At 30 June 2024, 35 councils (10 metropolitan, 10 regional and 15 rural) met just one or none of the three key financial sustainability benchmarks. Fifty-two councils (40%) did not meet the operating performance benchmark, and 59 councils (46%) did not meet the infrastructure renewal benchmark. Two councils – Bathurst Regional and Shoalhaven City – have not met any of the benchmarks for at least three years. In addition, the cash and investments of these two councils (not subject to external restrictions) were insufficient to meet three months of their expenses¹ (excluding depreciation and borrowing costs). This indicates more serious risks to their continued financial sustainability.

A further 14 councils did not have cash and investments (not subject to external restrictions) to meet three months of their expenses (excluding depreciation and borrowing costs). See Appendix 4.

Revenue growth lags expenditure growth after adjusting for inflation, resulting in negative growth in real terms

Revenue and expenses across the councils from 2014 to 2023 have been relatively consistent with inflation. However, expenses indexed by CPI are $0.2 billion higher than indexed revenue, indicating negative growth in real terms.

In 2023–24, total revenue, excluding capital grants and contributions, was $16.1 billion, which is lower than total expenses of $16.3 billion, an overall $0.2 billion shortfall.

About 40% of councils did not break even in 2023–24.

Inadequate long-term financial planning at many councils has contributed to poor financial sustainability

Not all councils were fully compliant with the legislative requirements for long-term financial planning (LTFP). This undermines the effectiveness of these plans and increases the risk that future operating results are insufficient to sustain investments in capital works and meet the ongoing maintenance costs.

Forty-five councils (36%) did not have methods to monitor their financial performance, with rural councils having the most gaps in LTFP. Rural councils receive over 50% of their revenue from grants and contributions, much of which is tied to delivery of capital projects. This reliance on grant funding, for which timing and amounts are uncertain, adds complexity to the development of long-term plans. However, data regarding the operational inflows and outflows is available and should underpin the 10-year rolling plan. Without sufficient net operational cash flows, a council will not remain financially viable in the longer term.

Our performance audit on Financial Management and Governance in MidCoast Council includes recommendations on LTFPs and related practices, which are relevant to all councils.

¹ From the general fund only.

Councils provide a range of services and infrastructure for their local government area. Services include waste collection, planning and building approvals, animal management, libraries and recreational services. Councils build and maintain infrastructure, including roads, footpaths and stormwater. In many regional and rural areas councils also provide the infrastructure for water supply and sewerage services. The range of services provided, and infrastructure built and maintained, varies between councils and depends on the location, size, demographics, resources and needs of the community.

County councils were established for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.

Joint organisations were formed in regional NSW to improve the way local councils and other stakeholders work together to deliver regional priorities.

Note: In addition to the statements above and the special schedule, at least three types of audit opinions are issued for other grant acquittals required by the state and Commonwealth departments each year.

The content of the general and special purpose financial statements and the special schedule –permissible income is guided by the ‘Local Government Code of Accounting Practice and Financial Reporting’, which is updated annually by the OLG. The OLG is within the Department of Planning, Housing and Infrastructure (DPHI). The OLG has taken steps to declutter the financial reporting requirements within the Code and reduce the number of additional assurance engagements, but progress is slow. NSW councils continue to have a higher regulatory financial reporting burden compared to councils in other Australian states and territories.

This report provides the results and findings of the:

• 2023–24 general purpose financial audits of 127 councils, nine county councils and 13 joint organisations
• 2022–23 general purpose financial audits of seven councils, one county council and one joint organisation.

The audit of Lachlan Shire Council remains in progress as at the date of this report. Three joint organisations are in the process of dissolving, and two of these did not prepare 2023–24 financial statements.

In preparing this report, our observations and analyses were drawn from:

• audited general purpose financial statements
• performance audit reports
• data collected from councils
• audit findings reported to councils.

Each local council has unique characteristics. Its size, location and population, and the nature of the services it provides to its communities impact its financial sustainability and the risks it faces. To enable meaningful comparison, we classify the NSW councils as ‘metropolitan’, ‘regional’ or ‘rural’ throughout this report for the purposes of analysing their financial results. We identify county councils and joint organisations separately. See Appendix 3 for classifications.

Source: OLG time series data for population and land area.

Refer to Appendix 3 for further details.

More councils performed early financial reporting procedures, which helped meet the statutory deadline

This year, 61% of councils (54% in 2022–23) performed at least some early financial reporting procedures, including:

• completing IPPE valuations before 30 June (37 councils, 2022–23: 43)
• completing fair value assessments of IPPE (36 councils, 2022–23: 22)
• assessing the impact of material, complex and one-off significant transactions and preparing position papers supporting their accounting treatment (30 councils, 2022–23: 23)
• working through unresolved prior-year audit issues, and developing an action plan to resolve them (63 councils, 2022–23: 37)
• documenting significant management judgements and assumptions for estimating transactions and balances (29 councils, 2022–23: 19)
• preparing proforma financial statements and associated disclosures (34 councils, 2022–23: 27).

Early financial reporting procedures help councils meet the statutory deadline of 31 October. They also help to improve the quality of financial reporting by identifying and addressing significant risks and resolving accounting issues before the financial statements are submitted for audit.

Councils can work with the Audit Office to select financial reporting procedures to complete and have audited before 30 June. The planned approach should allow sufficient time for management review and involvement of Audit, Risk and Improvement Committees. This process will allow for audit observations and feedback to be considered prior to the year-end financial reporting process.

In addition to the procedures listed above, councils should consider the following early financial reporting procedures:

• preparing proforma financial statements, and removing boilerplate financial statement disclosures, and immaterial and irrelevant information
• reconciling all key account balances and clearing reconciling items
• assessing the accounting implications of significant contracts and grant agreements
• assessing the impact of new and updated accounting standards and preparing supporting working papers.

Source: Councils’ financial statements (audited).

The analysis for 2023–24 shows that 48 councils met all three of the financial sustainability benchmarks, an improvement on previous years. These councils are therefore controlling expenses within revenue, can renew infrastructure and pay debts as they fall due. A further 45 councils met two of the benchmarks. However, three councils – Bathurst Regional Council, Liverpool City Council and Shoalhaven City Council – did not meet any of the benchmarks. Two of these – Bathurst Regional Council and Shoalhaven City Council – have not met any of the benchmarks for at least three years. This indicates more serious concerns regarding their continued financial sustainability.

We also calculated whether councils’ available cash and investments (not subject to external restrictions) were sufficient to meet three months of expenses³ (excluding depreciation and borrowing costs). At 30 June 2024, 16 councils (four metropolitan, seven regional and five rural) had liquidity constraints and will need to increase sources of cash inflows and control expenditure to fund these short-term cash requirements. Only 17 councils had sufficient cash and investments at 30 June 2024 to meet more than 12 months of expenses⁴ (excluding depreciation and borrowing costs). Due to regular inflow of cash from rates and annual charges, all councils remain going concerns for financial reporting purposes. See Appendix 4 for further details on liquidity.

It is crucial that all councils have effective long-term financial plans that aim to ensure they meet key financial sustainability benchmarks.

In November 2024, the Standing Committee on State Development released its report on ‘Ability of local governments to fund infrastructure and services’. This report highlighted challenges councils face in maintaining and improving assets and infrastructure, along with the growing cost of providing required community services. Many of the Committee’s 17 recommendations relate to the sufficiency of revenue, with the aim for income to keep pace with the cost of services.

A significant proportion of councils did not meet the operating performance benchmark

The graph below shows the percentage of councils, by classification, meeting or not meeting the operating performance benchmark (>0) for the past three financial years.

Source: Councils’ financial statements (audited).

In 2023–24, 41% of metropolitan, 43% of regional and 39% of rural councils did not meet the operating performance benchmark. This has deteriorated since the previous year (38% of metropolitan, 35% of regional and 26% of rural councils in 2022–23). Not meeting this benchmark means that these councils’ expenses are growing at a faster rate than the revenue they collect, which is not sustainable.

Most councils met the unrestricted current ratio benchmark

The graph below shows the percentage of councils, by classification, that met or did not meet the unrestricted current ratio benchmark (>1.5 times) for the past three financial years. This ratio measures councils’ short-term liquidity. This measure shows the current assets available to meet current liabilities.

Source: Councils’ financial statements (audited).

All but one metropolitan council are meeting this benchmark. Regional councils have improved since 2021–22, when 86% of these council met the benchmark. In 2023–24, 95% met benchmark. The percentage of rural councils meeting the benchmark has remained stable over the same period, at about 95%.

Increasing proportion of councils met the infrastructure renewals benchmark in 2023–24

The graph below shows the percentage of councils, by classification, meeting or not meeting the infrastructure renewals performance benchmark (>100%) for the past three financial years.

Source: 2021–22, 2022–23 and 2023–24 schedules (unaudited).

The performance of metropolitan councils has improved since 2021–22, when 68% did not meet the benchmark. The proportion of metropolitan councils meeting the benchmark in 2023–24 increased to 53%. Over the same period regional councils improved from 59% not meeting the benchmark to 49%, however, the situation for rural councils deteriorated from 40% not meeting the benchmark to 44%.

Several factors impact the ability of councils to meet this benchmark, including rising inflation and resource constraints driving up cost of capital projects and timing of natural disasters. Higher costs of constructing assets may require funding from other sources to complete projects already planned. This is compounded by lack of appropriate budgeting for ongoing operational costs to maintain these assets.

In addition, growth councils that appropriately focus on building new infrastructure and renewing existing assets will not meet this benchmark during the growth phase.

Regional and rural councils with large infrastructure balances have the least own-source revenue and rely on grants and contributions to renew assets.

³ From the general fund only.
⁴ From the general fund only.

Source: ABS Government Finance Statistics.

The increases in total revenue for NSW councils for the financial years between 2014 and 2023 is consistent with movements in the CPI. Without real growth in revenue, councils’ financial sustainability will continue to be at risk.

The composition of revenue types for each council classification has been relatively consistent over the past three financial years. The following analysis focuses on the 2023–24 financial year.

The graph below shows 2023–24 revenue totals by type and council classification.

Source: 2023–24 financial statements (audited).

Metropolitan councils derive half of their revenue from rates and annual charges

Metropolitan councils tend to have larger populations and higher property values, which contributes to 50% of their revenue coming from rates and annual charges. The next highest component is grants and contributions (24%), which includes developer contributions, and then user charges (12%). These steady, reliable and predictable sources of revenue contribute to councils’ medium and longer term financial sustainability.

Regional councils derive almost 40% of their revenue from rates and annual charges

Regional councils’ largest source of revenue are rates and annual charges from ratepayers. However, these comprise only 40% of their total revenue, with further income received from grants and contributions (36%) and user charges (17%).

Regional councils tend to cover larger land areas but have fewer ratepayers than metropolitan councils. They rely on grants and contributions from other levels of government more than metropolitan councils, but not as much as rural councils. Regional councils rely on grant income to supplement their own resources to renew and maintain infrastructure assets, including roads.

More than half the revenue of rural councils comes from grants and contributions

Rural councils only receive 24% of their revenue from rates and annual charges. Of the three council classifications in this report, rural local government areas typically have the lowest populations, larger land holdings and lower ratable property values. These factors limit the ability of these councils to generate revenue from rates and annual charges, with negative consequences for their financial sustainability over the medium to longer term. They are highly dependent on grants and contributions from other levels of government, which account for 54% of their total annual revenue.

Rural councils have proportionately greater road lengths, more bridges, and often maintain their own water and sewerage infrastructure. They receive a higher proportion of grant funding, which they rely upon for the renewal and maintenance of their infrastructure.

Lack of alternative revenue sources puts pressure on budgets and creates a dependency on grant funding. Rural councils’ ability to make and realise long-term plans is diminished, as the timing and amounts of receipts from Commonwealth and state grants are uncertain. Yet the range of services communities expect of their rural councils continues to grow.⁵ Rural councils often become the provider of last resort (such as in the provision of childcare and aged care) when private sector providers find it uneconomic to enter or remain in markets.

Strategic initiatives, technological advances, infrastructure projects and major maintenance projects can be delayed until funding and other resources are available as these councils prioritise day-to-day operational necessities.

Total expenses of $16.3 billion exceeded total revenue of $16.1 billion (excluding $4.6 billion in capital grants and contributions)

In 2023–24, across the NSW local government sector, total expenses were less than total revenue for all council classifications. When capital grants and contributions are excluded, expenses exceeded revenue by $0.2 billion. About 40% of councils did not break even in 2023–24.

The graph below shows the total revenue, expenses and net result by council classification for 2023–24.

Source: 2023–24 financial statements (audited).

Our analysis highlights that, on average, rural councils face the biggest challenge. Rural councils had the lowest differential between revenue and expenses of $810 million, compared to metropolitan ($1.78 billion) and regional ($1.85 billion) councils.

Revenue growth lags expenditure growth after adjusting for inflation, resulting in negative growth in real terms

The graph below shows actual expenses compared to expenses if indexed for the CPI from the 2014 to 2023 financial years.

Source: ABS Government Finance Statistics.

The total expenses for NSW councils for the financial years between 2014 and 2023 are consistent with the base year’s expenses indexed for annual CPI movements. In the 2023 financial year, expenses increased by more than CPI. Expenses were $1 billion higher (15.2 billion) than those indicated by the CPI movement ($14.2 billion). Over the longer term, spending exceeded CPI.

With reference to the revenue analysis presented previously, revenue growth lags expenditure growth after adjusting for inflation, resulting in negative growth in real terms. Expenses indexed by CPI are $0.2 billion higher than indexed revenue.

While the composition of expense types for each council classification has been relatively consistent over the past three financial years, our analysis focuses on the 2023–24 financial year.

Source: 2023–24 financial statements (audited).

Employee benefits expenses accounted for 38% of total expenses for metropolitan councils

Employee benefits expenses represented around a third of total expenses across all council classifications, with metropolitan councils having the highest (38%) and rural councils the lowest (30%).

Material and services expenses accounted for 40% of total expenses for rural councils

Material and services expenses ranged from 34% in regional councils to 40% in rural councils, with metropolitan councils sitting between the two at 37%. Effective procurement and contract management can help contain these costs, but inflation has proved to be a challenge in this area.

Rural councils face particular challenges in containing costs because they access a smaller pool of suppliers and resources, which limits price competition. Given their heavy reliance on grant funding and limited sources of other revenue, rural councils will continue to face challenges controlling costs within revenue.

Depreciation accounted for a higher proportion of expenses for regional and rural councils

Depreciation, amortisation and impairment expenses are non-cash items and accounted for 24% of total expenses in regional and rural councils. In metropolitan councils these expenses represented 18% of total expenses. For regional and rural councils, many cover large areas and have greater lengths of road to maintain. Many rural and regional councils also maintain their own water and sewerage infrastructure assets. All of these capital assets are subject to depreciation.

Depreciation is a requirement of the Code, which reflects the requirements of the Australian Accounting Standards. It is a concept that is common to both historical cost and fair value accounting conventions. Instead of writing off the entire cost of an asset in its year of acquisition, depreciation allocates the value of an asset as an annual non-cash expense over its useful life.

Many councils find depreciation challenging as the non-cash charge accounts for a significant proportion of the net result, reducing the funds that might otherwise have been available to provide goods and services. It is not ‘controllable’ by management, yet it factors into how their performance is measured.

However, while depreciation does not necessarily provide for an asset’s replacement and is not a substitute for long-term financial planning, it does serve to preserve some cash from each year’s net result that might be applied to the asset’s eventual replacement. In other words, if councils aim to break even each year, then at the end of the life of an asset, a cash amount equivalent to the previous depreciation charges would be available for replacing the asset.

The preservation of cash for the eventual replacement of assets helps ensure intergenerational equity for councils’ constituents.

⁵ The Standing Committee on State Development’s inquiry ‘Ability of local government to fund infrastructure and services’.

Source: Councils’ financial statements (audited).

Total cash and investments across councils is $19.3 billion, with $12.0 billion externally restricted. NSW councils’ cash and investment balances have grown over the past two years.

The graph below shows the proportion of total cash and investment balances, by council classification, split into externally restricted and not restricted portions over the past three financial years.

Source: Councils’ financial statements (audited).

The LG Act states that ‘money received as a result of levying a special rate or charge may not be used otherwise than for the purpose for which the rate or charge was levied’. Under the LG Act, the Minister can approve internal loans to use money collected through a special rate or charge for another purpose. In the absence of ministerial approval, only non-restricted cash can be used for operational purposes. Common types of special rates and charges include those for water, sewerage, drainage, domestic waste and stormwater management.

Restricted cash does not need to be kept in a separate bank account and is recorded in, and controlled using, subledgers.

The proportion of cash that is externally restricted has grown slightly for metropolitan councils. While the overall balances at regional and particularly rural councils is lower, the proportion that is restricted has remained static for each of the three years presented. For all council classifications, the highest proportion of cash and investments is externally restricted.

Bathurst Regional Council and Glen Innes Severn Council spent restricted cash during the 2023–24 financial year for other than their intended purposes without ministerial approval, in breach of the LG Act. Sutherland Shire Council and City of Ryde Council spent restricted cash for other than their intended purposes in previous years without ministerial approval, also in breach of the LG Act.

Over the past three financial years all councils had positive operating cash flows. Trends in cash flows can indicate where councils are likely to face challenges in remaining financially sustainable. Where there are negative net cash flows from operating activities that continue for two to three years, action needs to be taken to optimise cash management. Such action can include:

• managing debtors to minimise days locked up in debtors and write-offs
• tighter control of the amount and timing of expenses
• ensuring that procurement processes for materials and services deliver value for money
• monitoring cash balances and subledger accounts to reduce the risk that restricted cash is used to fund operations, leading to non-compliance with the LG Act.

Time lags between incurring expenses and receiving revenue put pressure on cash flows

Rates are the most substantial source of a council’s revenue. Where elected councillors wish to increase rates beyond the rate peg set by the Independent Pricing and Regulatory Tribunal (IPART) they must apply for a special rate variation (SRV). Approval of a SRV takes time, involves community consultation and must be supported by the council.

Grant funding is the second most significant revenue stream for councils, but the timing and quantum of grant funding is less predictable than other sources of revenue. The Standing Committee of State Development recommends the consideration of grant models that provide a more secure and sustainable source of funding, allowing greater discretion and determination in a timely manner.⁶

Because many councils have experienced natural disaster events in successive years, placing their communities and their resources under enormous pressure, grant money has been made available. Grant funding is also allocated to councils under the Roads to Recovery program and the Local Roads and Community Infrastructure for specified purposes consistent with the aims of those programs.

Grant funding, except for the general component of the annual Financial Assistance Grants, is tied to specific activities and cannot be used for the general operating expenses of councils. The local road component of the Financial Assistance Grants is untied, but must be spent on roads. While Financial Assistance Grants are paid in advance, other grants are generally paid on achievement of predetermined milestones relating to specific projects. There is often a time lag between when costs are incurred and when these grant revenues are received.

The need to preserve an operating cash balance means councils may defer certain expenditures that are discretionary in terms of nature and timing until additional funds are available.

⁶ The Standing Committee on State Development’s inquiry ‘Ability of Local Government to Fund Infrastructure and Services’.

Source: Audit management letters for 30 June 2023 and 30 June 2024 audits.

The graph below shows the breakdown of 30 June 2024 audit findings by key themes and risk.

Source: Audit Office findings.

The high-risk and common audit findings across these areas are explored further below. Governance, asset management and IT continue to dominate audit findings.

Governance

High-risk findings

Four high-risk findings were reported for this area, as detailed in the table below.

Common findings

Common governance findings reported in audit management letters include:

• absence of policies and procedures
• absence of business continuity plans (BCPs)
• deficiencies in risk management
• weak fraud controls
• poor contract management.

Thirteen councils had an outdated or no business continuity plan

A BCP is a widespread mechanism used by organisations to ensure that they are prepared to respond effectively to disruptions, including natural disasters. Business continuity management involves developing, implementing and maintaining policies, frameworks and programs to assist an organisation manage business disruptions. Plans should be tested regularly under a range of scenarios to ensure that they will be reliable during an actual event, and to provide feedback for continuous improvement.

Thirteen councils did not have a BCP, or their BCP was outdated (31 in 2022–23). Fifty-seven councils with BCPs in place recently tested the plans (93 in 2022–23). However, testing at 19 councils was limited to testing information and technology elements of the BCPs. Sixty-seven councils had not tested their BCPs recently.

All councils are required to appropriately assess and manage risks under the LG Act. The DPHI published its ‘Risk Management and Internal Audit for Local Government in NSW’ in December 2022. These guidelines became mandatory from 1 July 2024 and require:

• the Audit Risk and Improvement Committee and internal audit to be responsible for the review of the effectiveness of business continuity arrangements, including BCPs, disaster recovery plans and the periodic testing of these plans
• that risk management is a core responsibility of all senior council management.

Thirty-one councils did not have a crisis management plan in place

Thirty-one councils did not have a separate crisis management plan in place or a BCP that covers crisis management (40 in 2022–23).

A crisis management plan outlines how a business will react if a crisis occurs. It can be part of the BCP or it can be a separate plan. It should identify who will act and what their role(s) will be. The goal of a crisis management plan is to minimise damage and restore business operations as quickly as possible.

Councils need to improve their fraud control frameworks

Effective fraud control processes help to protect councils from events that risk serious reputational damage and financial loss. Councils should improve their fraud control frameworks.

Deficiencies in fraud control processes are summarised in the table below.

Source: Audit Office findings.

During the 2023–24 financial audits we notified the Independent Commission Against Corruption of 47 potential fraud and corruption cases across 22 councils, three county councils and two joint organisations. All but one matter were also self-reported. These matters included:

• accepting gifts to influence decisions
• improper procurement/contractor engagement
• bias in development consents
• improper appointment processes for new hires
• not acquitting credit card charges for fuel, food, beverages and clothing as legitimate business expenses
• misuse of resources for private purposes
• inappropriate employee timesheets and expense claims
• misappropriation of development bonds.

Asset management

Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as recording and valuing assets in accordance with Australian Accounting Standards.

High-risk findings

Ten high-risk findings were reported for this area, as detailed in the table below.

Common findings

Our audit management letters reported deficiencies in asset valuation processes, and inaccurate and incomplete fixed asset registers.

Thirty-nine councils had inaccurate and incomplete fixed asset registers

Maintaining accurate and up-to-date asset data helps councils make appropriate decisions around asset management. The fixed asset register issues at 39 councils included:

• not maintaining an accurate and complete fixed asset register:
  • issues with duplicate or missing assets
  • incorrect classification of assets
  • incorrect componentisation of assets
  • issues with assessing useful lives
  • discrepancies between fixed asset register and other information records (e.g., Crown land information database and technical asset registers)
• not regularly updating the fixed asset register for additions and disposals
• not maintaining the asset registers in a secure format (using unlocked spreadsheets or multiple unreconciled systems).

The source of prior period errors and uncorrected errors continue to relate mainly to the quality of asset records and asset valuations.

There were deficiencies in infrastructure asset revaluation processes at 54 councils

We identified deficiencies in infrastructure asset valuation processes at 54 councils (48 in 2022–23). These included:

• not assessing the useful life, condition and fair value of all asset classes annually
• inadequate supporting documents for key assumptions and judgements applied, including:
  • useful life assessments
  • condition and impairment assessments
  • fair value assessments
  • unit rates
• incorrectly classifying assets
• incorrectly excluding some assets from valuations
• errors in annual fair value assessments when applying indices to adjust fair values
• deficiencies in the annual fair value assessment process
• management not documenting their quality review over the asset valuation.

Some councils have ineffective valuation processes which are performed too late

Performing asset valuations allows management and auditors time to complete procedures and identify potential issues before the financial statements close process. Bringing this work forward can improve the timeliness and accuracy of financial reporting. The effective date of the comprehensive valuation of any asset category can be any point during the financial year subject to audit. As reported in Chapter 2 ‘Audit results’:

• thirty-seven councils (43 in 2022–23) completed IPPE valuations before 30 June 2024
• thirty-six councils (32 in 2022–23) performed fair value assessments of IPPE before 30 June 2024.

Councils should have a project plan in place to manage the asset valuation process. Suggested deliverables to be included in a timetable for council valuations may include the following.

Information technology

Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure the confidentiality and integrity of systems and data. These controls underpin the integrity of financial reporting.

Financial audits review IT general controls for key financial systems that support the preparation of council financial statements. These include:

• policies and procedures
• IT risk management
• privileged user access restriction and monitoring
• user access management
• system software acquisition, change and maintenance
• patch management
• disaster recovery planning
• cyber security (refer to the next chapter).

High-risk findings

High-risk findings reported in this area are detailed in the table below.

Common findings

In addition to the high-risk findings reported above, our audit management letters reported deficiencies in IT policies and procedures and a lack of user access management, including management of privileged users.

There are insufficient controls over access to systems by users and privileged users

We identified the following common access management findings:

• periodic user access review, which ensures that users’ access to key IT systems is appropriate and commensurate with their roles and responsibilities, was not performed at 37 councils (55 in 2022–23)
• there were gaps in the management of privileged users at 42 councils (38 in 2022–23). This included gaps in restricting privileged users’ access and monitoring their activity.

The number of councils with insufficient control over user access management, including privileged users, has reduced as councils have addressed previously reported matters.

Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of the unauthorised processing or modifying of transactions, or of sensitive data being stolen. These common findings may be rated high-risk when there are no mitigating controls to prevent or detect unauthorised activity.

Financial reporting and accounting

Financial reporting is an important element of good governance. Confidence in, and transparency of, public sector decision-making is enhanced when financial reporting is accurate and timely. Financial accounting refers to the processes adopted by management to record and review financial information. Councils use a combination of manual and automated processes and information systems to process financial information. Effective processes and controls support the accuracy and completeness of information presented in the financial statements.

High-risk findings

There were five high-risk findings in this area, as detailed in the table below.

Common findings

A lack of segregation of duties over the posting of manual journal adjustments at 22 councils

Independent review and authorisation of manual journal adjustments is important to reduce the risk of fraud or error in the financial statements. There was a lack of segregation of duties over the posting of manual journal adjustments to financial ledgers at 22 councils (12 in 2022–23).

Preparation of key account reconciliations was not timely or independently reviewed

Regular reconciliations of financial information, with appropriate review processes, help to identity and resolve discrepancies between different systems and records. They also preserve the integrity of financial statements and can identify fraud. Our audits found:

• no evidence of independent reviews of key account reconciliations at 35 councils (18 in 2022–23).
• untimely reconciliations of all key balances in the financial statements at 26 councils (28 in 2022–23).

Purchases and payables

Councils spend substantial funds each year to procure goods and services. It is therefore important that there is appropriate probity, accountability and transparency in procurement to achieve value for money and reduce the risk of unauthorised purchases, and corrupt and fraudulent behaviour.

High-risk findings

Two high-risk findings were reported for this area, as detailed in the table below.

Common findings

Credit card management requires improvement

Credit cards are a convenient and efficient procurement method. However, as they access council funds, it is in the public interest for their use to be monitored. Credit cards are subject to misuse and fraud by cardholders, merchants and fraudsters. It is important that councils effectively manage credit card use, minimise the risk of misuse and fraud, and ensure that the intended benefits are realised.

Common findings identified in council credit card management practices include:

• absence of or outdated credit card policies and procedures
• insufficient controls over credit card reconciliations
• inadequate or absence of timely review or authorisation of credit card expenses.

Insufficient review of changes to creditor information at 13 councils

Thirteen councils (six in 2022–23) did not perform a sufficient review of changes to creditor information in the supplier master file, including verification of bank account details. This increases the risk of unauthorised changes to key information, resulting in payments to incorrect or fraudulent accounts, leading to financial losses for councils. The increasing rates and sophistication of cybercrime amplify the risk of control weaknesses being exploited and going undetected for longer periods.

Payroll

Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award. Payroll processes, controls and information systems should protect the integrity of employee records to ensure accuracy of employee payments and leave entitlement calculations.

Common findings

Eighteen councils did not review changes to employee payroll data

Eighteen councils did not have adequate processes in place to review changes to employee payroll data (12 in 2022–23). This includes not generating reports to identify changes to master file data and/or pay run variance reports. In some cases, although reports were produced, they were not independently reviewed. This increases the risk of unauthorised changes or errors being undetected and remaining undetected for long periods, increasing the risk of financial loss to councils. Cyber criminals also target vulnerabilities in payroll processes and controls.

Payroll processes need to improve at many councils

Other common findings identified in payroll include:

• no review of termination payments
• leave forms not reviewed, not updated in the system and not filed
• lack of segregation of duties
• lack or untimely review of payroll reconciliations.

Cash and banking

Councils process a high volume of transactions each year. Effective controls over cash collection, disbursements and reconciliations reduce the risk of fraud and error.

Common findings

Outdated bank signatories at 14 councils

Expired bank signatories are not being removed on a timely basis. Fourteen councils (eight in 2022–23) had former employees listed as account signatories for bank accounts. This increases the risk of unauthorised transactions.

Revenue and receivables

Councils receive revenue from a range of different sources, including ratepayers, users of facilities, other levels of government, developers and investments. Councils require appropriate controls to accurately record revenue and receivables in compliance with Australian Accounting Standards and other legal requirements.

High-risk findings

One high-risk finding was reported for this area, as detailed in the table below.

Common findings

Revenue processes and controls need to improve at many councils

Other common findings across councils include:

• not formally assessing grant funding against measurement criteria under AASB 15 ‘Revenue from Contracts with Customers’ and AASB 1058 ‘Income of Not-for-Profit-Entities’, leading to errors in the financial statements
• not reconciling the grant register and not keeping it up to date
• lack of independent review of changes made to data in revenue systems and revenue master files
• lack of exception reporting
• incorrect classification of properties for rating purposes.

Deficiencies in revenue recognition practices resulted in the identification of 18 uncorrected errors (totalling $34.3 million) in councils’ financial statements, and three prior period errors (totalling $7.1 million) (25 errors, $22 million in 2022–23). While there has been some improvement, many of the errors were detected by auditors rather than through appropriate and consistently applied management processes and controls.

Internal audit

The Institute of Internal Auditors defines internal audit as ‘an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations’. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

According to the Local Government Regulation and the ‘Guidelines for Risk Management and Internal Audit for Local Government in NSW’, commencing 1 July 2024, councils (including county councils and joint organisations) must have an internal audit function to review the council’s operations, risk management and control activities.

No internal audit function at 10 councils, four county councils and 12 joint organisations

The table below shows the number of councils, county councils and joint organisations with gaps in their internal audit functions.

Source: Audit Office findings.

It is likely, given the weaknesses noted above, that several councils will not comply with the newly commenced internal audit requirements of the Local Government Regulation. The Regulation requires councils, county councils and joint organisations to notify the Departmental Chief Executive within 28 days of the failure to comply with the Regulation and publish a statement of non-compliance details in the annual report. There was no internal audit function at 10 councils, four county councils and all but one joint organisation.

For the councils and county councils that did have internal audit functions, the table below shows the range of internal audit annual budgets by classification.

Source: Audit Office analysis.

Metropolitan councils have the largest budgets for internal audit. In the current audits we identified no areas for improvement relating to the internal audit functions and their governance.

The operations of rural and regional councils range in size and complexity. The nature of their internal audit functions and governance also range in maturity and in the budget allocated to their delivery. It is important that internal audit budgets are sufficient to ensure appropriate coverage by internal audit of acknowledged risks. However, not all improvements involve additional expense. Improved governance processes and adequate oversight of internal audit activities and recommendations can also achieve better outcomes for smaller councils.

Councils, county councils and joint organisations can share an internal audit function. This should be a formal arrangement that outlines the governance arrangements, how it will operate and how the costs will be shared.

Source: Audit Office findings. Data are not available for all years. The graph shows the trend from when we first reviewed these controls in 2019.

While the overall trend indicates improvements in these key cyber security controls, especially regarding governance, there has been a slight drop in cyber security training and awareness and cyber incident management. The improved areas of cyber security policy and risk management have been a focus of our financial audits and it is encouraging to see councils responding to the recommendations in our financial statement audit management letters and our Local Government 2023 Auditor-General’s Report.

This chapter covers some aspects of cyber security risk management, cyber security training and further analysis of the above controls based on data collected from NSW councils.

Source: Audit Office findings for councils, county councils and joint organisations.

The clear preference of cyber security frameworks is the Essential Eight (chosen by 100 councils). Thirty-eight per cent of councils have selected it as their only framework. Other frameworks that councils have adopted include the NSW Cyber Security Policy, the federal Information Security Manual, ISO 27001 ‘Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements’, or frameworks purchased from vendors.

Fifty-five per cent of councils followed only one of the above frameworks, with the remainder selecting elements from two to four different frameworks. The following table shows the combinations of cyber security frameworks used by councils.

Source: Audit Office analysis for councils, county councils and joint organisations.

The cyber security frameworks differ in their scope and purpose. Selection of some frameworks may limit the focus and attention to components of cyber security rather than provide a comprehensive approach. The differences in the two main frameworks used by councils are as follows:

• The Essential Eight is a subset of eight mitigation strategies to protect against cyber threats
• The Guidelines have a broader set of requirements covering governance and identification, detection, response and recovery, and protection. The Guidelines target councils, integrate the Essential Eight into their requirements and suggest a minimum standard for the Essential Eight.

Adopting the Essential Eight alone may protect key systems and data, but may not provide sufficient focus on other cyber security elements that are included in the Guidelines.

Thirty-seven councils did not have a cyber security policy

Translating cyber security frameworks into cyber security policy is important to set organisational-wide expectations and objectives, and to articulate the scope for users and stakeholders. It is also key to articulating a council’s posture on cyber security.

There has been an improvement in the adoption of cyber security policies by councils. In 2024, 26% councils (34% in 2023; 80% in 2019) did not have a current cyber security policy, and six were in the process of developing a draft policy. Forty-nine per cent of councils without a cyber security policy are rural councils.

Source: Audit Office findings.

Phishing is when cyber criminals trick people into giving them information that can enable unauthorised access. They send emails or messages purporting to be from large known and trusted organisations, and often demand urgent action by recipients.

Forty-five per cent of councils did not run a phishing simulation during the 2024 financial year. Of the 55% of councils that did run a phishing exercise, five councils did not give staff any feedback if they did react inappropriately to the phishing exercise. These councils are working on procedures to ensure that users are aware of the risks associated with their actions.

When individual staff did not respond appropriately to a phishing exercise, councils used the following methods to improve their cyber security awareness:

• they required the staff member to attend additional training (51 councils)
• they provided written or verbal feedback about the exercise and how they should have responded (30)
• they informed the staff member’s manager of the result (10)
• they reflected repeated phishing test failures in staff appraisals (6)
• they performed other actions such as praising staff who successfully passed, focused on particular business units and informed users of the overall results (28).