Report on Local Government 2019

Auditor-General's foreword

I am pleased to present my third report to the Parliament on the 2019 audits of local government councils in New South Wales.

This report notes that unqualified audit opinions were issued on the 2018–19 financial statements of 134 councils and 11 joint organisations. The opinion for one council was disclaimed and three audits are yet to complete.

The report also highlights improvements I have seen in financial reporting and governance arrangements across councils. Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices, including fraud control systems, have also improved.

These are very pleasing indicators of the gradual strengthening of governance and financial oversight of the sector. I want to acknowledge the investment councils have made in working with the Audit Office to improve consistency of practice and accountability generally.

Of course there is more work to do, particularly to prepare for new accounting standards and to strengthen controls over information technology and cyber security management. Asset management practices can also be improved. This report provides some guidance to council on these matters and we will continue to partner with the Office of Local Government in the Department of Planning, Industry and Environment to support good practice.

Margaret Crawford

Auditor-General
5 March 2020

Media release

This report focuses on key observations and findings from the 2018–19 financial audits of councils and joint organisations.

Unqualified audit opinions were issued on the financial statements for 134 councils and 11 joint organisations. The audit opinion for Bayside’s 2017–18 and 2018–19 financial statements were disclaimed. Three audits are still in progress and will be included in next year’s report.

The report highlights a number of areas where there has been improvement. There was a reduction in errors identified in council financial statements and high risk issues reported in audit management letters. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices and fraud control systems have also improved.

The report also found that councils could do more to be better prepared for the new accounting standards, asset management practices could be strengthened, and information technology controls and cyber security management could be improved.

The Auditor-General recommended that the Office of Local Government within the Department of Planning, Industry and Environment develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

Read the PDF Report

Video overview

At a glance

NSW 128 local councils, 10 county councils, 13 joint organisations. Overview shows $15.3b revenues, $12.4b expenses, $166.0b assets and $7.3b liabilities
Audit results 
  Previous year Current year
Unqualified opinions 99% 99%
Disclaimed opinion 1 1
Incomplete audits 2% 2%
Submitted on time 80% 79%
Total value of prior period errors $2.4b $1.3b

 

Performance measures - Percentage of councils meeting the performance measures prescribed by OLG*
  Previous year Current year
Operating performance 74% 63%
Own source operating revenue 62% 63%
Cash expense cover ratio 99% 98%
Debt service cover ratio 96% 98%
Unrestricted current ratio 96% 96%
Outstanding rates and annual charges 90% 84%
*Office of Local Government within the Department of Planning, Industry and Environment (OLG)

 

Audit matters raised with councils

1,947 Total issues identified

Previous year: 1,728

71 High risk issues

Previous year: 83

Information technology 41%
Financial accounting 11%
Asset management 17%
Financial reporting 13%
Purchasing 8%
Other 10%

 

Information technology findings
  Previous year Current year

IT issues relate to access management

60% 68%
Councils do not have cyber security policy or framework - * 80%
*We did not look at this issue last year, which is why there is no data available.

 

 Asset management findings
  Previous year Current year
Issues with asset management systems 66 107
Issues with asset valuation processes 50 67
Crown land asset records:  Some discrepancies between DPIE and council records
Accounting for landfill sites: Inconsistent practices observed across councils

Insights for councils

Strengthen the quality and timeliness of financial reporting

Councils should:

  • allocate sufficient time and resources to the financial reporting process. Refer to page 18 for better practice guidance
  • have appropriate systems, processes and resources to implement the new accounting standards. Refer to page 20 for some key points to consider in the transition.
Improve governance and internal controls

Councils should:

  • ensure that audit recommendations in our management letters are addressed in a timely manner. High risk issues need to be prioritised and repeat issues from prior years resolved
  • have an audit, risk and improvement committee, which is a mandatory requirement by March 2021. Early adoption is encouraged
  • have an internal audit function to support a risk and compliance culture
  • have a legislative compliance framework to capture and monitor compliance with key laws and regulations
  • continue improving their fraud control systems
  • have adequate processes and controls to ensure compliance with their gifts and benefits policy and the Model Code of Conduct.
Strengthen IT controls and cyber security management

Councils should:

  • ensure key IT policies are formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment
  • ensure IT risks are identified and appropriately managed
  • improve user access management processes to ensure that information systems are secure and that there are adequate controls for making changes to information systems
  • implement at least the basic governance and internal controls to manage risks associated with cyber security.
Improve asset management practices

Councils should:

  • regularly update asset registers, reconcile their asset registers with asset management systems and have suitable controls in place to ensure the integrity of manual spreadsheets
  • start the asset valuation process earlier and ensure there is a clear plan to ensure valuations are managed and documented appropriately
  • periodically reconcile asset registers to the Crown Land Information Database (CLID) and investigate any discrepancies in a timely manner
  • review the methodology and assumptions in how they account for landfill sites.

Recommendation for the Department

The Office of Local Government within the Department of Planning, Industry and Environment should develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

1. Introduction

1.1 The Local Government Sector

Local Government is the third tier of government. It is established under state legislation, which defines the powers and geographical areas each council is responsible for.

Each council is a statutory corporation with elected councillors forming the governing body to direct council affairs in line with the Local Government Act 1993 and Local Government (General) Regulations 2005. Local councils provide services and infrastructure for a geographical area.

County councils are formed for specific purposes such as to supply water, manage flood plains or eradicate noxious weeds.

At 30 June 2019, there were 128 local councils, ten county councils and 13 joint organisations in New South Wales.

Animated picture of buildings in a city
Rural councils 38%
Regional councils 24%
Metropolitan councils 22%
Joint organisations 9%
County councils 7%

This report details the results of the 2018–19 financial audits of 125 councils, ten county councils and 11 joint organisations. It also includes the results of the 2017–18 financial audits of Bayside Council, Hilltops Council and Maitland Council which are now completed.

We are yet to issue an audit opinion on the 30 June 2019 financial statements of the following councils:

Council Reason for extension
Hilltops Council Resourcing issues at council and implementing a new IT system.
Mid Coast Council Resourcing issues at council and implementing a new IT system.
Murrumbidgee Council Resourcing issues at council.

Next year's Report to Parliament will include the outcome of these incomplete audits.

In preparing this report, the comments and analysis are drawn from:

  • audited financial statements
  • our performance audit reports
  • data collected from councils
  • audit findings reported to councils in our management letters.

1.2 Financial snapshot

The snapshot below shows the collective assets, liabilities, revenues and expenses for councils that make up the Local Government sector over the past three years. Each council is an independent entity that provides a range of services, influenced by its population density, demographics, economy, geographic and climatic characteristics. These characteristics influence the financial profile of each council.

  2017 2018 2019
Assets $152.1 billion $159.1 billion $166.0 billion
Liabilities $6.7 billion $6.9 billion $7.3 billion
Revenues $14.8 billion $14.9 billion $15.3 billion
Expenses $11.4 billion $11.7 billion $12.4 billion
Source: Audited financial statements for 30 June 2017, 30 June 2018 and 30 June 2019.

1.3 Joint Organisations

On 30 November 2017, the NSW Government amended the Local Government Act 1993 allowing councils in regional NSW to form Joint Organisations (JOs).

Map of New South Wales showing 13 Joint Organisations
Note: Eighty-six councils in regional NSW are members of 13 JOs.

The core activities of JOs include regional strategic planning and priority setting, regional advocacy and collaboration with the State and Australian Governments. In addition, JOs can also engage in shared services with member councils.

In accordance with the legislation, 11 out of 13 JOs were required to prepare financial statements for audit by the Auditor-General from 2018–19 onwards. The Far North West JO and Far South West JO were established on 12 July 2018. The Local Government (General) Regulation 2005 allows a Joint Organisation established after 1 July 2018 to prepare its first set of financial statements from the date of establishment to the last day of the financial year for the next period, which is 30 June 2020. The financial statements for the Far North West JO and Far South West JO will be audited next year.

1.4 Audit Office Annual Work Program

In addition to forming an opinion on the financial statements of councils, our audits examine a small number of specific topics across councils. We determine which topics to consider by looking for opportunities to improve public-sector accountability, governance and administration. We also consider the risks and challenges to councils in the Local Government sector and how these may be addressed during our audits. Our annual work program is carried out through our financial and performance audits.

Our 2018–19 financial audits focused on:

  • Credit card management (see Chapter 3)
  • Fraud controls (see Chapter 3)
  • Gifts and benefits (see Chapter 3)
  • Cyber security (see Chapter 4)
  • Landfill rehabilitation (see Chapter 5).

The following performance audits are scheduled to be published in 2020:

  • Credit card management
  • Developer contributions and voluntary planning agreements
  • Management of procurement.

Post 30 June 2020, the following performance audits are planned:

  • Audit, Risk and Improvement Committees
  • Cyber security
  • Rural water supply and sewerage - fees and charges.

 

2. Financial reporting and performance

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision making is enhanced when financial reporting is accurate and timely. Strong financial performance provides the platform for councils to deliver services and respond to community needs.

This chapter outlines our audit observations on the financial reporting and performance of councils and joint organisations.

Section highlights
  • There was a reduction in the number and dollar value of errors identified in councils' financial statements.
  • We continue to identify prior period errors, which are predominantly asset-related.
  • Unqualified audit opinions were issued for 99 per cent of completed audits for councils and joint organisations.
  • Three audits remain outstanding, with the outcomes to be reported in next year's Report to Parliament.
  • Seventy-nine per cent of councils and joint organisations lodged their financial reports by 31 October 2019.
  • Councils that performed some early reporting procedures achieved better outcomes in terms of the quality and timeliness of financial reporting.
  • Councils are at various levels of preparedness to implement the new accounting standards for the 2019–20 financial year. Some have made the necessary modifications to systems and processes, but others are still assessing impacts.
  • Most councils met the prescribed benchmarks for the liquidity and working capital performance measures over the past three years.
  • More councils reported negative operating performance compared with the prior year, meaning their operating expenditure exceeded their operating revenue.

    2.1 Quality of financial reporting

    The Auditor-General is required under the Local Government Act 1993 to issue an audit opinion on the following reports prepared by councils.

    General Purpose Financial Statements General purpose financial statements include the financial position and performance for overall council operations.
    Special Purpose Financial Statements Special purpose financial statements for declared business activities are required when councils provide services that compete with market participants.
    Special Schedule –Permissible Income Special Schedule - Permissible income for general rates details the amount councils can levy for rates in the next financial year. This amount is capped by the rate-peg limit set by the Independent Pricing and Regulatory Tribunal NSW.

    Indicators of quality financial reporting include:

    • unqualified audit opinions
    • low number of errors in the financial statements
    • less issues reported in our management letters relating to financial reporting processes.

    Audit opinions

    For completed audits, unqualified audit opinions were issued for all but one council

    Except for Bayside Council, the 2018–19 financial statements in the sector were free of material misstatement and users can rely on them to make informed decisions.

    99% unqualified audit opinions

    1% disclaimed audit opinion

    Three audits remain outstanding and the outcomes will be reported in next year's Report to Parliament.

    Two unqualified opinions and one disclaimed opinion issued on the 2017–18 audits

    Three financial audits from the previous year were not completed at the time of tabling the 'Local Government 2018' report in Parliament. We subsequently issued unqualified opinions for two of these councils and a disclaimed opinion for Bayside Council.

    Hilltops council did not meet the extension date approved by OLG for the 2017–18 audit. This was a breach of section 416 of the Local Government Act 1993 and was reported to the Minister for Local Government.

    Audit opinions for the 30 June 2019 and 30 June 2018 financial statements of Bayside Council were disclaimed

    A disclaimed audit opinion was issued for the 30 June 2018 financial statements of Bayside Council. This was based on management being unable to confirm that the financial statements present fairly the financial performance and position of the Council due to control deficiencies in the Council's financial accounting systems.

    Consequently, there was insufficient audit evidence to support the opening balances at 1 July 2018. This impacted the Income Statement, Statement of Comprehensive Income, Statement of Changes in Equity, Statement of Cash Flows and related notes accompanying the financial statements for the year ended 30 June 2019. We were also unable to obtain sufficient evidence to support the completeness and accuracy of stormwater drainage assets recorded in the 30 June 2019 financial statements. The pervasiveness of these issues resulted in a disclaimed opinion for the 30 June 2019 financial statements. Except for stormwater drainage assets, the opening balances as at 1 July 2019 were not impacted.

    Financial statements

    Our audits identified 133 issues (2017–18: 133 issues) relating to financial reporting processes. Thirty-two per cent were repeat issues.

    Infographic showing issues related to financial reporting processes
    Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

    High risk issues were reported at the following councils:

    Council Description
    Berrigan Shire Council The financial statements were delayed, key areas of the financial statements were not reconciled, and significant errors were identified and corrected.
    Central Coast Council The financial statements were significantly delayed, key reconciliations of the financial statement areas were prepared late in the process and there were a number of errors and disclosure deficiencies that were identified and corrected.
    Cootamundra-Gundagai Council The financial statements were delayed and a number of errors were identified and corrected. There were significant delays in reconciling the fixed asset balances to the general ledger and preparing a full set of financial statements.
    Dungog Shire Council The financial statement preparation process was delayed due to reconciliation of significant differences between the fixed assets register and the general ledger.
    Federation Council The financial statements were delayed, and significant errors were identified and corrected.
    Inner West Council The financial statements were delayed due to data migration to a new system, issues with the asset reconciliations and council staff resourcing. Numerous errors and disclosure deficiencies were identified and corrected.
    Murrumbidgee Council

    Council did not have workplans, timetables and adequate resourcing in place for the financial reporting process.

    Council was not regularly performing key functions such as reconciliations. These factors, along with the delays in the migration into a new IT system, led to significant delays in the financial reporting process.

    Murray River Council The financial statements were delayed due to council resourcing issues. A number of issues and errors were identified during the audit which were corrected.
    Riverina and Murray Joint Organisation The financial statements were delayed and there were a number of errors and disclosure deficiencies which were corrected.

    Common issues classified as moderate or low risk include:

    • not adequately assessing the impact of new accounting standards
    • inadequate financial reporting project plan, impacting the quality and timeliness of financial reporting.
    Reduction in number and dollar value of errors identified

    Our audits identified fewer errors, both in number and dollar value, compared to the prior year.

    Year ended 30 June     2019     2018
      Mauve circle with tick inside Red circle with exclamation Yellow circle with white minus sign Mauve circle with tick inside Red circle with exclamation Yellow circle with white minus sign
    Less than $5 million 161 214 27 181 283 28
    $5 million to $15 million 14 8 15 21 12 18
    $15 million to $30 million 6 0 7 7 1 4
    $30 million to $50 million 3 0 3 2 1 3
    $50 million and greater 1 0 7 4 0 7
    Total number of errors 185 222 59 215 297 60
    Total number of errors ($ billion) 0.5 0.2 1.3 1.0 0.4 2.4
    Key  Mauve circle with tick insideCorrected errors Red circle with exclamationUncorrected errors Yellow circle with white minus signPrior period errors
    Source: Engagement Closing Reports for 30 June 2019 audits. 
     
    Fifty-nine prior period errors were identified with a total value of $1.3 billion

    Our audits identified 59 prior period errors with a total value of $1.3 billion affecting the financial statements of councils (2017–18: 60 prior period errors with a value of $2.4 billion). These errors were subsequently corrected by the councils.

    Most of the prior period errors were asset-related. 

    59% poor asset management systems and records (e.g. duplicate assets, unrecorded assets)

    9% errors in comprehensive revaluations

    19% assets not carried at fair value

    13% other 

     Source: Engagement Closing Reports for 30 June 2019 audits.

    2.2 Timeliness of financial reporting

    Seventy-nine per cent of councils and joint organisations lodged their financial reports on-time

    The Local Government Act 1993 requires councils to submit audited financial reports to OLG by 31 October or apply for an extension.

    Seventy-nine per cent of councils and joint organisations1 (2017–18: 80 per cent of councils) lodged their 2018–19 audited financial reports before the deadline. More councils lodged their financial reports during September or earlier*.

    Infographic showing timeliness of financial reports lodged with OLG
    *Councils that lodged their financial reports during September or earlier include Bourke Shire Council, Campbelltown City Council, Coolamon Shire Council, Georges River Council, Hunter Joint Organisation, Ku-ring-gai Council, Narrandera Shire Council, New England Weeds Authority, Northern Beaches Council, Penrith City Council, Riverina Water County Council, The Hills Shire Council, Upper Macquarie County Council.

    Castlereagh Macquarie County Council, Illawarra Shoalhaven Joint Organisation and Mid North Coast Joint Organisation did not submit their audited financial statements by the statutory deadline and did not apply for an extension before the deadline lapsed. This constitutes a breach of section 416 of the Local Government Act 1993.

    Twenty-seven councils (2017–18: 24 councils) and three joint organisations applied for extensions to lodge their financial statements. Of these, eight councils applied for a further extension as they were unable to meet the original extension date approved by OLG.

    The diagram shows the common reasons why councils required extensions.

    42% resourcing issues

    28% poor financial records

    20% data migration issues

    10% asset valuation delays

    Source: Council extension letters.
     
    Sixty-two per cent of councils performed early financial reporting procedures

    This year, 62 per cent of councils (2017–18: 44 per cent of councils) performed early financial reporting procedures, including:

    • completing infrastructure, property, plant and equipment valuations before 30 June
    • preparing proforma financial statements and associated disclosures
    • assessing the impact of complex and one-off significant transactions.

    Eighty-five per cent (2017–18: 85 per cent) of councils who performed some early financial reporting procedures lodged their financial statements within the statutory deadline.

    Ninety-two per cent (2017–18: 85 per cent) of councils who performed valuations before 30 June lodged their financial statements within the statutory deadline.

    It is important that councils appropriately plan the financial reporting process to ensure statutory deadlines are met. Better practice guidance is provided below with some key actions to assist councils to improve the quality and timeliness of their financial reporting. 

    Better practice financial reporting
    Mauve circle with white tick inside Have a project timetable to effectively plan resources, assign key tasks and set timeframes. Mauve circle with white tick inside Reconcile key general ledger accounts to subsidiary ledgers and other information such as fixed asset registers.
    Mauve circle with white tick inside Prepare proforma financial statements to enable early review of the format, adequacy of accounting policies and note disclosures, and declutter and remove unnecessary notes. Mauve circle with white tick inside Engage the audit, risk and improvement committee early to consider the financial statements, key accounting estimates and significant changes in accounting policies.
    Mauve circle with white tick inside Revisit the project plan regularly to identify and manage delays and key issues. Mauve circle with white tick inside Assess the impact of new and revised accounting standards effective in the current and future years.
    Mauve circle with white tick inside Analyse budget variances and movements from prior year. Mauve circle with white tick inside Document proposed action plan to resolve prior year audit issues.
    Mauve circle with white tick inside Organise and manage information requirements from internal and external parties, including valuation experts. Mauve circle with white tick inside Document key assumptions and judgements used for estimates and financial statement preparation.
    Mauve circle with white tick inside Engage early and openly with the auditors. Mauve circle with white tick inside Assess the impact of material, complex and one-off significant transactions.
    Mauve circle with white tick inside

    Have a clear plan to ensure valuations are managed and documented appropriately.

    Conduct comprehensive revaluation of Infrastructure, property, plant and equipment (IPPE) by 30 June, including review of the outcomes for quality and reasonableness and resolving any queries.

    Assess the fair value of IPPE not subject to a comprehensive revaluation by 30 June.

    Mauve circle with white tick inside Keep adequate financial records to support the financial statements.

     Joint Organisations were required to prepare financial statements for audit by the Auditor-General from 2018–19 onwards.

    2.3 New accounting standards

    Three new accounting standards to be implemented this financial year
     
    30 June 2019 AASB 9 'Financial Instruments' (complete)
    30 June 2020

    AASB 16 'Leases'

    AASB 15 'Revenue from Contracts with Customers'

    AASB 1058 'Income of Not-for-Profit Entities'

    30 June 2021 AASB 1059 'Service Concession Arrangements: Grantors'

    Changes in accounting standards can materially impact the financial statements. It is important that councils and joint organisations review the impact of upcoming changes and have appropriate systems, processes and resources to implement the new accounting standards.

    Our audits identified and reported 60 instances (2017–18: 95 instances) where management could be better prepared for the changes to accounting standards. This was an improvement from the previous year and indicates some councils have made progress to prepare for the changes.

    Our audits found councils need to do more work on their impact assessments to minimise the risk of errors in the financial statement disclosures. Some councils disclosed that the new standards would not have a material impact on their reported financial position and performance but had little evidence to support this.

    Each council is unique and implementing the new standards is not straight forward as many new principles apply. Management judgement is needed to interpret how the principles will impact their specific council. As a result, councils face the following risks and challenges:

    • having the required technical skills in house
    • having accurate data and complete contract registers to assess the impacts
    • correctly and consistently interpreting the new requirements
    • adequately planning and preparing for their application
    • implementing new systems and processes to capture the information needed to meet the new reporting obligations.

    To help councils implement the new accounting standards, the OLG conducted workshops, developed guidance and mandated options for councils to adopt on transition.

    The table below shows the key points to consider in the transition.

    Assess Prepare Implement
    Develop a detailed project plan and identify key team members. Engage with key stakeholders, communicate the project plan. Continuous engagement with stakeholders.
    Identify key financial statement line items and complex transactions affected by the new standards. Determine staff training needs, schedule in advance and develop training material.
    Seek guidance from experts, if required.
    Execute staff training.
    Perform gap analysis between current and new recognition principles for revenue, leases and service concessions. Consider and determine what processes need to change to collect relevant data before implementing new accounting standards. Clearly document judgements made when applying the new standards.
    Determine transition options and practical applications. Assess completeness of contract registers and nature of contracts with customers, grant and lease agreements, arrangements with private sector operators.  
    Determine availability and populations of information/data to support these balances. Identify system enhancements or new software solutions to capture information for increased reporting obligations.

    Capture contract information/data.

    Integrate contract information/data into systems, update processes and controls.

    Implement and test completeness and accuracy of data and calculations. Ensure system is operating effectively and fully integrated into council's/joint organisation's operations.

    Adjust opening balances to reflect the impact of the new accounting standards.

      Revise accounting policies and guidelines to align with the new accounting standards. Communicate new policies and guidelines.
      Review and update financial statement disclosures. Socialise the updated accounting disclosures with your auditors.
      Identify impacts on key performance indicators and whether metrics need to change. Revise key performance indicators and internal reporting.

     

    2.4 Financial performance

    Councils are required to report against the performance indicators prescribed by OLG. Council's audited financial statements report performance against the six financial performance measures, including operating performance, revenue, liquidity and working capital measures.

    Operating performance and revenue measures

    The operating performance and revenue measures indicate whether councils:

    • kept operating expenses within operating revenue
    • generated sufficient own source revenue as a proportion of total revenue from all sources.

    Overall, more councils:

    • reported negative operating performance in 2018–19 compared with 2017–18
    • met the benchmark for own source operating revenue in 2018–19 compared with 2017–18.

    63% of councils met the operating performance ratio (2017–18: 74%)

    63% of councils met the own source operating revenue ratio (2017–18: 62%)

    Source: Audited financial statements for 2017–18 and 2018–19.
     
    More councils reported negative operating performance
    Line graph showing councils with negative operating performance from 2017 to 2019

    The percentage of metropolitan, regional and rural councils reporting negative operating performance has increased over the past three years.

    Councils should ensure they have appropriate financial management strategies in place to support their financial performance over the long term.

    Rural councils continue to face challenges in generating own source revenue

    In 2018–19, 68 per cent of rural councils did not meet the own source operating revenue benchmark (2017–18: 62 per cent). The ability to generate own source revenue remains a challenge for rural councils, who are more reliant on external funding from grants. Rural councils have high-value infrastructure assets covering large areas, less ratepayers, lower land values and less capacity to raise revenue from alternate sources compared with metropolitan councils. For example, they have less capacity to generate revenue from sources such as parking fees, property development and rental income.

    Liquidity and working capital performance measures

    The liquidity and working capital performance measures indicate whether councils can:

    • meet their future expenses without additional cash inflows
    • meet their short-term obligations as they fall due
    • service their debt including interest, principal and lease payments
    • collect sufficient rates and annual charges.

    Most councils met the benchmarks for the liquidity and working capital performance measures over the last two years.

    98% of councils met the cash expense cover ratio (2017–18: 99%)

    98% of councils met the debt service cover ratio (2017–18: 96%)

    96% of councils met the unrestricted current ratio (2017–18: 96%)

    84% of councils met the outstanding rates and annual charges benchmark (2017–18: 90%)

    Source: Audited financial statements for 2017-18 and 2018-19

    In 2018–19, all but three councils had the capacity to cover more than three months of expenditure without extra cash inflows (2017–18: one council). Seventy-four councils had enough cash on hand to fund more than 12 months of expenditure (2017–18: 69 councils). Another 52 councils had enough cash to fund between six and 12 months of expenditure (2017–18: 54 councils), and seven councils had enough cash to cover three to six months of expenditure (2017–18: 11 councils).

    Pie graph showing cash expense cover ratio for 2018-19
    Source: Audited financial statements for 2018–19.
     
    Another 19 councils would need to use externally restricted funds to cover three months of expenses

    Some funds are externally restricted and cannot be used for purposes other than what they were collected for, due to legislative or other externally imposed requirements. Councils are not required to exclude externally restricted funds when calculating the cash expense cover ratio.

    If externally restricted funds are excluded from the cash expense cover ratio, an additional 19 councils would not meet OLG's benchmark for the cash expense cover ratio.

    To pay for employees and other operating expenses, councils with low levels of unrestricted funds may need to:

    • borrow funds
    • seek approval from the Minister for Local Government to use externally restricted funds
    • reduce expenses and/or increase revenue.

     

    3. Governance and internal controls

    Strong governance systems and internal controls help councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations and support ethical government.

    This chapter outlines the overall trends related to governance and internal control issues across councils and joint organisations for 2018–19.

    Section highlights
    • While the total number of issues reported in our management letters increased compared with the prior year, the total number of high risk issues have decreased. Of the high-risk issues, 41 per cent were deficiencies in information technology controls.
    • More councils have established audit, risk and improvement committees and internal audit functions.
    • Councils have improved risk management practices, with over 75 per cent of councils now having a risk management policy and register.
    • While most councils have policies and processes to manage gifts and benefits, we identified some instances of non-compliance with the Model Code of Conduct.
    • Most councils have policies and processes to manage the use of credit cards.
    • Councils can strengthen policies and practices for managing fraud controls and legislative compliance.
    • There are further opportunities for councils to improve internal controls over revenue, purchasing, payroll, cash, financial accounting and governance processes.

      3.1 Internal controls

      Our financial audits focus on the key governance matters and internal controls supporting preparation of the councils' financial statements. We assess whether they are designed and implemented effectively to manage the risk of material error in the financial statements.

      We report control deficiencies identified to management and those charged with governance of a council through our audit management letters. The issues are rated as high, moderate or low risk in accordance with the risk management framework in the Treasury Policy Paper 12-03 ‘Risk Management Toolkit for the NSW Public Sector’.

      Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for councils to address.

      The total number of issues reported in our management letters has increased

      The diagram shows the total number of issues reported in our management letters. This year, we reported 1,947 issues compared with 1,728 issues in the prior year.

      Management letters
        Low Moderate High
      Financial reporting 38 86 9
      Payroll 63 72 0
      Governance 78 210 3
      Revenue 58 47 2
      Cash and banking 55 41 2
      Asset management 101 186 12
      Purchasing 75 123 6
      Financial accounting 34 63 8
      Information technology 74 472 29
      Source: Interim and final management letters for 30 June 2019.

      High-risk findings

      The total number of high risk issues reported in our management letters has decreased

      Our 30 June 2019 financial audits identified 71 high-risk findings compared to 83 in 2017–18.

      The high-risk findings are in the following areas:

      • financial reporting and performance (see Chapter 2)
      • information technology (see Chapter 4)
      • asset management (see Chapter 5)
      • revenue process
      • purchasing process
      • cash and banking process
      • financial accounting
      • governance.

      Revenue process

      Our audits identified 107 issues related to revenue processes (2017–18: 126 issues). Fourteen per cent were repeat issues.

      Infographic showing interim and final management letters for 30 June 2019 and 2018 audirs
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      High risk issues were reported at the following councils:

      Council Description
      Balranald Shire Council Lack of processes to verify the completeness and accuracy of revenue provided to council by an external operator of the Caravan park.
      Maitland City Council Lack of regular reconciliation between the rates and annual charges system and the general ledger. Also, council was unable to generate a list of outstanding rate levies by individual ratepayers that may impact the effectiveness of debt collection procedures.

      Common issues classified as moderate or low risk include:

      • inadequate segregation of duties in the revenue process
      • revenue reconciliations not prepared or reviewed
      • lack of review of changes to the debtor master file.

      There is currently a performance audit being performed over developer contributions, including voluntary planning agreements. This is scheduled to be tabled in Parliament during the second quarter of 2020. This audit will consider the governance and internal controls over developer contributions, including voluntary planning agreements, at four selected councils.

      Purchasing process

      Our audits identified 204 issues related to purchasing processes (2017–18: 206 issues). Eighteen per cent were repeat issues.

      Infographic showing interim and final management letters for 30 June 2019 and 30 June 2018 audits
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      High risk issues were reported at the following councils:

      Council Description
      Murrumbidgee Council There was no formal review process to acquit credit card expenditure and some staff were sharing credit cards.
      Maitland City Council

      Council implemented a new procurement module during 2018–19. Our review of system controls identified deficiencies over the following areas:

      • request for quotation process
      • lack of review and approval of purchase orders
      • lack of system enforcement of financial delegations.
      Mid-Coast Council (two high risk issues)

      Control deficiencies were identified over the following areas:

      • vendor master file maintenance
      • lack of segregation of duties
      • invoice payments
      • lack of system enforcement of financial delegations.

      Shoalhaven City Council

      Liverpool Plains Shire Council

      Control deficiencies were identified over the authorisation of purchase orders.

      Common issues classified as moderate or low risk include:

      • inadequate segregation of duties in the purchase and payables processes
      • inappropriate use of purchase orders and/or not using purchase orders
      • lack of review of changes to the creditors master file.

      There is currently a performance audit being performed over the management of procurement. This is scheduled to be tabled in Parliament during the second quarter of 2020. The audit will assess how effectively procurement is managed for six selected councils, with the aim of generating sector-wide learnings on procurement and tender management.

      Most councils have policies and processes over credit card management

      Some councils use credit cards for purchasing general consumables, minor plant and equipment, hospitality and travel. The level of credit card usage varies across councils.

        30 June 2019
      Number of credit card transactions: 0 - 27,549
      Credit card expenditure: $0 - $3,102,049

      Effective credit card management helps to reduce the risk of inappropriate or unauthorised use of corporate credit cards.

      We reviewed the controls in place to manage the use of credit cards and our observations are summarised in the table below.

      Credit card management %
      Council has a periodic credit card acquittal process, which requires cardholders to provide receipts or other supporting documentation 98
      Credit card reconciliations are reviewed by an appropriate delegated authority 94
      Credit card reconciliations are reviewed in a timely manner 93
      Council has a corporate credit card policy 92
      New cardholder is required to sign the agreement of terms of use 87
      Corporate credit card policy is current 82

      The former Minister for Local Government requested we conduct a performance audit over credit card usage at local councils given the alleged misuse of a credit card at a rural council. This audit is scheduled to be tabled in Parliament during the second quarter of 2020. The audit will assess the effectiveness of credit card management practices at six selected councils, including testing the effectiveness of their policies in practice.

      Payroll process

      Our audits identified 135 issues related to payroll processes (2017–18: 123 issues). Twenty-four per cent were repeat issues.

      Infographic showing issues relating to payroll processes for 2018 and 2019
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      Common issues classified as moderate or low risk include:

      • lack of review of changes to details in the employee master file
      • no review of payroll reports and timesheets.

      Cash and banking process

      Our audits identified 98 issues related to cash and banking processes (2017–18: 123 issues). Seventeen per cent were repeat issues.

      Infographic showing issues identified relating to cash and banking processes in 2018 and 2019
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      High risk issues were reported at the following councils:

      Council Description
      Mid-Western Regional Council The Council breached the Unclaimed Money Act 1995 by not remitting monies held longer than six years to Revenue NSW.
      Upper Hunter Shire Council The Council breached the Local Government Act 1993 by utilising externally restricted funds without ministerial approval. This was due to an administrative delay in obtaining 2018–19 budgeted loan funds until 2 August 2019.

      Common issues classified as moderate or low risk include:

      • no segregation of duties in the cash handling and receipting processes
      • lack of review of bank reconciliations
      • lack of security controls over access to bank payment files
      • outdated bank signatories.

      Financial accounting process

      Our audits identified 105 issues related to financial accounting processes (2017–18: 104 issues). Thirty-one per cent were repeat issues.

      Infographic showing issues identified in financial accounting process for 2018 and 2019
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      High risk issues were reported at the following councils:

      Council Description

      Central Darling Shire Council

      Hunter Joint Organisation

      Narrabri Shire Council

      Woollahra Municipal Council

      Some manual journals were prepared and posted by the same employee. The journals were not reviewed by an independent officer and there was a lack of supporting evidence for the manual journals.
      Shoalhaven City Council Council’s processes for preparing and posting manual journals did not require any independent review prior to the journals being posted to the general ledger.
      Central Darling Shire Council Lack of segregation of duties within the Council's finance function.

      Mid-Coast Council

      (two high risk issues)

      Inconsistent application of policies and procedures across Council's financial systems, processes and control environments.

      Council did not perform key balance reconciliations in a timely manner and there was no evidence of review. Some of the reconciliations have not been performed since the start of the financial year.

      Common issues classified as moderate or low risk include:

      • lack of review of reconciliations
      • key balance reconciliations not performed in a timely manner
      • lack of segregation of duties over processing journals.

      3.2 Governance

      Our audits identified 291 issues related to corporate governance (2017–18: 174 issues). Fifteen per cent were repeat issues.

      Infographic showing issues identified relating to governance in 2018 and 2019
      Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

      High risk issues were reported at the following councils:

      Council Description
      Bellingen Shire Council Non-compliance with workplace health and safety legislation and the Environment Protection Agency's requirements for waste and quarry operations.
      Murrumbidgee Council Incomplete contract registers and inadequate probity controls.
      Central Coast Council The Council used section 7.11 infrastructure contributions to pay Council administration expenses. This is a breach of the Environmental Planning and Assessment Act 1979. This has subsequently been repaid.

      The common governance issues can be grouped into the following areas, and are explained further below:

      • audit, risk and improvement committees
      • internal audit
      • legislative compliance
      • risk management
      • fraud controls
      • gifts and benefits.
      More councils have established audit, risk and improvement committees

      An effective audit, risk and improvement committee is an important contributor to good governance. An effective committee helps councils to build community confidence, meet legislative and other requirements and meet standards of probity, accountability and transparency.

      14 more councils have established audit, risk and improvement committees during 2018–19 resulting in 111 councils having committees

      Changes outlined in Section 428A of the Local Government Amendment (Governance and Planning) Act 2016 will require the remaining councils to establish an audit, risk and improvement committee by March 2021.

      For those councils with an audit, risk and improvement committee, we assessed their performance against better practice. The table below summarises our observations.

      Audit, risk and improvement committee 2019 2018
        % %
      Chair of the committee is independent 97 94
      Committee has a charter 96 98
      Committee monitors progress in addressing audit recommendations 95 87
      Committee is advised of financial reporting issues 90 90
      Majority of the committee members are independent 84 83
      Committee reviews the enterprise risk register 81 81
      Committee performs an annual self-assessment of its performance 52 48
       
      More councils have established an internal audit function

      Internal audit is another important element of an effective governance framework as it supports a risk and compliance culture. Internal audit provides assurance over council's governance practices and internal control environment and identifies where performance can improve.

      11 more councils have established an internal audit function during 2018–19 resulting in 103 councils having an internal audit function

      The Local Government Act 1993 also envisages the establishment of an internal audit function in each council to support the work of the audit, risk and improvement committee.

      For those councils with an internal audit function, we assessed their performance against better practice. The table below summarises our observations.

      Internal audit functions 2019 2018
        % %
      Audit, risk and improvement committee reviews the internal audit plan 99 90
      Internal audit plan is documented 95 95
      Audit, risk and improvement committee assesses the performance of internal audit 83 61
      Internal audit plan aligns with the enterprise risk register 78 85
       
      Councils need to improve practices to comply with key laws and regulations

      A legislative compliance framework assists councils to capture and monitor compliance with key laws and regulations.

      While there was a slight improvement in the percentage of councils with a legislative compliance policy and register, there needs to be further improvement overall.

      38% of councils have a legislative compliance policy (2017–18: 34%)

      41% of councils have a legislative compliance register (2017–18: 36%)

      Ineffective legislative compliance frameworks increase the risk of councils breaching legislation. This can attract penalties, affect service delivery and cause significant reputational damage.

      A compliance framework should be tailored to the size and risk profile of a council.

      Most councils have a risk management policy and register

      A risk management policy helps to provide a framework for managing risks. A risk register, aligned to strategic objectives, can be an effective tool to support decision-making.

      Over seventy per cent of councils have a risk management policy and register.

      Infographic showing risk management process

      89% of councils have a risk management policy (2017–18: 85%)

      76% of councils have an enterprise risk register (2017–18: 69%)

      76% of councils’ risk registers are aligned with their strategic objectives (2017–18: 87%)

      Councils have improved their fraud control systems

      Effective fraud control and ethical frameworks can help protect councils from events that risk serious reputational damage and financial loss.

      On 22 June 2018, the Auditor-General tabled in Parliament a performance audit report on ‘Fraud controls in local councils’. The report found councils often have fraud control procedures and systems in place but are not ensuring people understand them and how they work. There is also significant variation in the quality of fraud controls across councils.

      We performed a follow up review to assess the progress made since the performance audit2 in 2018. The results are summarised in the table below.

      Fraud controls 2019 2018
        % %
      Council has a fraud control policy 77 78
      Fraud awareness information is provided to new starters 70 58
      Fraud control policy was updated within the past three years 68 51
      Staff are required to complete an annual conflicts of interest declaration 57 35
      A fraud risk assessment has been undertaken within the past three years 35 18
      Council has a fraud control plan 54 37
      Fraud awareness training is provided for all staff (at least every three years) 50 35
      Fraud control health check was completed (within the last three years) 50 39
      Staff are required to sign off on the code of conduct annually 25 8
       
      Most councils have policies and processes to manage gifts and benefits

      Effective management of gifts and benefits helps to minimise real or perceived integrity and reputational risks. In the Local Government sector, there is a Model Code of Conduct (Model Code), which sets the minimum standards of conduct for council officials in relation to the receipt of gifts and benefits.

      Our review found most councils had sound policies, transparent record keeping and communication activities to manage gifts and benefits.

      Gifts and benefits management %
      Gifts and benefits policy covers the Mayor and the Councillors 97
      Gifts and benefits policy outlines the approval process for accepting gifts or benefits 96
      Gifts and benefits policy is included in the induction process for new staff 93
      Council has a gifts and benefits policy 93
      Gifts and benefits register captures key information 90
      Council maintains a central register for gifts and benefits declaration 89
      Council has a business ethics statement that communicates expected behaviours to suppliers and contractors 83
      Gifts and benefits policy was last updated within the past three years 71

      While most councils have sound policies and processes to manage gifts and benefits, we noted some instances of non-compliance with Part 6 of the Model Code.

      Twenty per cent of councils accepted cash-like gifts and benefits, which is not allowed under section 6.5 of the Model Code, regardless of the amount.

      Cash-like gifts include, but are not limited to gift vouchers, credit cards, debit cards with credit on them, prepayments such as phone or internet credit, lottery tickets or memberships or entitlements to discounts not available to the public or a broad class of persons.


      A total of 88 out of 128 local councils in New South Wales participated in the fraud control survey.

       

      4. Information technology

      Councils rely on information technology (IT) to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that council needs to address.

      In prior years, we reported that councils need to improve IT governance and controls to manage key financial systems. This chapter outlines the progress made by councils in the management of key IT risks and controls, with an added focus on cyber security.

      Section highlights
      • We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse.
      • Many councils do not have IT policies and procedures and others do not identify, monitor or report on IT risks.
      • Cyber security management requires improvement, with some basic elements of governance not yet in place for many councils.

        4.1 High risk issues

        Our audits identified 575 issues related to information technology (2017–18: 448 issues). Sixty-eight per cent related to user access management (2017–18: 60 per cent).

        While the total number of IT control deficiencies reported in our management letters has increased compared with the prior year, the total number of high risk issues have decreased.

        Infographic showing issues identified in relation to information technology in 2018 and 2019
        Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

        High risk issues were reported at the following councils which related to one or more IT processes:

          Number of IT high risk issues IT policies and procedures IT risk management User access management Segregation of duties conflict Privileged user access Password configuration System implementation
        Bayside Council* 4     Black circle with white cross in the middle   Black circle with white cross in the middle Black circle with white cross in the middle Black circle with white cross in the middle
        Bellingen Shire Council 3 Black circle with white cross in the middle            
        Blue Mountains City Council 1         Black circle with white cross in the middle    
        Fairfield City Council 1         Black circle with white cross in the middle    
        Greater Hume Shire Council 1         Black circle with white cross in the middle    
        Hay Shire Council 2 Black circle with white cross in the middle       Black circle with white cross in the middle    
        Hilltops Council 1 Black circle with white cross in the middle            
        Lake Macquarie City Council 4 Black circle with white cross in the middle   Black circle with white cross in the middle     Black circle with white cross in the middle Black circle with white cross in the middle
        Liverpool Plains Shire Council 2     Black circle with white cross in the middle        
        Maitland City Council 2 Black circle with white cross in the middle Black circle with white cross in the middle   Black circle with white cross in the middle      
        Murrumbidgee Council 1 Black circle with white cross in the middle            
        Newcastle City Council 1 Black circle with white cross in the middle Black circle with white cross in the middle          
        Port Stephens Council 4 Black circle with white cross in the middle Black circle with white cross in the middle   Black circle with white cross in the middle     Black circle with white cross in the middle
        Uralla Shire Council 1         Black circle with white cross in the middle    
        Woollahra Municipal Council 1       Black circle with white cross in the middle Black circle with white cross in the middle    
        * The high risk issues relate to the 2017–18 audit of Bayside Council. The audit opinion for the 2018–19 audit was disclaimed, and an IT management letter was not issued.
        Source: Interim and final management letters for 30 June 2019 audits.

        The high-risk issues above are related to:

        • lack of key IT policies and procedures
        • lack or minimal IT risk management activities
        • user access reviews over key financial systems not performed
        • shared user accounts
        • segregation of duties not properly enforced in the key financial systems
        • privileged user access not being adequately restricted and monitored to identify suspicious or unauthorised activity
        • weak password configurations
        • system implementation with missing documentation, sign offs and unresolved defects.

        Overall IT control deficiencies identified in 30 June 2019 audits can be grouped into the following areas:

        • IT governance
        • IT general controls, including user access management, program change management, disaster recovery planning
        • cyber security management.

        We provide further commentary on each of these areas below.

        4.2 IT governance

        IT governance provides a structure to enable councils to effectively manage their IT risks and ensure associated activities are aligned to achieve their objectives.

        IT policies are not formalised or kept up-to-date

        It is important that key IT policies are formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment. Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.

        There has not been much improvement in councils formalising their IT policies and ensuring they are regularly reviewed.

        71% of councils do not have IT policies over one or more of following areas:

        • IT security

        • IT change management

        • IT incident and problem management

        • disaster recovery

        • business continuity (2017–18: 73%)

        25% of available IT policies are not reviewed in line with the council's scheduled review date to ensure they are up to date (2017–18: 21%)

        More councils are identifying, monitoring and reporting IT risks

        Councils should identify and communicate risks arising from the use of IT to those charged with governance, so they are aware of the risks and able to respond appropriately within an acceptable timeframe.

        More councils are identifying, monitoring and reporting on IT risks.

        41% of councils do not have IT risk register (2017–18: 50%)

        22% of councils do not regularly communicate IT risks to management and those charged with governance (2017–18: 34%)

        4.3 IT general controls

        IT general controls are the procedures and activities designed to ensure confidentiality and integrity of systems and data. These controls underpin the integrity of financial reporting.

        Our financial audits involved the review of IT general controls relating to key financial systems supporting the preparation of council's financial statements, addressing:

        • user access management
        • privileged user access restriction and monitoring
        • system software acquisition, change and maintenance
        • disaster recovery planning.

        We did not review all council IT systems. For example, IT systems used to support service delivery are generally outside the scope of our financial audit. However, councils should consider the relevance of our findings below to these systems.

        User access management

        User access management of IT systems is improving

        Information technology is essential to how councils deliver services. While IT can improve service delivery, the growing dependency on technology means councils face risks of unauthorised access and misuse.

        Key areas of effective user access management are:

        • appropriate approvals for new access, and changes of access to IT systems
        • timely removal of access to IT systems
        • strong password controls to avoid user access being compromised
        • periodic user access review to identify any inappropriate access
        • restriction of privileged access to appropriate staff
        • monitoring of privileged access activities.

        The councils have improved their access management processes. However, further improvements are required for monitoring of privileged user account activities and periodic user access reviews.

        40% of councils without adequate controls for adding new users (2017–18: 47%)

        38% of councils do not restrict privileged user access (2017–18: 43%)

        33% of councils without adequate user access removal controls (2017–18: 43%)

        71% of councils do not monitor privileged user account activities (2017–18: 71%)

        43% of councils without sufficient password controls (2017–18: 43%)

        64% of councils do not conduct periodic user access reviews (New area of focus)

        Program change management

        Controls over IT system changes need to improve

        Changes to IT programs and related infrastructure components need to be authorised prior to implementation. This ensures changes are appropriate and in line with business requirements.

        Weak system change controls expose councils to the risk of:

        • unauthorised and/or inaccurate changes to systems or programs
        • issues with data accuracy and integrity
        • unintended changes to how programs process or report information
        • errors in financial reporting.

        Councils have not improved their change management controls over IT systems compared with the prior year.

        36% of councils do not have segregation of duties between the developer and the implementer of the change (2017–18: 36%)

        33% of councils are implementing changes to systems without appropriate approval (2017–18: 23%)

        Disaster recovery planning

        Disaster recovery planning and testing need to improve

        Disaster recovery planning (DRP) helps councils to minimise the disruption to operations in the event of a major systems outage or other disaster. Without detailed analysis and planning, councils may not be able to predict the impact of disruption, identify maximum tolerable outages, or successfully recover critical systems in the event of a disaster.

        Some councils do not have an adequate and current DRP.

        31% of councils have not formalised and approved the DRP

        28% of councils with formal DRP have not recently reviewed it

        55% of councils with formal DRP have not tested the plan with sufficient regularity

        4.4 Cyber security management

        Council’s response to cyber security risks can improve

        At a State Government level, the NSW Cyber Security Policy states that 'strong cyber security is an important component of the NSW Digital Government Strategy. The term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability’. While there is currently no requirement for councils to comply with the State Government’s cyber security policy, councils may find it useful to refer to the policy for further guidance.

         

        Recommendation

        The Office of Local Government within the Department of Planning, Industry and Environment should develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

        Poor management of cyber security can expose councils to a broad range of risks, including financial loss, reputational damage and data breaches. The potential impacts may include:

        • theft of corporate and financial information and intellectual property
        • theft of money
        • denial of service
        • destruction of data
        • costs of repairing affected systems, networks and devices
        • legal fees and/or legal action from losses arising from denial-of-service attacks causing system downtime in critical systems
        • third-party losses when personal information stored on government systems is used for criminal purposes.

        We performed a high-level assessment to determine whether councils have the basic governance and internal controls to manage cyber security.

        80% of councils do not have formal cyber security policy/framework

        46% of councils have not included risk of cyber-attack in their risk register

        67% of councils have not recently performed penetrations testing (cyber-attack simulation)

        76% of councils have not delivered cyber security training to all of their staffs

        84% of councils do not have separate cyber security budget

        48% of councils do not have cyber security insurance policy

        78% of councils do not maintain a centralised register of cyber incident

        Councils’ cyber security management requires improvement, as most councils are yet to implement the basic elements of governance, such as a cyber security policy or framework. This will continue to be an area of focus, with an upcoming performance audit planned on cyber security post 30 June 2020.

         

        5. Asset management

        Councils are responsible for managing a significant range of assets to deliver services on behalf of the community.

        This chapter outlines our asset management observations across councils and joint organisations.

        Section highlights
        • There was an increase in the total number of issues reported in our management letters for asset management processes.
        • There were less high-risk issues reported compared to the previous year.
        • We continue to identify discrepancies between the council's Crown land asset records and the Crown Land Information Database (CLID) managed by the former Department of Industry (DOI).
        • Inconsistent practices remain across the Local Government sector in accounting for landfill sites.

          5.1 High risk issues

          Our audits identified 299 issues related to asset management (2017–18: 291 issues). There was a reduction in high risk matters reported in our management letters compared to the previous year.

          Infographic showing high risk issues identified in relation to asset management
          Source: Interim and final management letters for 30 June 2019 and 30 June 2018 audits.

          5.2 Asset management systems

          Asset management systems record key data on councils' infrastructure, property, plant and equipment. Maintaining accurate and up to date asset data helps council in making appropriate decisions around asset management.

          Our audits identified 107 issues related to councils' asset management systems (2017–18: 66 issues). Twenty-four per cent were repeat issues.

          High risk issues were reported at the following councils:

          Council Description

          Bayside Council

          (two high risk issues)

          Data quality issues were identified within the asset management system. Assets were also incorrectly classified, revaluation outcomes and disposed assets were not adjusted in a timely manner and an impairment assessment was not performed for some assets.
          Dungog Shire Council Fixed assets register is maintained in excel spreadsheets and reconciled with the general ledger at year-end. The reconciliation practice delayed the financial reporting process.
          Lockhart Shire Council Costs were incorrectly capitalised, asset register included assets previously disposed, and asset reconciliation was not performed.
          Midcoast Council The fixed asset register was not updated until year-end. This impacted the timing of depreciating the assets.

          Common issues classified as moderate or low risk include:

          • non-timely recognition of asset movements in the asset register
          • excel spreadsheets storing asset data outside asset management systems without any controls to protect the data integrity
          • assets in use not capitalised on a timely basis
          • asset registers not being reconciled with the asset management system
          • assets recorded in the incorrect asset classes in the asset registers
          • asset registers with duplicate assets
          • multiple asset registers maintained to record various asset classes
          • physical verification of property, plant and equipment is not performed regularly.

          5.3 Asset valuation processes

          Our audits identified 67 issues related to councils' asset valuation processes (2017–18: 50 issues). Twenty per cent were repeat issues.

          High risk issues were reported at the following councils:

          Council Description
          Cootamundra-Gundagai Regional Council Lack of sufficient information to support the componentisation of assets.
          Inner West Council Management did not perform quality assurance review of the asset valuation outcomes resulting in errors in the financial statements.
          Berrigan Shire Council Key assumptions and methodology supporting the comprehensive valuation of roads assets were not documented. The workpapers to support the valuation of water and sewerage were not reconciled and significant misstatements were identified.
          Murray River Council Council did not conduct a regular re-assessment of the carrying values of infrastructure assets to ensure they did not materially differ from fair values post amalgamation in 2017. When council conducted a revaluation of transportation assets in 2019 it identified a material prior period error which was mainly due to developer contributed assets and found assets.

          The Australian Accounting Standards require carrying values of infrastructure, property, plant and equipment assets to be reassessed with sufficient regularity to ensure they don’t materially differ from fair values. If carrying values are not regularly assessed, it may result in significant errors in the financial statements.

          Common issues classified as moderate or low risk include:

          • lack of formal re-assessment of the carrying values of infrastructure assets with sufficient regularity
          • absence of quality review procedures over the asset valuation outcomes
          • remaining useful life of infrastructure assets not being reviewed annually or supported by regular condition assessments
          • assets are not appropriately componentised into significant depreciable components
          • absence of a suitable methodology to allocate indirect costs to assets capitalised.

          5.4 Recognition of Crown land

          The former DOI was responsible for overseeing the management of NSW Crown land, which is estimated to cover approximately 42 per cent of the State. Crown land includes parks, reserves, roads and cemeteries. Parcels of Crown land are managed and controlled by Local Government and other private sector organisations, including corporations and statutory bodies. The Department of Planning, Industry and Environment (DPIE) now maintains the Crown Land Information Database (CLID), which records various details about the State's Crown land and the respective Crown land manager.

          Pie chart showing control of Crown Land at 30 June 2019
          Source: Crown Land Information Database (unaudited).

          A high risk issue was reported at the following council:

          Council Description
          Edward River Council Crown Land records did not reconcile with the Crown Land Information Database (CLID). Council did not complete the review of discrepancies by the agreed deadline. The issue was noted during the interim phase of the audit and was resolved before the audit was completed.
           
          We continue to identify discrepancies between the CLID and councils' Crown land records

          In the prior year, we reported discrepancies between councils' Crown land records and the CLID.

          On 1 July 2018, the former DOI launched an online portal to enable councils to query Crown land data. The portal provides councils with information on Crown land where they are identified as the manager in CLID.

          Since the launch of the online portal, Councils compared their Crown land records with the CLID and identified prior period errors in councils' 2018–19 financial statements. For the completed 2018–19 financial statements audits of local councils, the corrections resulted in a $201 million increase in Crown land assets recognised by nine councils.

          In November 2018, the former DOI commenced the implementation of CrownTracker as a replacement system for CLID. The DOI advised the key differences include:

          • spatial information will be captured in CrownTracker, which was previously imported and reconciled with CLID
          • a modern case management module which aims to improve delays in updating changes
          • integration with SAP and reporting tools to assist with financial reporting
          • an external portal for non-council Crown Land Managers to lodge financial reports.

          The project is due for completion by 30 June 2021.

          Our 2019 Planning, Industry and Environment Report to Parliament recommended the DPIE ensure the Crown land database is complete and accurate so state agencies and local councils are better informed about the Crown land they control.

          5.5 Accounting for landfill rehabilitation

          Councils manage landfill sites, which are in-ground facilities for the safe and secure disposal of waste. As landfill operators, councils have a legal obligation to monitor and provide aftercare for closed landfill sites for an extended period after their closure. This requires councils to comply with the requirements of the Protection of the Environment Operations Act 1997 and the standard landfill rehabilitation accounting practices. These include accounting for landfill cell costs, the landfill site land asset, rehabilitation obligations and the long-term management of landfill sites in accordance with the licensing requirements of the EPA.

          Accounting for landfill remediation provision is inconsistent across councils

          Australian Accounting Standards require a provision for landfill remediation when the obligation to operate landfill sites would result in cash outflows for the council, and it can be reliably measured. Such provisions should be annually reassessed for changes in assumptions, legal requirements and emergence of new landfill remediation techniques.

          Our review of Councils landfill rehabilitation accounting practices identified high-risk issues at the following councils:

          Council Description
          Snowy Monaro Regional Council Council was unable to reliably measure the future cost of rehabilitating closed landfill sites due to the uncertainty of the cost estimates, potential changes in legal requirements, nature of site disturbance and emergence of new landfill remediation techniques. Councils obligation to rehabilitate the closed site was disclosed as a contingent liability in the 2018–19 financial statements.
          Liverpool Plains Shire Council Council was unable to adequately identify disturbed landfill areas and accurately calculate the future cost of its rehabilitation. In addition, the council does not have a formalised landfill management plan as required by the EPA Act.

          Twenty councils have not formalised landfill management plans. Of the councils with a formalised plan, 27 have not reviewed the plans within the last two years.

          Fifteen councils did not re-assess the appropriateness of their future landfill rehabilitation costs. Of the councils that undertook the reassessment, we observed the following inconsistencies:

          Assessment of landfill rehabilitation costs Number of councils
          Potential cash inflows to reduce the future costs of landfill rehabilitation obligation for the landfill sites were not considered. For example, tipping fees. 42
          Post closure rehabilitation costs for landfill sites were not considered. 29
          The asset’s carrying value was not tested for impairment. 20
          Completeness and reasonability of the data used to calculate the landfill rehabilitation provision was not re-assessed. 14
          A corresponding asset against its landfill site rehabilitation obligation was not recorded. 8
          Remaining useful lives of the landfill sites were not re-assessed. 8
          Future landfill rehabilitation obligations were not reported in the 2018–19 financial statements. 5

           

          Appendices

          Appendix one – Response from the Office of Local Government within the Department of Planning, Industry and Environment

          Appendix two – Status of 2018 recommendations

          Appendix three – Status of audits 

           

          Copyright notice

          © Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.