Unmodified audit opinions were issued for all completed 30 June 2025 financial statements

Unmodified audit opinions were issued for the 30 June 2025 financial statements of 125 (of 128) councils, 8 (of 8) county councils and 11 (of 13) joint organisations.

Eighty-eight per cent of councils met the statutory deadline of 31 October for lodging financial statements (88% for 30 June 2024). Fourteen councils and 2 joint organisations (12%) received extensions from the Office of Local Government (OLG). Audits remain in progress for 3 councils.

Eighty-nine independent auditors' reports were issued in the 5 days before the statutory deadline. Councils, the Audit Office, and Audit, Risk and Improvement Committees (ARICs) can take further steps to improve the timeliness of financial reporting and the audit process. Early financial reporting procedures can improve the quality and timeliness of financial reporting.

Quality of financial reporting has improved

The number and value of errors in financial statements have declined, and fewer versions of financial statements were submitted for audit, indicating improving financial reporting processes. Quality of financial reporting could be further improved by addressing longstanding deficiencies in record keeping and timely valuations of infrastructure, property, plant and equipment (IPPE). Performing early financial reporting procedures, such as completing valuations by 30 June, will enable more complete draft financial statements.

NSW councils have a greater financial reporting burden than other Australian states

Progress by the OLG to declutter financial statements and reduce the burden of reporting has been slow. NSW councils continue to have a greater financial reporting burden than councils in other Australian states and are required to prepare and submit more statements for audit, such as special purpose financial statements.

OLG’s current financial reporting framework is ‘one size fits all’ as it does not scale to the varying size, risk profiles and complexity of councils, county councils and joint organisations in NSW. There is currently a disproportionate impact on smaller entities such as rural councils, county councils and joint organisations. The overall sector outcomes could be achieved with a scalable approach which considers resources available in different locations.

Financial sustainability

More councils reported operating losses for the year ended 30 June 2025

Seventeen councils reported operating losses this year. Continued operating losses may indicate financial sustainability risks. Councils with operating losses need to prioritise comprehensive budget repair through long-term financial planning, with expenditure control, to improve their financial sustainability.

Nineteen councils did not have cash and investments to meet 3 months of general fund expenses

Nineteen councils (2 metropolitan, 8 regional and 9 rural) had insufficient cash and investments, not subject to external restrictions, to pay 3 months of general fund expenses (compared with 16 at 30 June 2024). This highlights ongoing liquidity challenges for the sector, particularly for regional and rural councils. Appendix 2 contains details on the 11 councils most at risk.

Two councils spent restricted cash in breach of the Local Government Act 1993

Bathurst Regional Council and Upper Hunter Shire Council breached the Local Government Act 1993 by spending restricted cash for purposed other than those intended.

Financial assistance grants in 2024–25 had lowest growth in 7 years

The graph below shows the growth in financial assistance grants compared with growth in Commonwealth tax revenue.

1. By 30 June 2026, the Department of Planning, Housing and Infrastructure (the Department), should work with relevant State agencies to:
   • set a mandatory framework to guide councils in the responsible implementation of AI, drawing on existing frameworks established by other levels of government.
2. By 30 June 2026, councils should review their readiness for increased use of AI by:
   • reviewing and ensuring that fit-for-purpose governance arrangements are in place before deploying AI
   • considering the benefits of developing an AI strategy that can be integrated into a broader organisational plan to ensure that AI initiatives are coordinated and aligned with councils’ strategic priorities and objectives.
3. By 30 June 2026, councils should improve cyber security control frameworks by:
   • strengthening supply chain risk management governance
   • improving investment accountability by introducing cost-benefit analysis, return on investment tracking, aligning cyber spending with current threat landscapes, and managing underutilised, redundant and/or outdated cyber security tools and services.
4. By 30 June 2027, the Department should review its financial reporting framework in NSW by progressing:
   • a more scalable framework to reduce unnecessary administrative burden on rural councils, county councils and joint organisations
   • staged implementation of new requirements to allow smaller councils to learn from and leverage the experience of larger councils
   • opportunities for sharing resources, policy frameworks and information systems to achieve improved value for money and reduce duplicated effort across the sector.
5. By 30 June 2027, the Department should implement updated guidelines on major capital projects and ensure they:
   • align with assurance arrangements for the NSW Government sector, and include provisions for independent assurance
   • are scaled to project size and complexity, council size and location
   • address the full project lifecycle.

In NSW, local councils are established under the Local Government Act 1993 (the LG Act), which defines the powers and geographical areas for which councils are responsible.

At 30 June 2025, there were:

• 128 local councils (57 rural, 37 regional, 34 metropolitan)
• 13 joint organisations
• 8 county councils.

Councils provide a range of services and infrastructure for their local government area. Services include waste collection, planning and building approvals, animal management, libraries and recreational services. Councils build and maintain infrastructure, including roads, footpaths and stormwater. In many regional and rural areas, councils also provide the infrastructure for water supply and sewerage services.

County councils were established for specific purposes, such as to supply water, manage flood plains or eradicate noxious weeds.

Joint organisations were formed in regional NSW to improve the way local councils and other stakeholders work together to deliver regional priorities.

The Office of Local Government (OLG), within the Department of Planning, Housing and Infrastructure, is responsible for the regulation and oversight of councils, county councils and joint organisations.

Each council has unique characteristics

A local council’s size, location, demographics and the nature of the services it provides to its communities impact its financial sustainability and the risks it faces. To enable meaningful comparison, and for the purposes of analysing their financial results, councils are classified as ‘metropolitan’, ‘regional’ or ‘rural’ throughout this report. County councils and joint organisations are classified separately. Refer to Appendix 5 for a list of local councils and their classifications.

The map below shows the council classifications across NSW.

Financial audits provide independent opinions on the financial statements of councils. They are designed to give reasonable assurance that financial statements are true and fair, thus enhancing the degree of confidence users have in the financial statements.

This report analyses the audit results and findings of the financial audits of 125 councils, 8 county councils and 11 joint organisations for 2024–25. The financial statements and audits of 3 councils remain in progress at the date of this report.

It is important that the local government sector prepares financial statements that are free from material error to ensure transparency, accountability and confidence in financial management. Councils deliver a wide range of services and are exposed to varying degrees of financial, operational and strategic risk, each presenting unique challenges to accurate financial reporting.

In addition to presenting the results of financial audits, this report provides the NSW Parliament and NSW councils, county councils and joint organisations with insights into important areas of public sector financial accounting and management, which have important operational complexity, financial risk and long-term sustainability implications.

The table below details the analysis undertaken in this report.

NSW councils have a greater financial reporting burden than other Australian states

The Local Government Act 1993 (the LG Act) requires the Auditor-General to issue an audit opinion on each council’s:

• general purpose financial statements
• special purpose financial statements
• special schedule – permissible income.

Each year, as required by the State or Commonwealth Governments, the Auditor-General must also complete at least three grant acquittal audits.

Audit opinions

At the date of this report, unmodified audit opinions were issued for the 30 June 2025 financial statements of:

• 125 councils
• 8 county councils
• 11 joint organisations.

Issuance of an unmodified opinion means sufficient audit evidence was obtained to conclude that the financial statements were free of material misstatement and were prepared in accordance with Australian Accounting Standards and Chapter 13, Part 3, Division 2 of the LG Act.

The table below lists the audits that are in progress at the date of this report and the reasons why.

Two councils resolved issues that resulted in qualified audit opinions in previous years

During 2024–25, because of the resolution of issues described in the table below, an unmodified audit opinion was issued on both councils’ 30 June 2025 financial statements.

Prior-period errors

A prior-period error is a misstatement made by a council in previous financial years. It is identified by the auditor or council in the current financial year, and is corrected retrospectively by restating the opening balances and comparatives in the financial statements. The existence of prior-period errors corrected retrospectively can indicate deficiencies in a council’s financial reporting processes and internal controls.

The number of prior-period errors decreased in 2024–25, but remains high

Seven councils and one joint organisation retrospectively corrected 15 prior-period errors in their 30 June 2025 financial statements (32 in 2023–24). While there has been an improvement in the number of prior-period errors identified in 2024–25, indicating an uplift in the quality and reliability of councils’ financial reporting, the number of prior-period errors remains high.

Of the 15 prior-period errors identified, 6 councils had errors exceeding $30 million. These errors all related to IPPE.

The table below details the prior-period errors exceeding $30 million.

Source: Engagement closing reports from 30 June 2025 audits.

Uncorrected errors

Some errors in councils’ 30 June 2025 financial statements were not corrected

An uncorrected error is an error identified by the auditor or council in the financial statements that has not been corrected by the council. In other words, while errors are reported to council management, the errors have not been corrected because they do not consider them material, either individually or in aggregate. While the financial statements would be more accurate if the errors had been corrected, the errors are not sufficiently material to require the auditor to modify the Audit Office’s opinion of the councils’ financial statements.

The total number and value of uncorrected errors declined in 2024–25, an indication of improved quality of councils’ financial statement preparation processes. In 2024–25, there were 135 reportable errors (184 in 2023–24) and the total value of these errors was $344 million ($459 million in 2023–24).

The table below shows the number and value of uncorrected errors identified in 2024–25.

Source: Engagement closing reports from 30 June 2025 audits.

While they are decreasing, the number and value of errors identified indicates that financial statement preparation and quality assurance processes could be improved.

IPPE valuations and poor asset record keeping account for the majority of uncorrected errors

The chart below details the key drivers for uncorrected errors identified. In addition to all prior-period errors over $30 million mentioned above, 84% of the uncorrected errors relate to the measurement and recognition of IPPE, including errors in the valuation process and poor asset record-keeping practices leading to inaccurate asset register information.

The LG Act requires councils to submit audited financial statements to the OLG by 31 October. If a council cannot meet this date, it can apply to the Minister for Local Government (or their delegate) for an extension of time. Timely financial reporting is an indicator of sound financial management and helps inform decision-making by the councils’ elected representatives.

Eighty-eight per cent of councils lodged their 30 June 2025 audited financial statements by the statutory deadline – the same percentage as the last financial year

For the 30 June 2025 financial audits:

• 114 councils, 8 county councils and 9 joint organisations met the statutory deadline (113 councils, 8 county councils and 8 joint organisations for the 30 June 2024 financial statements)
• 14 councils and 2 joint organisations (12%) received one or more extensions to lodge their audited financial statements after 31 October (15 councils, 2 county councils, 3 joint organisations for the 30 June 2024 financial statements)
• 2 joint organisations breached the LG Act by missing the statutory deadline and not requesting an extension (2 joint organisations for the 30 June 2024 financial statements). These joint organisations are not currently operating and have asked the Minister for Local Government to approve their dissolution.

The most common reasons councils cited when applying for extensions related to:

• accounting or other matters that required more time to resolve
• resolving issues or complexity in undertaking asset valuations
• council resourcing issues, including turnover of key staff or inability to fill key financial management positions
• the impact of natural disasters, and the required prioritisation of recovery efforts.

Refer to Appendix 5 for further details.

Independent auditors' reports for 89 councils were issued in the last 5 days before the statutory deadline

The graph below shows that most of the independent auditors’ reports were issued in October with 89 being issued in the last 5 days before the statutory deadline.

An increasing number of councils made operating losses for the year ended 30 June 2025, with most highly dependent on grant funding

An operating loss means operating revenue is insufficient to meet operating expenses. In 2024–25, 17 councils made operating losses (one metropolitan, 4 regional and 12 rural) compared to 5 councils in 2023–24. Continued operating losses may indicate financial sustainability risks. Six of the 19 councils identified as being the least liquid also made an operating loss.

Councils with operating losses need to prioritise comprehensive budget repair through long-term financial planning, with expenditure control, to improve financial sustainability

Rates are the most substantial source of a council’s revenue. If elected councillors want to increase rates beyond the rate peg set by the Independent Pricing and Regulatory Tribunal (IPART), they must apply for a special rate variation (SRV). Approval of an SRV takes time, involves community consultation and must be supported by the council.

Grant funding is the second most significant revenue stream for councils, but the timing and quantum of grant funding is less predictable than other sources of revenue.

Because many councils have experienced natural disaster events in successive years, placing their communities and their resources under pressure, grant money has been made available. Consistent with the aims of the programs, grant funding is also allocated to councils under the Roads to Recovery program and the Local Roads and Community Infrastructure Program for specified purposes.

Grant funding, except for the general component of the annual Financial Assistance Grant, is tied to specific activities and cannot be used for councils' general operating expenses. The local road component of the Financial Assistance Grants is untied but must be spent on roads. Financial Assistance Grants are paid in advance, but the percentage received in advance has decreased each year, which has led to a decline in revenue each year. In June 2025, councils received 50% of the 2025–26 allocation, while in the previous year it was about 85%. This 35% reduction in cash receipts led to an increased number of councils with operating losses for the year ended 30 June 2025.

Other grants are generally paid on achievement of predetermined milestones relating to specific projects. There is often a time lag between when costs are incurred and when these grant revenues are received.

The need to preserve an operating cash balance means councils may defer certain expenditures that are discretionary or non-essential until additional funds are available.

Financial Assistance Grants in 2024–25 had their lowest growth over the past seven years

National principles for distributing Financial Assistance Grants to councils began on 1 July 1995 under the Local Government (Financial Assistance) Act 1995.

The graph below shows the percentage growth in Financial Assistance Grants against growth in Commonwealth tax revenue.

Councils hold cash and investments that are restricted by legislation or contractual arrangements. Effective management of these balances is crucial to ensure compliance with legislation and contract conditions while planning for future spending, including capital projects. Interest income earned on restricted funds is similarly restricted.

The LG Act states that ‘money received as a result of levying a special rate or charge may not be used otherwise than for the purpose for which the rate or charge was levied’. Under the LG Act, the Minister can approve internal loans to use money collected through a special rate or charge for another purpose. In the absence of ministerial approval, only non-restricted cash can be used for operational purposes. Common types of special rates and charges include those for water, sewerage, drainage, domestic waste and stormwater management.

Restricted cash does not need to be kept in a separate bank account and is recorded in, and controlled using, subledgers.

Two councils spent restricted cash in breach of the LG Act

Bathurst Regional Council and Upper Hunter Shire Council breached the LG Act by spending externally restricted cash for purposes other than those intended.

At times during 2024–25, these councils had insufficient cash flows, not subject to external restriction, to meet general fund expenses.

Both councils have subsequently received ministerial approval to use internal borrowings to support their cash flow.

Most cash and investments held by councils are externally restricted and can only be used for specific purposes

The graph below shows the total cash and investment balances split into externally restricted and not restricted, by council classification, over the past 3 financial years.

NSW residents and businesses receive water from Sydney Water Corporation, Hunter Water Corporation and local water utilities that are operated by councils or county councils.

Approximately 1.9 million people receive water from councils or county councils. Councils set water rates, though many rural councils with small populations have a small number of customers, so annual revenue is low.

Fifteen councils made operating losses for the water fund for the year ended 30 June 2025

Seventy-seven councils operate a water supply business, with 15 councils (2 regional and 13 rural) making an operating loss for these businesses for the year ended 30 June 2025. Councils with higher surpluses tend to be those with higher populations and more water connections that provide revenue.

There is a high reliance on funding from grants to operate and fund asset acquisition and renewal for water supply businesses. When grants revenue was removed, 30 councils (10 regional and 20 rural) had an operating loss.

The graph below shows the proportion of operating results of water supply businesses over the period 2021−25.

Councils collect local infrastructure contributions from developers under the Environmental Planning and Assessment Act 1979, the LG Act and the City of Sydney Act 1988 to fund infrastructure required to service and support new development. There are 3 types of contributions:

• section 7.11 – charged where there is a demonstrated link between the development and the infrastructure being funded
• section 7.12 – alternative to section 7.11 contributions and charged as a percentage of the estimated cost of the development
• planning agreements – a legal agreement negotiated between a developer and a planning authority to deliver an infrastructure outcome.

Councils are required to consider practice notes issued by the Secretary of the Department of Planning, Housing and Infrastructure when using contribution plans or planning agreements.

These contributions help councils to deliver roads, footpaths, traffic management, stormwater drainage, community facilities, parks and other recreation areas. Capital costs include the initial costs of providing infrastructure such as land acquisition, construction of facilities, costs of any borrowings and some administrative costs incurred by the council.

Councils collecting these contributions must prepare a contributions plan outlining how these contributions will be calculated and apportioned across different types of infrastructure, works programs and delivery plans. Councils can pool contributions to allow more timely funding of infrastructure.

In 2009, under section 7.11, a threshold of $20,000 per lot was introduced for all development, unless a Ministerial direction specifies a higher amount. This amount has not been indexed. Councils can charge above the threshold set by the Minister for Planning and Public Spaces, if they request an IPART review of a contribution plan, and the recommendation is approved by the Minister. These approvals are restricted to collect only for infrastructure on the essential works list. Twelve councils have obtained approval to charge above the cap for specific contribution plans.

Councils held $5.4 billion in local infrastructure contributions at 30 June 2025, with balances increasing

At 30 June 2025, councils across NSW collectively held $5.4 billion ($4.3 billion at 30 June 2024) in contributions collected from developers. The balance of contributions held by councils increased by $2.2 billion from 2020–21 to 2024–25.

The graph below shows the 30 June balance of externally restricted cash and investments, collected from developers, by council classification for the past 5 years.

Section 403 of the LG Act requires councils to have a long-term strategy for providing resources required to perform its functions. This is known as the Resourcing Strategy, which consists of 3 elements:

• long-term financial planning
• asset management planning
• workforce planning.

The OLG issued the ‘Integrated Planning & Reporting Handbook’ to provide guidance to councils on how to prepare and implement integrated planning.

Councils can improve modelling for different scenarios in financial planning

The table below presents compliance levels with some of the mandatory requirements for long-term financial planning (LTFP).

Source: Audit Office findings.

All councils’ long-term financial plans covered a 10-year period and included income and expenditure, balance sheet and cash flows. Metropolitan (9%), regional (22%) and rural (27%) councils should improve financial modelling for planned, optimistic and conservative scenarios. Some regional and rural councils should improve sensitivity analysis and methods for monitoring financial performance. Strengthening processes for scenario modelling, sensitivity analysis and methods for monitoring financial reporting will increase the effectiveness of long-term financial plans.

The Audit Office has commenced a performance audit on long-term financial planning. Refer to Looking forward for more information.

An audit of financial statements requires the auditor to obtain an understanding of councils’ internal controls that are relevant to the preparation of the financial statements. This includes evaluating the design and implementation of controls over financial reporting and identifying and reporting internal control deficiencies. Breakdowns and weaknesses in internal controls can increase the risk of non-compliance, fraud and error.

The Audit Office’s management letters report deficiencies in internal controls and other matters of governance interest to those charged with governance, including the general manager and ARICs.

The Audit Office reported audit findings to all councils, county councils and joint organisations in 2024–25. The total number of reported audit findings (1,410) was consistent with that in 2023–24 (1,406).

As explained in the chart below, 69% of reported findings were related to weaknesses in governance, asset management and IT.

The Audit Office identified key findings across the following areas:

• governance matters
• asset management
• IT
• purchases and payables
• payroll
• revenue and receivables
• cash and banking, including the management of externally restricted balances.

Governance matters

Deficiencies in governance frameworks reduce confidence in the integrity and effectiveness of systems and operations

One high-risk finding was reported as a council had not formalised its business continuity plan to define the processes required to continue operations during an event.

Other common reported findings include:

• absent or outdated policies and procedures
• incomplete contract register
• business continuity plans not formalised or tested
• inadequate procedures to ensure compliance with laws and regulations.

Councils need to improve their fraud control frameworks

Robust fraud risk assessment and control processes help to protect councils from events that risk serious reputational damage and financial loss.

While more councils have implemented policies for fraud and corruption prevention and conflicts of interest, some councils need to improve their training and fraud risk assessments. Deficiencies in fraud control processes are summarised in the table below.

Source: Audit Office findings. Some of the fraud control deficiencies were only collected this year.

Councils should take steps to provide improved governance related to fraud, including providing fraud awareness training to their staff and undertaking regular fraud risk assessments.

Changing vendor details without proper verification can lead to fraud

All requests to change vendor details should be independently verified and all changes should be independently reviewed. Ineffective controls to detect and prevent fraud can expose councils to financial loss, as demonstrated in the case study below.

Asset management

Councils own and manage large infrastructure asset portfolios to support the delivery of community services. Asset management involves operational aspects such as maintenance and physical security, as well as accounting procedures such as recording and valuing assets in accordance with Australian Accounting Standards.

Councils should improve managing, recording and valuing assets

Nine high-risk findings were reported for:

• deficiencies in asset valuation processes
• lack of timely review and management of work-in-progress
• not maintaining fixed asset registers in a secure format.

Other common reported findings include inadequate asset valuation processes and inaccurate and incomplete fixed asset registers.

Ineffective controls, including lack of timely reviews and management of work-in-progress, can lead to errors in financial statements, as demonstrated in the case study below.

Sixty-three councils had inaccurate and incomplete fixed asset registers

Having complete and accurate records of assets in place informs asset management decisions, improves the robustness of asset management plans and allows for effective monitoring of asset condition and performance.

Errors in underlying asset register data lead to errors in financial reporting.

Councils should take steps to improve the accuracy and completeness of fixed asset registers by:

• removing duplicate assets
• analysing data and comparing it to other systems such as ratings systems for completeness of land and technical asset registers for infrastructure
• regularly updating asset additions and disposals
• ensuring a strong alignment between fixed asset registers and other sources of information, including engineering records and asset management plans
• maintaining fixed asset registers in a secure format.

Sixty-eight councils have deficiencies in asset valuation processes

Incomplete and inaccurate underlying asset records, such as fixed asset registers, contribute to errors in asset valuations. They also contribute to errors in financial reporting.

Councils can improve their valuation processes by:

• having a valuation policy
• effectively planning valuations and starting the process early
• updating and reconciling registers before providing them to valuers to ensure they are accurate and complete
• completing key reconciliations between relevant databases
• documenting management’s review of draft and final valuation reports, including questioning valuers
• preparing position papers explaining methodology, key assumptions and judgements, and the reasons for movements
• engaging with auditors throughout the valuation process.

Information technology

Deficiencies in controls and monitoring of user access undermine the integrity of data and finance systems

Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure the confidentiality and integrity of systems and data.

Financial audits review IT general controls for key financial systems that support the preparation of council financial statements. These include:

• policies and procedures
• risk management
• privileged user access restriction and monitoring
• user access management
• system software acquisition, change and maintenance
• patch management
• disaster recovery planning
• cyber security (see Chapter 10).

Four high-risk findings were reported for:

• lack of policies and procedures for disaster recovery and password controls
• no monitoring of privileged user activity
• not performing user access reviews
• password parameters not meeting better practice.

Other common reported IT findings include:

• absence of policies and procedures
• failing to perform user access reviews to ensure access to key IT systems is appropriate and commensurate with their roles and responsibilities
• gaps in restricting privileged users’ access and not monitoring their activity
• absence of disaster recovery planning.

Risks arising from weak IT controls include:

• unauthorised access to data that may result in destruction of data or improper modification
• unauthorised changes to IT applications or other aspects of the IT environment
• inability to recover from IT incidents
• compromised segregation of duties and management that override established controls.

Most councils had insufficient controls over user and privileged user access to systems

Control weaknesses over system access were reported at 71 councils in 2024–25. Weaknesses in granting, removing and monitoring user access to systems can lead to inappropriate and unauthorised system access, increasing the risk of fraud, cyber attacks and invalid transactions. This can compromise the integrity, confidentiality and accuracy of financial data.

Councils should ensure that:

• access to the system is granted only after obtaining the necessary approvals, which should be formally documented and retained
• access removal is timely at employee termination, and processes are in place to allow timely communication by HR/payroll teams to system administrators to disable or delete inappropriate access
• reviews of user access are regularly performed to ensure existing access permissions are appropriate and user accounts are still required. Reviews and corrective action should be prompt and evidence of changes should be retained.

Purchases and payables

Deficiencies in procurement and contract management controls could impact value for money outcomes

It is critical to have appropriate probity, accountability and transparency in procurement to achieve value for money and reduce the risk of unauthorised purchases, and corrupt and fraudulent behaviour.

Three high-risk findings were reported for:

• significant weaknesses in procurement practices, lack of segregation of duties and over reliance on contractors, leading to alleged corrupt conduct
• inadequate review of changes to the vendor master file resulting in fraud
• non-compliance with the council’s own policies and the tendering requirements of the LG Act.

Other common findings include:

• inadequate reviews of changes to the vendor master file
• poor contract management frameworks
• lack of segregation of duties
• financial delegations not enforced.

Weak purchasing and payable controls, including those related to management of vendor master data and approval of payments, increase the risk of error, waste and fraud.

Ineffective controls in purchasing and payables management can expose a council to loss and fraud, as demonstrated in the case study below.

Payroll

Weak controls and lack of segregation of duties increase the risk of fraud, waste and error

Payroll is a significant expense. Effective payroll processes ensure councils manage their workforce in compliance with legislation, employment agreements and the Local Government Award.

Common payroll findings include:

• inadequate review of changes to the employee master file
• no review of termination payments
• leave forms not reviewed, not updated in the payroll system and not filed
• lack of segregation of duties
• lack or untimely review of payroll reconciliations.

Payroll processes, controls and information systems should be designed to protect the integrity of employee records. They should be designed to ensure accuracy of payments to employees and to prevent fraud and waste.

Cash and banking

Controls at some councils failed to prevent use of externally restricted cash and investments for improper purposes

Councils process a high volume of cash transactions each year. Effective controls over cash collection, disbursements and reconciliations can reduce the risk of fraud and error.

Two high-risk findings were reported for Bathurst Regional Council and Upper Hunter Shire Council who breached the LG Act by spending externally restricted cash and investments for an improper purpose.

Other common findings include:

• poor controls and processes for recording, monitoring and reporting externally restricted cash and investment balances
• outdated banking signatories
• non-compliance with loan covenant requirements.

Lack of effective cash management, including externally restricted cash, can lead to a breach of the LG Act, as outlined in the case study below.

Some councils have established effective cash management, as outlined in the case study below.

Revenue and receivables

Councils receive revenue from a range of different sources, including ratepayers, users of facilities, other levels of government and developers. Councils require appropriate controls to accurately record revenue and receivables in compliance with Australian Accounting Standards and other legal requirements.

Many councils need to improve their revenue processes and controls

One high-risk finding was reported for lack of controls and effective process for collecting revenue from water supply, including lack of effective review of quarterly billing reports, resulting in incorrect charges to customers.

Other revenue and receivables findings include:

• not formally assessing grant funding against measurement criteria under AASB 15 ‘Revenue from Contracts with Customers’ and AASB 1058 ‘Income of Not-for-Profit-Entities’
• not regularly updating and reconciling the grant register
• a lack of independent review of changes made to data in revenue systems and revenue master files
• a lack of exception reporting
• incorrect classification of properties for rating purposes.

Poor revenue controls can negatively impact customers and the reputation of councils, as outlined in the case study below.

From 1 July 2024, the Local Government (General) Regulation 2021 (the Regulation) requires all councils, county councils and joint organisations to:

• adopt and implement a framework for identifying and managing risk
• appoint an internal audit coordinator and adopt an internal audit charter
• have a chairperson and at least two independent members on the ARIC
• attest to compliance with Division 6A of the Regulation in their annual reports.

The Regulation requires councils, county councils and joint organisations to notify the Departmental Chief Executive within 28 days of the failure to comply with the Regulation, and to publish a statement of non-compliance in the annual report.

The OLG has issued ‘Guidelines for Risk Management and Internal Audit’, a model terms or reference for ARICs, model charter for internal audit and other templates to assist councils in implementing the requirements.

Risk management

Risk management helps councils to identify, assess and address potential risks. Maintaining sound risk management ensures that the council can manage uncertainties in a proactive way. This delivers benefits, such as improved decision-making and efficiency, while protecting resources and reputation.

Not all joint organisations have a framework for identifying and managing risk

Four joint organisations do not have a framework for identifying and managing risk as required by the Regulation.

Deficiencies in risk management could contribute to poor decision making, the inability to achieve organisational objectives, and financial losses. Councils should identify and effectively manage risks and opportunities to mitigate threats to assets, reputation and operational continuity.

Internal audit

The Institute of Internal Auditors defines internal audit as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

There is no internal audit function at 8 councils and 7 joint organisations

Eight councils and 7 joint organisations do not have an internal audit function as required by the Regulation.

These councils and joint organisations are missing out on opportunities to improve the effectiveness of their internal control environment, including risk management, compliance, fraud control, improved efficiency and cyber resilience. They should establish internal audit or consider sharing internal audit with another council.

The case study below shows the benefits of sharing the internal audit function.

Audit, Risk and Improvement Committees

In accordance with the LG Act, an ARIC must keep under review the following aspects of the council’s operations:

• compliance
• risk management
• fraud control
• financial management
• governance
• implementation of the strategic plan, delivery program and strategies
• service reviews
• collection of performance measurement data by the council
• any other matters prescribed by the regulations.

All councils have an ARIC, but six do not comply with membership requirements

All councils have an ARIC, and all but 6 have a chairperson and 2 independent members as required. The 6 councils advised that they are in the process of seeking additional independent members. Councils should enhance succession planning arrangements to ensure membership of ARICs comply with requirements.

Five joint organisations have no ARIC. Some of these are in the process of being dissolved. The remaining joint organisations should consider a shared ARIC in 2025–26.

Not all ARICs cover the required aspects of council operations

Many councils do not comply with certain requirements of the Act and guidelines that set out the elements of council operations that should be considered. This is summarised in the table below.

Source: Audit Office findings.

In setting the agenda for the ARIC work plan, councils should review the requirements of the Act and guidelines to ensure that the committee is being provided with information on, and giving appropriate attention to, all aspects of council operations.

Due to the timing of meetings, it was not always possible for financial statements to be reviewed prior to submission to audit. In most of the 33 councils where the committee did not review financial statements prior to submission, the ARIC reviewed the financial statements at the completion of the audit and before presentation of the financial statements to the governing body.

Councils should consider the timing of ARIC meetings in conjunction with financial statement preparation timelines to ensure that these committees review financial statements before they are presented for audit.

Management did not certify the effectiveness of internal controls at 61 councils

From 1 July 2024, ARIC responsibilities have included reviewing and advising on whether:

• financial management processes and controls are adequate
• cash management policies and procedures are adequate
• controls are monitored and reviewed to ensure that they are operating as intended.

To fulfil these and other responsibilities, management should certify the effectiveness of internal controls for the ARIC. There is no template for this in the OLG guidelines and the ARICs are still determining the form and content of what they need from management to satisfy this requirement. It is better practice to also provide this certification to those signing the Statement by Councillors and Management in the financial statements.

NSW government agencies’ chief finance officers must provide an annual letter of certification that:

• acknowledges their responsibility in designing, implementing, monitoring and continually evaluating the operating of the internal controls framework over the agency’s financial systems and information
• certifies the effectiveness of the operation of the internal control framework over financial systems and information throughout the financial year, and summarises any control weaknesses and deficiencies, their potential impact on financial systems and information, and any remedial action plans, including mitigating controls.

Some councils use an abridged version to satisfy this requirement.

Councils are responsible for development and management of a wide range of infrastructure, including roads, bridges, footpaths, stormwater drainage, water supply and sewerage.

Councils spent $6.1 billion to renew and acquire IPPE during 2024–25

At 30 June 2025, councils collectively managed $223 billion of IPPE.

The graph below shows the composition of assets managed by councils at 30 June 2025.

Councils are delivering 29 projects with total capital budgets of more than $30 million

Councils were delivering 29 projects with total capital budgets of more than $30 million at 30 June 2025. The total collective budget for these projects was $1.5 billion.

The graphs below show the status of the budget and schedule for each of these projects. Fifty-nine per cent of councils were within the original budget at 30 June 2025. In contrast, 72% of projects are experiencing delays, ranging between 24 days and 5 years.

Guidance for managing capital projects is outdated and inadequate

The Office of Local Government (OLG) requires that councils apply the Capital Expenditure Guidelines for all infrastructure facilities that will cost more than 10 per cent of ordinary annual rate revenue, or $1 million, whichever is greater. The guidelines do not apply to:

• capital expenditure on land purchases, land remediation, water supply networks, sewerage networks, stormwater drainage, domestic waste management facilities, roads, footpaths and bridges
• public–private partnerships
• projects funded under the Public Reservices Management Fund Act 1987
• design and feasibility studies that do not commit to a project.

The guidelines require councils to:

• develop a preliminary business case
• undertake a capital expenditure review that considers the need for the project, the capacity of the council to manage the project to completion, financial implications, alternative approaches and public consultation
• for projects of more than $10 million, develop project management, risk management and probity plans
• report on projects to council on a regular basis.

Under these guidelines, councils are required to notify the OLG of all capital expenditure projects that meet the criteria. This process does not provide assurance or approval. Councils are responsible for approval and management under their own financial delegations and governance arrangements.

The current guidelines have a narrow focus on project initiation and do not reflect the complexity and risks of modern infrastructure delivery. Other NSW public sector agencies are governed by a framework of policies and guidelines that aim to ensure value for money, efficient procurement and effective project management across the project life cycle.

These guidelines, and the notification process, do not provide guidance for councils on the types of project assurance arrangements, such as gateway reviews or assurance programs, which could be considered in project delivery and across the project life cycle. Neither do they provide assurance of a business case at the outset.

The OLG does not require councils to follow a mandatory framework for responsible AI adoption

To safeguard ethical standards and uphold the integrity of public institutions, as well as the rights of constituents, it is essential that councils establish robust governance frameworks to guide the development, deployment and oversight of AI technologies.

The OLG has not established a mandatory framework or minimum requirements for councils in relation to the adoption and responsible use of AI. While the Australian and NSW Governments have issued separate frameworks, it is not mandatory for a council to follow either. This increases the risk that councils may not have a robust approach to managing both the opportunities and risks presented by AI technologies.

The frameworks issued by both the Australian and NSW Governments establish:

• AI ethics principles
• AI assurance assessment requirements
• various other guidance and supporting material, including specific guidance on facets like generative and agentic AI and procurement essentials.

These frameworks offer a reference for councils to evaluate their readiness for implementing AI. The OLG could draw on the principles and guidance established in these frameworks to inform a mandatory framework or minimum requirements for councils. This will help to ensure that a consistent, responsible and effective method for managing AI risks is used across the local government sector.

Councils are in the early stages of AI adoption

Ninety councils have reported adopting a total of 109 different AI tools, either in pilot or fully implemented. However, this figure may be underestimated, as fewer than half of the councils currently monitor the number of AI tools they have implemented, and AI is increasingly being integrated into procured software solutions. One council reported adopting 15 AI tools, the most of any council.

Councils advised that they mostly use generative AI tools for general productivity and workflow enhancements. On a more limited basis, councils also reported using AI for:

• resident/developer interaction and support, including support for understanding land use or completing planning applications
• recruitment support
• cyber security support
• asset quality and maintenance assessments
• waste contamination identification.

Councils expect that AI use will continue to grow. Of the councils included in this chapter, 51% advised that they had AI tools under consideration, planning or development that were not yet in use at time of this report.

Councils should ensure that fit-for-purpose governance arrangements are in place before deploying AI

Although councils are only in the initial phases of adopting AI, emphasising governance and strategy before implementation will position them for long-term success. A strong foundation will help councils proactively address potential risks, such as bias, security and privacy, and removing barriers that will hinder effective adoption.

Sections 9.3 and 9.4 of this chapter consider in more detail the current state of councils’ governance and strategies supporting the use of AI.

Councils will need to remove several key barriers to support effective AI adoption

Councils identified challenges associated with the adoption and use of AI, including the following:

• Resource and budget constraints: councils reported limited financial resources, staffing and capacity to take advantage of the emergence of AI.
• Data quality, security, and privacy: concerns included ensuring data is accurate, secure, properly classified and protected, especially given the sensitive nature of council information.
• AI literacy and education: councils highlighted the need for comprehensive staff education on AI, including ethical and responsible use. The rapid evolution of AI creates a challenge for councils to keep governance, security and skills up to date.
• Governance, policy and ethical use: councils face challenges in establishing and maintaining effective AI governance, including developing policies, frameworks and ethical guardrails that keep pace with rapidly evolving technology and regulatory requirements.
• Technology readiness and integration: many councils reported challenges with outdated IT infrastructure, making it difficult to adopt, integrate and manage AI tools securely and effectively.
• Vendor management and approved tools: councils noted challenges in controlling which AI tools are used by staff, and managing risks associated with AI being embedded into operational systems without awareness.

Councils will need to maintain central oversight of AI adoption

Only 10% of councils advised that they had identified and documented all AI tools implemented in a centralised inventory. This is likely impacted by the fact that many councils have only adopted a few AI tools. However, as new AI tools emerge and are being implemented, councils may struggle to maintain visibility over which technologies are in use. This challenge is also affected by the growing integration of AI into procured software and in updates to existing software, increasing the risk councils do not know which AI is being used by staff and how and whether it is being managed responsibly and ethically.

A centralised inventory of AI tools in use is important for transparency, oversight and accountability. Without such oversight, councils cannot assure themselves that they have fit-for-purpose governance arrangements in place to oversee the use of AI.

Good governance and assurance arrangements support the effective delivery of ethical and lawful AI. There is no one size fits all governance model. The National framework for the assurance of artificial intelligence in government outlines that governance structures should be proportionate and adaptable to encourage innovation while maintaining ethical standards and protecting public interests.

Fewer than half of all councils have an AI policy

Only 40% of councils have established formal AI policies or embedded consideration of AI into existing policies. Some councils reported that an AI policy was under development or review.

An AI policy is an important element of good governance because it establishes ethical principles that guide the development, deployment and ongoing management of AI tools. It also provides a clear framework for decision making and accountability.

Councils must integrate AI into their existing governance arrangements as use grows

Councils must integrate AI considerations into their governance frameworks more effectively to address the specific and unique risks posed by AI. This includes evaluating AI’s broader impacts on accountability structures, policies and procedures (such as IT, procurement, risk management), and ensuring staff are adequately trained to take advantage of AI and ensure its responsible use. As more AI tools are developed and deployed, appropriate integration with current governance structures will become more important.

The table below details the governance over the adoption and use of AI by councils, focusing on whether the specific and unique risks posed by AI have been considered.

Enhanced visibility of opportunities, challenges and risks will better position councils to leverage the benefits of AI; however, most councils do not yet have an AI strategy

Only 10% of councils have reported to senior management or relevant council committees regarding the adoption and use of AI. Additionally, just 24% are systematically recording or monitoring risks associated with AI within their risk registers. While councils are in the early stages of adopting AI, only 11% have an AI adoption strategy.

This, and the limited level of oversight, could significantly hinder councils from fully leveraging the potential benefits that AI offers, leading to fragmented efforts that don’t fully align with councils’ objectives. Additionally, risks, both strategic and operational, may not be identified and mitigated.

Some councils are currently developing either a dedicated AI strategy or integrating one into a broader plan.

Cyber security insights 2025 highlights the following issues in local government cyber security risk management and processes over the past 8 years:

• cyber security policy adoption was only improving incrementally
• cyber security framework adoption improved but only 26% of councils adopted the Guidelines
• councils had not identified all their information assets that required protection.

The chart below shows selected cyber security control gaps from 2019−25. While the results do not mean that all risks are mitigated, it is encouraging that councils have focused on these gaps and there have been some improvements to cyber security controls over the past three years, in comparison to when the Audit Office first reviewed these controls in 2019.

As organisations continue to utilise third-party systems and services, the potential for cyber threats originating from a breached third party has grown significantly.

Understanding and managing cyber risk in supply chains is essential for maintaining business continuity and protecting valuable data and assets.

The Audit Office reviewed the process in place for managing cyber security risk, including risk arising from supply chains. This assessment focused on determining whether councils:

• effectively maintain, manage and monitor their cyber security risks, encompassing both internal threats and those associated with third parties and overall supply chains
• maintain up to date inventories of all assets related to both external and internal systems, supported by robust procedures to ensure completeness and appropriate risk classification of each asset
• employ structured protocols for third-party management, including formal due diligence practices, clear definition and oversight of roles and responsibilities, as well as ongoing management of security risks throughout the life cycle of IT partnerships.

Seventy-five councils do not include cyber security supply chain risk in their risk register

Only 75 councils (60%) included cyber threats in their risk register. Of these:

• only 80% have formal plans to mitigate their cyber security risk
• 60% (75) have not recognised cyber security supply chain risk in their registers.

Adoption of them is not mandatory, but the Guidelines provide advice on managing these cyber security supply chain risks. Foundational and detailed requirements 1.10 guides councils in how to identify and manage third-party service provider risks, facilitated by governance and contractual controls.

Seventy per cent of councils have not risk assessed their technology assets, and 31% do not record their understanding of external systems or services

Seventy per cent of councils did not have formal processes or criteria to formally classify and risk assess their technology assets that need protection. Identifying and assessing risk to their technology assets enable councils to prioritise cyber security controls according to business-critical information and high-risk assets.

There are gaps in understanding council third-party systems and services. Eighty-seven per cent of councils inventoried their internal systems and hardware, yet only 69% identified third-party services or systems. This may leave them vulnerable to understanding their interdependency and their exposure to third-party cyber security risks.

Seventy-one per cent of councils lacked formal governance over exception approvals for patching systems

Seventy-one per cent of councils did not have formal processes for documenting and approving exceptions where a business has accepted the risk of not applying required or recommended patches. Leaving systems without required or recommended patches may lead to vulnerabilities in the system and the IT environment, increasing the possibility of systems and information being breached.

More cyber security incident planning involving third-party providers is needed

Councils have weaknesses in their readiness to respond adequately and appropriately to cyber security incidents. Thirty-two per cent of councils do not have a formal cyber incident response plan, and 61% of councils do not periodically test their plans. Further, many do not have plans to test them or testing is ad hoc. Eighty per cent of councils do not include third-party providers when testing their cyber incident response plans.

There are weaknesses in managing third-party cyber security risks

Councils that do not manage third-party cyber security risks effectively expose themselves to significant vulnerabilities that may lead to data breaches, operational disruptions, financial losses and reputational damage.

Only 42% of councils have a formal due diligence process that includes cyber security risk that must be performed before entering supplier relationships. The remaining councils explained that they do not have those due diligence processes formalised, and cyber security risk is not specifically considered or will be developed.
In addition:

• 73% of councils do not have formal policies and procedures for the management of supply chain cyber security risk
• 63% of councils do not monitor and enforce third-party cyber security responsibilities throughout the technology product and service life cycle.

Cyber security insights 2025 identifies third-party risk management as one of the most significant and ongoing challenges facing NSW public sector agencies. These issues were more persistent from the Cyber security in local government audit, which reported that all three councils were not identifying or managing third-party cyber security risks effectively. Case studies of cyber incidents involving third parties are highlighted in both reports, showing the reality of cyber security risks coming from third parties.

The Guidelines give optional requirements to manage third-party risks. Once providers are identified, incidents, compliance and contract clauses must be managed.

In addressing ongoing cyber threats, councils must respond and protect their assets and data. However, technology is changing constantly in response to evolving cyber threats, making it crucial to continuously assess the effectiveness of cyber security investments. Regular monitoring ensures that the security measures in place are up to date and capable of addressing the latest threats and risks.

It also helps identify any gaps or outdated systems that may no longer provide adequate protection.

The Audit Office analysed processes that are in place for managing cyber security procurement and benefit realisation, including identification and management of duplicate/redundant cyber security tools and services. The assessment focused on determining whether councils:

• measure the effectiveness of their cyber security spending
• have processes or practices to prevent resource wastage or duplication of efforts in cyber security initiatives.

Seventy-two per cent of councils do not measure the effectiveness of cyber security spending

Seventy-two per cent of councils do not measure the effectiveness of their spending on cyber security. Evaluation of effectiveness was limited at most councils due to the absence of formal and proactive processes or a performance management framework. Informal assessment of financial effectiveness was considered during procurement or in response to budgetary pressures.

Forty councils that measured their spending effectiveness used qualitative metrics, including evaluation of their performance against their cyber frameworks or metrics on the number of blocked cyber security attacks. Twenty-two (55%) of these councils did not measure the financial benefits or cost efficiency of their cyber security spending. Assessing the cost efficiency of cyber security investments is crucial for efficient resource allocation, justifying expenditures, managing risks, ensuring stakeholder confidence, maintaining regulatory compliance and enabling continuous improvement.

Seventy-nine per cent of councils do not have a formal process for identifying and managing underutilised, redundant or outdated cyber security tools and services

Managing underutilised, redundant or outdated cyber security tools and services is essential as it:

• helps maintain a robust security posture by ensuring that all tools and services are effective and up to date, thereby reducing vulnerabilities and potential entry points for cyber attackers
• optimises resource allocation, allowing agencies to reallocate funds from ineffective tools to more impactful security measures. This not only enhances overall security but also ensures that the cyber security budget is used efficiently.

Councils advised that:

• 21 councils have at least one underutilised cyber security tool due to staff capability gaps or projects still in progress
• 8 councils have at least one redundant cyber security tool, but several councils were still developing processes to identify redundant tools
• 7 councils have outdated tools or services. Two of these councils are planning to upgrade and migrate their systems to improve their capability
• 42 councils have terminated a cyber security tool or service that was not improving their capability, not cost effective or was underutilised, redundant or outdated.