphs were included in two audit opinions

An other matter paragraph is included in the Independent Auditor’s Report to refer to a matter not presented in the financial statements that we deem relevant to the understanding of the audit, the auditor’s responsibilities or the auditor’s report.

The table below details the other matter paragraph reported in the Independent Auditor’s Report for the 2022–23 financial statements.

The audit of the City of Ryde was delayed while we considered a significant audit matter relating to the use and management of restricted cash and investments

On 26 May 2023, Council wrote to the Auditor-General for NSW, highlighting several matters concerning the management of funds held in restricted cash and investments. The letter highlighted several potential breaches of legislation in relation to the movement and expenditure of funds collected under developer contribution plans, voluntary planning agreements and for domestic waste management, and set out the main steps Council was taking to address the matters noted. The matters raised ultimately did not impact our opinion on Council’s 2023 financial statements, which was issued on 28 February 2024, but did require significant analysis as to interpretation of the legal view and the requirements of the accounting framework.

In 2020–21, Council moved $88 million from its externally restricted cash and investments

Council adopted a new developer contributions plan (referred to as the 2020 Plan), effective 1 July 2020, and repealed its old plan (referred to as the 2014 Plan). Following the repeal of the 2014 Plan, Council moved $88 million of funds collected under the 2014 Plan from its externally restricted cash and investments from developer contributions. Council moved:

• $35.5 million to the Ryde Central Reserve, as an internal allocation, which was not spent
• $52.5 million to the Asset Expansion Reserve, as an internal allocation. Council identified that the funds were largely spent on projects identified in the 2014 or 2020 Plans. However, $11.6 million of these funds was spent on projects not identified in either of these plans, but provided amenities or services to the community in accordance with Council’s Delivery Program.

In 2021–22, Council also transferred $1.1 million from its externally restricted cash and investments to the employee leave entitlement reserve, as an internal allocation, which was not spent.

In 2020–21, Council provided the Audit Office with a piece of legal advice as evidence to support its disclosures within its 2020–21 and 2021–22 financial statements. This advice, from 2016, dealt with certain matters around expenditure of what were then section 94 contributions under the Environmental Planning and Assessment Act 1979 (EPA Act). While this advice was on another matter, it specifically discusses the principles and case law that might apply to the future use of funds once a contributions plan has been repealed.

Council has received subsequent legal advice on the movement and expenditure of externally restricted cash and investments

Council obtained legal advice on the movements and use of the funds from a legal firm in 2022–23. Council's most recent legal advice, upon which it relied to inform the movements and disclosures within its 2023 financial statements, identified that the transfer of the developer contributions collected under the 2014 Plan and certain expenditures from prior years, noted above, were potential breaches of the EPA Act.

The advice also identified breaches of legislation relating to expenditure in 2020–21:

• $3.7 million from voluntary planning agreement contributions to fund Council’s operations in response to COVID-19 income reductions and software related purchases. This expenditure breached section 7.3 of the EPA Act and section 409(3) of the Act.
• $1 million of domestic waste management funds to fund COVID-19 hardship rates. This expenditure breached sections 504 and 409(3) of the Act.

The Audit Office obtained advice from the Crown Solicitor

We concurred that the expenditure in prior years of the voluntary planning agreement contributions and domestic waste management funds for COVID-19 related purposes was inconsistent with relevant legislation. However, due to the lack of case law precedent and explicit guidance in the EPA Act or Regulation, the movement and use of repealed developer contribution funds is a more complex legal matter.

The Audit Office sought legal advice from the Crown Solicitor about the general application of the law on the use and management of funds collected under repealed development contributions plans (DCPs), and for domestic waste management.

In relation to the use and management of funds collected under repealed DCPs, the Crown Solicitor advised that:

Neither the EPA Act and the EPA regulation, nor present authorities, provide explicit or substantial guidance as to the extent to which a DCP may enable the carrying-over and application of contributions previously collected under a repealed plan. Nor by extension, do they provide significant assistance in determining whether a specific DCP is to be interpreted as permitting this practice.

Some of the principles expressed by the Crown Solicitor differed from those of Council. As a result of these differences and feedback from Council, we sought further advice from the Crown Solicitor on Council's specific circumstances.

Council's movement of these funds back to externally restricted reserves in 2023 is in accordance with its most recent legal advice

We note that to address the potential breaches in prior years detailed above, on 27 June 2023, Council resolved to return:

• $35.5 million from the Ryde Central Reserve to the s7.11 Externally Restricted Reserves
• $1.1 million from Employee Leave Entitlements Reserve to s7.11 Externally Restricted Reserves
• $1.1 million from interest earned in prior years from the Accommodation Reserve to the s7.11 Externally Restricted Reserves.

The same resolution also reimbursed Council's externally restricted reserves for the following amounts:

• $3.7 million related to funds collected under voluntary planning agreements from the Accommodation Reserve to the Voluntary Planning Agreement Reserve
• $1 million of domestic waste management funds from the Accommodation Reserve to the Domestic Waste Management Reserve.

In consideration of Council’s most recent legal advice and the Crown Solicitor’s advice, we supported the transfers of the funds back to externally restricted reserves in 2022–23.

As noted above, we sought and received further specific advice from the Crown Solicitor, to inform our view on whether Council breached legislation in prior years. That advice confirmed the Crown Solicitor’s previous general advice that merely transferring funds to council’s internal reserves did not breach Council’s legal obligations under s7.3(1) of the EPA Act. The Crown Solicitor’s general advice is at Appendix two to this report.

The potential for any breach of legislation did not impact the 2022–23 financial statement disclosures, namely Note C 1-3 ‘Restricted and allocated cash, cash equivalents and investments’, Note F 3-1 ‘Summary of developer contributions’, Note F 3-2 ‘Developer contributions by plan’ and Note F 3-3 ‘Contributions not under plans’, nor did it impact our Independent Auditor’s Report thereon.

The legislative requirements regarding the use of funds from repealed contributions plans would benefit from clarification

One of the key issues highlighted by the matters above, is that there is no specific guidance in the EPA Act or the EPA Regulation that provides for how funds collected under one DCP are to be treated if a contributions plan is repealed, or repealed and replaced by a new contributions DCP. Council's legal advice noted a lack of clarity in the Local Government Code of Accounting Practice and Financial Reporting (the Code). The Crown Solicitor noted a lack of clarity in the legislation:

I nonetheless note that the question would benefit greatly from clarification by way of amendment of the EPA and/or its sundry regulations.

Our recommendations arise from the issues noted by the legal counsel engaged by Council and by the Crown Solicitor.

Errors identified through audits

Uncorrected errors

An uncorrected error is an error identified by the auditor or council in the financial statements, which has not been corrected by council. In our view, errors should be corrected. They are reported to management for this purpose. Management has determined not to correct some errors because they are not material, either individually or in aggregate.

The table below shows the number and value of uncorrected errors by council type for the past two years.

Source: Engagement Closing Reports issued by the Audit Office.

In 2022–23, 46 councils had no uncorrected errors in their financial statements (2021–22: 49).

Of the 242 uncorrected errors, 52 across 48 councils were related to non-financial assets. The common areas where errors were identified are outlined below.

Prior period errors

A prior period error is a misstatement made by council in previous financial years, identified by the auditor or council in the current financial year, which was corrected retrospectively by restating the opening balances in the financial statements.

The table below shows the number and value of prior period errors by council type for the past two years.

Source: Engagement Closing Reports issued by the Audit Office.

Of the 75 prior period errors, ten were greater than $30 million and were asset related. These are detailed in the table below.

Of the 75 prior period errors, 54 across 39 councils were related to non-financial assets. The common causes of prior period errors were similar to those causing current year uncorrected errors, which are reported on the previous page, namely revaluation errors and poor record keeping of asset data. Refer also to Section 3.2, which details our findings in relation to asset management. Unresolved internal control deficiencies can lead to errors in the financial statements.

The graph below shows the submission of audited financial reports by month and type of council. Across all types of councils most were submitting in October 2023.

Refer to Appendix four for further details.

This report does not include the nine incomplete audits

The following audits remain outstanding and the outcomes will be reported in next year’s report to Parliament.

The reasons that councils, county councils and joint organisations sought extensions to submit their financial statements after the statutory deadline are shown below.

Source: Council extension letters submitted to OLG.

The most common reasons councils cited when applying for extensions related to:

• accounting or other matters that required more time to resolve
• resolving asset valuation issues
• council resourcing issues including turnover of key staff.

Refer to Appendix four for the names of each council or joint organisation that received extensions.

Some councils performed early financial reporting procedures

This year, 54% (2021–22: 82%) of councils performed at least some early financial reporting procedures, including:

• completing infrastructure, property, plant and equipment valuations before 30 June (43 councils, 2021–22: 45)
• completing fair value assessments of infrastructure, property, plant and equipment (22 councils, 2021–22: 36)
• assessing the impact of material, complex and one-off significant transactions (23 councils, 2021–22: 49)
• working through unresolved prior year audit issues, with an action plan to resolve them (37 councils, 2021–22: 69)
• documenting significant management judgements and assumptions for estimating transactions and balances (19 councils)
• preparing proforma financial statements and associated disclosures (27 councils, 2021–22: 46).

Early financial reporting procedures can assist councils to meet the statutory deadline and submit audited financial statements to OLG by 31 October. These procedures also help to improve quality of financial reporting by identifying and addressing significant risks, and resolving accounting issues before submitting the financial statements for audit.

Councils can work with the Audit Office to select financial reporting procedures to complete and have audited before 30 June. The planned approach should allow sufficient time for management review and involvement of Audit, Risk and Improvement Committees. This process will allow for audit observations and feedback in time for them to be considered in the year-end financial reporting process.

In addition to the procedures listed above, councils should consider the following early financial reporting procedures:

• quality review of the proforma financial statements and the supporting working papers
• reconciling all key account balances and clearing reconciling items
• assessing accounting implications of significant contracts
• assessing the impact of new and updated accounting standards and preparing supporting working papers.

It is generally accepted that timely year-end financial reporting is an indicator of sound financial management processes. Accordingly, measures aimed at earlier financial reporting should be a priority for both councils and the regulator.

For the past two years, about a third of councils, county councils and joint organisations have not lodged their audited financial statements with OLG by the statutory deadline. To assist with improving timeliness of financial reporting OLG should, after discussing policy changes with the key stakeholders within the sector to ensure benefits can be realised, require early financial reporting procedures.

Fewer councils performed early financial reporting procedures prior to 30 June 2023. Forty-three councils performed procedures over infrastructure, property, plant and equipment (IPPE) valuations. As IPPE is the largest financial statement balance and a significant estimate, coupled with the inflationary environment, early valuation procedures can improve quality and timeliness of financial reporting.

* Includes three findings relating to the 2021–22 audit finalised after the ‘Local Government 2022’ was published.
Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

Thirteen high-risk findings were reported across the control deficiency areas as detailed in the table below.

* Additional audit procedures were performed to respond to and address the weakness identified.

Common findings

The common governance findings reported in audit management letters were deficiencies in corporate governance policies, fraud controls and legislative compliance.

Key governance policies were not in place or regularly updated

The common areas where councils and joint organisations had missing or out-dated governance policies are summarised below.

Corporate governance policies are essential for ensuring councils operate in accordance with external and internal requirements. It is important that the rules, standards and expectations are clearly outlined, and staff are provided adequate guidance to inform their actions.

Further issues were identified in contract management for 30 councils (2021–22: 23). While councils had contract management policies in place, we identified deficiencies in contract management practices and contract register management. These increase the risk of non-compliance with the Government Information (Public Access) Act 2009 (GIPA Act) or contractual terms.

The Information and Privacy Commission issued its report on local government GIPA compliance report in June 2023. The Commission found most councils had improved compliance with mandatory reporting requirements, such as making returns of interest by councillors and designated persons publicly available and easy to access. However, it was reported six councils have wilful disregard for duties and the public’s right to know.

Thirty-one councils have outdated or no business continuity plan

Thirty-one councils and joint organisations do not have a business continuity plan (BCP), or have an outdated business continuity plan. Ninety-five councils with BCPs in place recently tested the plans. However, testing at 17 councils was limited to testing information and technology elements of the BCPs. Twenty-three councils have not recently tested their BCPs.

Business continuity plans are a widespread mechanism used by organisations to ensure they are prepared to respond effectively to disruptions, such as natural disasters. Business continuity management involves developing, implementing and maintaining policies, frameworks and programs to assist an organisation to manage business disruptions. Plans should be tested regularly to provide confidence they will be reliable during an actual event, and to provide feedback for continuous improvement.

All councils are required to appropriately assess and manage risks under the Local Government Act 1993. The Department of Planning, Housing and Infrastructure published ‘Risk Management and Internal Audit for Local Government in NSW’ in December 2022. These guidelines are mandatory from 1 July 2024 and will require:

• the Audit Risk and Improvement Committee and internal audit to be responsible for the review of the effectiveness of business continuity arrangements, including business continuity plans, disaster recovery plans and the periodic testing of these plans
• risk management be a core responsibility of all senior management of council.

Forty councils do not have a crisis management plan in place

Forty councils and joint organisations do not have a separate crisis management plan in place or a BCP which covers crisis management.

A crisis management plan outlines how your business will react if a crisis occurs. The plan should identify who will act and what their roles will be. The goal of a crisis management plan is to minimise damage and restore business operations as quickly as possible. A crisis management plan can be within the business continuity plan or a separate plan.

Deficiencies in fraud control processes at councils and joint organisations

Deficiencies in fraud control processes identified at councils are summarised in the table below.

Effective fraud controls and ethical frameworks help protect councils from events that risk serious reputational damage and financial loss.

One hundred and twenty-seven councils have an ARIC

Four councils, two county councils and eight joint organisations did not have an Audit, Risk and Improvement Committee (ARIC) in place at 30 June 2023. ARICs are an important contributor to good governance. They help councils to manage and mitigate their strategic risks. An effective committee helps councils to build community confidence, meet legislative and other requirements, and meet standards of probity, accountability and transparency.

Without an effective ARIC, there is a lack of independent oversight on how a council is functioning and managing risk.

The Office of Local Government has issued comprehensive ‘Guidelines for Risk Management and Internal Audit for Local Government in NSW’ to assist councils and joint organisations to implement these requirements by 1 July 2024. Joint organisations can apply for an exemption from requirements.

ARICs can be more effective in discharging their functions

Whilst the guidelines are not mandatory till 1 July 2024 they provide a framework for ARICs to work towards so they are more effective in discharging their functions and managing councils’ risks including:

• cyber risk management (refer to Section 3.3) including 18% of councils that have not communicated cyber risk with those charged with governance or ARICs
• tracking the progress of implementing recommendations from financial audits, performance audits and public inquires
• prioritising tracking of repeat and high-risk audit findings. The 2022–23 audit management letters highlighted that 40% of total audit findings from prior years had not been actioned
• ensuring management appropriately certify the effectiveness of internal controls supporting the financial statements. Only 49 ARICs obtained this certification
• reviewing the financial statements for quality prior to submission for audit. This was performed by 80 ARICs.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

High-risk findings decreased from 55 to 48 in 2022–23. There were 33 (2021: 45) repeat findings with no repeat moderate findings elevated to high risk.

Thirty-six councils with unrecorded vested rural firefighting equipment had a high-risk finding

Councils with unrecorded statutorily vested rural firefighting equipment, where insufficient procedures have been undertaken to verify the value, had a high-risk finding reported in their management letters. Six councils with high-risk findings in 2021–22 relating to the non-recognition of rural firefighting equipment either recognised the assets or addressed the issue in 2022–23 by performing sufficient procedures to verify that the value of these assets was not material to the financial statements taken as a whole.

Other high-risk findings

Twelve (2021–22: 12) other high-risk findings across the control deficiency areas are detailed in the table below.

* Additional audit procedures were performed to respond to and address the weakness identified.
** Finding resolved post 30 June 2023.

Common findings

The common asset management findings reported in audit management letters were deficiencies in asset revaluation processes, maintenance of information in asset management systems and landfill rehabilitation accounting practices.

Fixed asset register issues at 43 councils

Maintaining accurate and up-to-date asset data helps councils to make appropriate decisions around asset management. The common issues reported in audit management letters relating to fixed asset registers are summarised below.

We continue to identify weak processes over updating, maintaining and securing fixed asset registers. Asset registers are not accurate and complete, there are duplicate or missing assets, and asset registers are not being reconciled with the asset management systems.

Prior period errors continue to predominately relate to the quality of asset records and asset valuation errors such as found and duplicate assets.

Deficiencies in infrastructure asset revaluation processes at 48 councils

Councils manage a significant range and value of infrastructure, property, plant and equipment. These assets are significant to the financial statements of councils and are subject to management judgements and estimates when determining their fair values. These judgements and estimates often require the assistance of a qualified expert valuer.

Deficiencies were identified in infrastructure asset valuations at 48 councils, including:

• not annually assessing useful lives, condition and possible impairment, and fair value for all asset classes
• inadequate documentation to support key assumptions and judgements applied including:
  • useful life assessments
  • condition and impairment assessments
  • fair value assessments
  • unit rates
• incorrect classification of assets
• incorrect exclusion of some assets from valuations
• management not documenting their quality review over the asset valuation
• errors in annual fair value assessments when applying indices to adjust fair values
• deficiencies in the annual fair value assessment process.

Councils need to improve their valuation process and perform valuations earlier

Performing asset valuations earlier gives time for management and auditors to complete procedures and identify potential issues before the financial statements are prepared, and can improve timeliness of financial reporting. The effective date of the valuation of any asset category can be at any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results’:

• 43 (2021–22: 45) councils completed infrastructure, property, plant and equipment valuations before 30 June 2023
• 22 (2021–22: 36) councils performed fair value assessments of infrastructure, property, plant and equipment before 30 June 2023.

Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following:

Improvements to council landfill rehabilitation accounting practices required at 27 councils

Australian Accounting Standards require recognition of a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and when those outflows can be reliably measured. Such provisions should be assessed annually for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.

Common findings identified in council landfill rehabilitation accounting practices include:

• no formal assessment of legal and other obligations to rehabilitate landfill sites
• insufficient documentation of liability calculations to support inputs, assumptions and key data for accounting for rehabilitation provisions
• costs associated with post closure, aftercare and monitoring of landfill sites excluded from the assessment.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

Seventeen high-risk findings were reported across the control deficiency areas as detailed in the table below.

* Additional audit procedures were performed to respond to and address the weakness identified.

Common findings

The common IT findings reported in audit management letters were deficiencies in IT policies and procedures, lack of a cyber security framework, and missing controls and gaps in user access management processes.

IT policies and procedures were outdated or not in place at 53 councils

Fifty-three councils (2021–22: 43) did not formalise and/or regularly review their key IT policies and procedures. It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.

Lack of periodic user access review at 55 councils and insufficient control over privileged users at 38 councils

The following common access management findings were identified:

• 55 councils (2021–22: 28) did not perform a periodic user access review to ensure users’ access to key IT systems was appropriate and commensurate with their roles and responsibilities
• 38 councils (2021–22: 46) had gaps in privileged users’ management process. This includes gaps in restricting privileged users’ access and monitoring logs of privileged users’ activity.

The number of councils with insufficient control over privileged users reduced by 17% as councils addressed previously reported matters.

Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of the unauthorised processing or modifying of transactions, or of sensitive data being stolen. These common findings may be rated high-risk when there are no mitigating controls to prevent or detect unauthorised activity.

Cyber security frameworks and related internal controls were not in place at 50 councils

The NSW Cyber Security Policy states that the term ‘cyber security’ covers all measures used to protect systems and information processed, stored or communicated on systems from compromise of confidentiality, integrity and availability.

The Office of Local Government (OLG) issued ‘Cyber Security Guidelines – Local Government’ referencing the cyber security standards recommended by Cyber Security NSW. OLG strongly encourages compliance with the guidelines, but has not made compliance mandatory. Unlike state sector agencies, there is no requirement to annually report maturity assessments to Cyber Security NSW or to another regulatory body such as the OLG.

As part the Audit Office’s financial audits, cyber security findings were reported for 50 councils (2022–23: 63). Councils should implement the following basic governance and internal controls to help identify and manage cyber security risks:

• having in place a cyber security framework, policy and procedures
• performing regular cyber maturity assessments and gap analysis
• maintaining a register of cyber incidents
• conducting simulated cyber-attack testing (penetration testing)
• having an ongoing cyber security training and awareness program for all staff.

Poor management of cyber security can expose councils to a broad range of risks, including:

• theft of corporate and financial information and intellectual property or money
• service interruptions from a denial-of-service attack
• destruction of data
• costs of repairing affected systems, networks and devices
• legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
• third-party losses when personal information stored on councils’ government systems is used for criminal purposes
• reputational damage.

Our audits have been reporting cyber security findings in management letters since 2019. The table below is limited to the high-level gaps in cyber security controls where we have focussed our audit procedures. While it does not mean all risks are mitigated, it is encouraging that councils have focussed on these gaps and improved cyber security management in these areas. Around two thirds of councils have implemented some of these key cyber security controls since 2019.

Source: Data collection from 30 June 2023 audits.

Fifty councils do not have in place any formal cyber security planning and governance. These councils need to prioritise planning and governing cyber security, based on the OLG’s ‘Cyber Security Guidelines – Local Government’, to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded.

The risks associated with poor cyber security maturity are compounded where councils also have deficiencies in their information technology controls and poor information systems security hygiene.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

Seven high-risk findings were reported at the following councils.

* Additional audit procedures were performed to respond to and address the weakness identified.

Common findings

Common findings across councils include:

• Financial statements submitted for audit contained numerous errors and disclosure deficiencies.
• Lack of preparation for the audit, such as not having a financial reporting plan, impacted the timeliness of financial reporting at 15 (2021–22: 18) councils.
• Two (2021–22: 8) councils had deficiencies in related parties’ policies and disclosures.
• Five (2021–22: 2) councils had deficiencies in infrastructure, property, plant and equipment note disclosure.

Further analysis and insights on financial reporting findings are detailed in Chapter 2 ‘Audit results’.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

One repeat high-risk finding was reported at the following council.

Common findings

The common financial accounting findings reported in audit management letters were control deficiencies performing key account reconciliations and processing manual journal adjustments.

Lack of segregation of duties with manual journal adjustments at 12 councils

There was a lack of segregation of duties over the posting of manual journal adjustments to financial ledgers at 12 councils. An independent review and authorisation of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements.

Key account reconciliations were not prepared in a timely manner or independently reviewed

Regular reconciliations of financial information, with appropriate review processes help to identity and resolve discrepancies between different systems and records, preserves integrity of financial statements and can identify fraud. Our audits identified:

• There was no evidence of independent review of key account reconciliations at 18 councils.
• Twenty-eight councils did not perform timely reconciliations of all key balances in the financial statements.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

Four high-risk findings as detailed in the table below.

Common findings

The common purchases and payables findings reported in audit management letters were weak purchase order controls and a lack of review of vendor master file changes.

At three councils (2021–22: 35), employees could approve their own purchase orders. At four councils (2021–22: 44), purchase orders were approved without appropriate delegation. Segregation of duties and appropriate delegation in procurement help to reduce the risk of fraud and misuse of public money.

Purchase orders were approved after the receipt of goods or services at 19 councils (2021–22: 56). Purchase orders should be generated and approved before staff order goods or services to reduce the risk of unauthorised or fraudulent transactions.

Insufficient review of changes to creditor information at six councils

Six (2021–22: 13) councils did not perform sufficient review of changes to creditor information in the supplier master file, including bank account details. This increases the risk of transactions paid to incorrect accounts, resulting in financial losses for councils. Cyber-crime is on the rise increasing the risk of control weaknesses being exploited.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

There were no high-risk findings related to payroll in 2022–23 (2021–22: nil).

Common findings

The common payroll findings reported in audit management letters were deficiencies in the review of employee payroll data.

Twelve councils are not reviewing changes to employee payroll data

Twelve councils did not have adequate processes in place to review changes to employee payroll data. This includes instances where changes are reviewed, but not by an independent person. This increases the risk of unauthorised changes or errors remaining undetected, resulting in financial loss to councils. Cyber criminals are increasingly attempting to exploit vulnerabilities in payroll processes and controls.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

There were no high-risk findings related to cash and banking in 2022–23 (2021–22: 2).

Common findings

The common cash and banking findings reported in audit management letters were outdated bank signatories, the lack of segregation of duties in the cash handling process and the lack of security of payment files.

Outdated bank signatories at eight councils

Expired bank signatories are not being removed on a timely basis. Eight councils had former employees listed as an account signatory for bank accounts. This increases the risk of unauthorised transactions.

Deficiencies in the cash handling processes at five councils

Deficiencies in the cash handling process were identified at five councils, including lack of daily cashier reconciliation and lack of segregation of duties. This increases the risk of undetected balancing errors and misappropriation of cash or cheques.

Lack of security of payment files for pay runs at one council

One council did not encrypt Electronic Funds Transfer payment files from editing or sufficiently restrict access to payment files on the network before they were uploaded to online banking portals. This increases the risk of unauthorised or fraudulent transactions.

Source: Audit management letters for 30 June 2022 and 30 June 2023 audits.

High-risk findings

One high-risk finding was reported at the following joint organisation.

Common findings

The common revenue and receivables findings reported in audit management letters were deficiencies in revenue recognition, weak revenue processes such as lack of review when updating of fees and charges resulting in undercharging customers and ratepayers, and not reconciling subsidiary and general ledgers.

Inappropriate revenue recognition at 35 councils

Thirty-five councils (2021–22: 16) had gaps in revenue recognition practices, including:

• not formally assessing grant funding against measurement criteria under AASB 15 ‘Revenue from Contracts with Customers’ and AASB 1058 ‘Income of Not-for-Profit-Entities’ leading to errors in the financial statements
• not reconciling the grant register and not keeping it up to date
• errors in applying AASB 16 ‘Leases’ for rental income recognition.

Deficiencies in revenue recognition practices resulted in 25 errors identified in councils’ financial statements, totalling $22 million.