Reports
Internal controls and governance 2021
This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.
What the report is about
This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.
What we found
Internal control trends
The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.
Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).
Information technology
We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.
Cyber security
Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.
Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.
Conflicts of interest
Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.
Masterfile management
Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.
Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.
Tracking recommendations
Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.
What we recommended
Agencies should:
- prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
- prioritise improvements to their cyber security and resilience as a matter of urgency
- formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.
Fast facts
The 25 largest NSW government agencies in this report cover all nine clusters and represent over 95 per cent of total expenditure for NSW public sector.
- 9 high risk audit findings were identified this year
- 40% of agencies have not formally accepted residual cyber risk based on their self-assessed maturity levels
- 52% of agencies do not have a policy on tracking recommendations from performance audits and public inquiries
- 50% of all internal control deficiencies identified in 2020–21 were repeat findings
- 75% is the average completion rate of annual staff declarations of interests.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.
Section highlights
|
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.
Section highlights
|
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.
Section highlights
|
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.
Section highlights
|
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.
Section highlights
|
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.
Section highlights
|
COVID Intensive Learning Support Program
What the report is about
This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.
The audit assessed the design and implementation of the program.
What we found
The program design was based on research and data showing learning loss during 2020.
The department rapidly planned and developed the policy design and guidelines for schools.
Governance arrangements matured during program delivery.
The department changed the models for funding schools but did not clearly explain the reasons for doing so.
Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools.
Guidelines, resources and professional learning helped schools implement the program.
Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas.
Online tuition and third-party provider options were developed throughout the program.
There were issues with the quality and timeliness of data used to monitor school progress.
Evaluation arrangements were developed early in the program.
Data limitations mean the evaluation will not be able to fully assess all program objectives.
What we recommended
- Distributing funds between schools more equitably and improving communication of the funding methods.
- Clearer communication about the intended targeted group of students.
- Reviewing the time needed to administer the program.
- Improve support for educators other than qualified teachers.
- Offer the online tuition program to more schools.
- Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
- Working with universities to increase use of pre-service teachers in the program.
The report also identifies lessons learned for future programs.
Fast facts
- $337m in total program funding. $289 million for government schools and $31 million for non government schools
- 12 days to develop the policy and provide costings to Treasury
- 290,000 targeted students in government schools and 31,000 in non government schools
- 80% of schools were providing small group tuition by the target start date of Week 6, Term 1
- 2–4 months was the estimated student learning loss from the move to learning from home during 2020
- 7,600 tutors engaged in the program as at September 2021.
The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:
- $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
- $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.
The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):
- effectively designed the program and supporting governance arrangements
- is effectively implementing the program.
This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.
Conclusion
The COVID Intensive Learning Support Program was effectively designed to help students catch up on learning loss due to the interruptions to schooling caused by COVID-19. The department rapidly stood up a taskforce to implement the program and then developed supporting governance arrangements during implementation.
Most students in New South Wales were required to learn from home for at least seven weeks during 2020 due to the impact of the Novel-Coronavirus (COVID-19). The department researched, analysed and advised government on several options to address the learning loss that resulted. It recommended small group tuition as the preferred option as it was supported by available evidence and could be rolled out at scale with speed. It identified risks of ensuring an adequate supply of educators and options to address those risks. Consistent with its analysis of where the impact of the learning loss was most severe, the department proposed to direct funding to schools with higher concentrations of students from the most disadvantaged backgrounds.
The department established a cross-functional taskforce to conduct detailed planning and support program implementation. Short timeframes meant the taskforce initially sought approval for key decisions from the program sponsor and existing oversight bodies on an as-needed basis before dedicated program governance arrangements were formalised. Once established, the governance body met regularly to oversee program delivery.
The COVID Intensive Learning Support Program is being effectively implemented. The department has refined the program during rollout to respond to risks, issues and feedback from schools. Issues with how schools enter data into department systems have affected the timeliness and accuracy of program monitoring information.
The department provided schools with guidelines, example models of delivery, systems to record student progress and professional learning. Around 80 per cent of schools had begun delivering tuition under the program by the target date. Schools reported issues with sourcing qualified teachers as a key reason they were unable to start the program by the expected date. In response, the department expanded the type of staff schools could employ, developed an online tuition program, and allowed schools to engage third-party providers to help schools that had difficulty finding qualified teachers for the program.
The department used existing systems to monitor school progress in implementing the program. This reduced the administrative burden on schools, but there were several issues with data quality and timeliness. The program included a mid-year review point to check whether schools were on track to spend their funding. This helped focus schools on ensuring funding would be spent and allowed for redistribution between schools.
The department considered program evaluation early in policy design and planning. It embedded an evaluator on the taskforce and expanded a key assessment program to help provide evidence of impact. A process and outcome evaluation is underway which will help inform future delivery. The evaluation will examine educational impacts for students participating in the program but it has not established methods to reliably assess the extent to which the program has met a goal to help 'close the equity gap' for students.
This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.
This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #358 - released (15 December 2021).
Education 2021
This report analyses the results of our audits of the Education cluster agencies for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no outstanding matters relating to audits in the Education cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.
What the report is about
The results of the Education cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.
What we found
Unmodified audit opinions were issued on the Department of Education (the department), the NSW Education Standards Authority and the NSW Skills Board's financial statements.
An 'other matter' paragraph was included in the Technical and Further Education Commission's (the TAFE Commission) audit opinion drawing attention to legislative non-compliance concerning financial delegations during the reporting year.
The number of misstatements identified in the financial statements of cluster agencies decreased from 14 in 2019–20 to seven.
What the key issues were
The department and the TAFE Commission revalued their land assets this year, recognising collective increases of $863.8 million.
The department and the TAFE Commission are not scheduled to perform comprehensive revaluations of their buildings until 2022–23. Construction costs, which are a key input in their current replacement cost valuation methodologies for buildings, may have increased by an estimated nine per cent since the last comprehensive revaluation in 2017–18 based on broad based indices used by the department and the TAFE Commission. While the estimated index increase indicates the fair value of buildings may exceed the carrying values, the use of such high-level indicators has a degree of estimation uncertainty due to the specialised nature of the assets. Therefore, both agencies did not adjust the values of their buildings.
The number of issues we reported to management decreased. Fifty per cent of issues were repeated from prior years.
Of the 11 newly identified moderate rated issues, seven related to internal control deficiencies, with six identified in procurement and payroll controls.
What we recommended
The department and the TAFE Commission reconsider policy settings governing the frequency of revaluations; and refine and consider the outcomes of interim fair value assessments to ensure asset carrying values reflect fair value at each balance date.
Cluster agencies should prioritise and action recommendations to address internal control deficiencies.
Fast facts
The Education cluster, comprising four agencies, administers and delivers education and training services for NSW students, workers and industry.
- $38.6b property, plant and equipment as at 30 June 2021
- $21.2b total expenditure incurred in 2020–21
- 100% unqualified audit opinions were issued on agencies’ 30 June 2021 financial statements
- 22 moderate risk management letter findings were identified and reported to management
- 7 monetary misstatements were reported in 2020–21
- 50% of reported issues were repeat issues
This report provides Parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster (the cluster) for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster.
Section highlights
|
Findings reported to management
The number of findings reported to management has decreased. Fifty per cent of all issues were repeat issues
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.
In 2020–21, there were 28 findings raised across the cluster (33 in 2019–20). Fifty per cent of all issues were repeat issues (45 per cent in 2019–20).
The most common repeat issues related to weaknesses in controls over information technology general controls, application controls, and identified deficiencies in procurement and payroll practices.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.
The table below describes the common issues identified across the cluster by category and risk rating.
| Risk rating | Issue |
| Information technology | |
|
Moderate2 |
The financial audits identified areas for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of note were deficiencies identified in:
|
|
Low1 |
|
| Internal control deficiencies or improvements | |
|
Moderate2 |
The financial audits identified internal control weaknesses across key business processes relevant to financial reporting. Of note were deficiencies identified in:
|
|
Low1 |
|
| Financial reporting | |
|
Moderate2 |
The financial audits identified:
|
|
Low1 |
|
3 High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
2 Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
1 Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
The department continues to address recommendations to improve monitoring of privileged user access
Privileged users have higher levels of access to systems, and in some instances, may include access that can bypass segregation of duty controls. If reviews of access logs are not fully embedded in the control environment, the risk of unauthorised transactions occurring and not being detected in a timely manner is elevated.
In 2019–20 a high-risk issue was reported at the department relating to the inadequate monitoring and follow up of privileged user activity in its enterprise resource planning system – SAP. This year the department has largely addressed our findings by initiating a review of the identified instances of privileged user activity and establishing periodic oversight controls. There remains a need to improve the timeliness and completeness of these newly implemented controls.
Data analytics identified the root cause of internal control deficiencies in procurement and payroll
Our 2020–21 agency management letters identified seven new moderate risk internal control deficiency matters, of which six related to payroll and procurement.
To enhance our financial statement audit of the department we applied data analytics over elements of the department's procurement and payroll control processes. Our procedures, conducted over periods across the financial year, helped identify the following:
- a low level of compliance with procurement practices requiring the creation of purchase orders before invoices are received. The root cause was a lack of understanding by agency staff of the procurement processes
- transactions related to previous years being recorded in the current year. The root cause was a lack of understanding of the three-way matching process and the goods received/not invoiced facilities within SAP
- negative payments in fortnightly pay runs, predominantly representing deductions to recover salary payments made in error. The root cause was the lack of timeliness in notifying payroll for cessation of employment, or for employees undertaking secondments who should have been classified as being on leave without pay.
Recommendation
We recommend cluster agencies prioritise and action recommendations to address the internal control deficiencies outlined above.
Appendix one – Early close procedures
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Compliance with the NSW Cyber Security Policy
What the report is about
This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:
- met their reporting obligations under the CSP
- reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.
What we found
Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:
- the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
- the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
- each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
- none of the participating agencies had implemented all of the Essential 8 controls
- agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
- there is no monitoring of the adequacy or accuracy of agencies' self-assessments.
What we recommended
In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.
Cyber Security NSW should:
- monitor and report compliance with the CSP
- require agencies to report the target and achieved levels of maturity
- require agencies to justify why it is appropriate to target a low level of maturity
- require the agency head to formally accept the residual risk
- challenge agencies' target maturity levels.
Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.
Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.
The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.
Fast factsThe NSW Cyber Security Policy requires agencies to report their level of maturity implementing the mandatory requirements, which includes the ACSC's Essential 8.
|
This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.
Our audit identified non-compliance and significant weaknesses against the government’s policy.
Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.
I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.
The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.
Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year1. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.
High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector2, a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.
The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.
In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.
This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.
The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.
This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.
The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:
- Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
- Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
- Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
- Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
- Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.
DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.
NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:
- assessed its cyber security risks
- appropriately addressed cyber security at agency governance forums
- a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
- certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
- a plan to continuously improve the management of cyber security governance and resilience.
The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.
Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).
Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).
Scope of this audit
We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.
The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:
- met their reporting obligations under the CSP
- provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
- achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).
While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.
ConclusionKey elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies.The NSW CSP replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the CSP were, inter alia, to strengthen cyber security governance, strengthen cyber security controls and improve cyber security culture.The CSP is not achieving the objective of improved cyber governance, controls and culture because:
|
1. Key findings
The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified
Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.
The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.
This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.
Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement
Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.
All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.
None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy
Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:
as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy3.
The Australian Signals Directorate4 currently advises that, with respect to the Essential 8:
[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual
All agencies failed to reach even level one maturity for at least three of the Essential 8.
Cyber Security NSW modified the ACSC model for implementation of the Essential 8
The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:
is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.
Attestations did not accurately reflect whether agencies implemented the requirements
Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.
Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.
Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches
Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.
Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.
Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.
Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls
We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.
Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.
Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:
- 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
- 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.
The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.
2. Recommendations
Cyber Security NSW should:
1. monitor and report compliance with the CSP by:
- obtaining objective assurance over the accuracy of self-assessments
- requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent
2. require agencies to report:
- the target level of maturity for each mandatory requirement they have determined appropriate for their agency
- the agency head's acceptance of the residual risk where the target levels are low
3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide
4. more closely align their policy with the most current version of the ACSC model.
Participating agencies should:
5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:
- compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
- refer to the CSP guidance when determining their current level of maturity
- ensure the attestations they make refer to departures from the CSP
- have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.
Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report
6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.
The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.
Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way
While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.
The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision6 of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.
| 2019 reporting template | 2020 reporting template |
| ‘A Mandatory Requirement is considered met if a maturity level of three is achieved. The Agency may choose to pursue a higher maturity level if required.
There is no mandated level for the Essential 8 Maturity reporting’. |
‘There is no mandated maturity level for either the Mandatory Requirement reporting or Essential 8 reporting. Agencies need to risk-assess their optimal maturity and aim to be 'as high as possible’. |
|
Source: Maturity Reporting Template v4.0, February 2019.
|
Source: CSP Reporting Template 2020, May 2020.
|
The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:
…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.
This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.
Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required
The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.
The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.
A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.
Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.
A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.
The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.
None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements
Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.
None of the participating agencies achieved level three implementation for all mandatory requirements.
The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.
- Lead: Planning and governance requirements. Section 2.1
- Prepare: Cyber security culture requirements. Section 2.2
- Prevent: Managing cyber incident prevention requirements. Section 2.3
- Detect/Respond/Recover: Resilience requirements. Section 2.4
- Report: Reporting requirements. Section 2.5.
Appendix one – Response from agencies
Appendix two – The maturity model for the mandatory requirements
Appendix three – Essential 8 maturity model
Appendix four – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Managing climate risks to assets and services
What the report is about
This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.
Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.
NSW Treasury estimates these risks could have significant costs.
What we found
DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.
In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.
DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.
There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.
DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.
NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.
In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.
What we recommended
DPIE and NSW Treasury should, in partnership:
- enhance the coordination of climate risk management across agencies
- implement climate risk management across their clusters.
DPIE should:
- update information and strengthen education to agencies, and monitor progress
- review relevant land-use planning, development and building guidance
- deliver a climate change adaptation action plan for the state.
NSW Treasury should:
- strengthen climate risk-related guidance to agencies
- coordinate guidance on resilience in infrastructure planning
- review how climate risks have been assured in agencies’ asset management plans.
Fast facts
4 years
between commitments in the NSW Climate Change Policy Framework, and DPIE and NSW Treasury producing key supports to agencies for climate risk management.
$120bn
Value of physical assets held by nine NSW Government entities we examined that have not completed climate risk assessments.
Low capability to do climate risk assessment has been found across state agencies. The total value of NSW Government physical assets is $365 billion, as at 30 June 2020.
x3
NSW Treasury’s estimates of the annual fiscal and economic costs associated with natural disasters will triple by 2060–61.
According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.
According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.
The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.
In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.
The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:
- use robust climate projection information to understand the potential climate impacts
- undertake sound climate risk assessments, within an enterprise risk management framework
- implement adaptation plans that reduce these risks, and harness opportunities.
Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.
According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.
This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.
Conclusion
The Department of Planning, Industry and Environment (the department) has made climate projections available to agencies since 2014, but provided limited guidance to assist agencies to identify and manage climate risks. NSW Treasury first noted climate change as a contextual factor in its 2012 guidance on risk management. NSW Treasury only clarified requirements for agencies to integrate climate considerations into their risk management processes in December 2020.
The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.
Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.
More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.
The NSW Government set directions in the 2016 NSW Climate Change Policy Framework to 'manage the impact of climate change on its assets and services by embedding climate change considerations into asset and risk management’ and more broadly into 'government decision-making'.
The department released climate projections and has made information on projected climate change impacts available since 2014, but this has not been effectively communicated to agencies. The absence of a state-wide climate change adaptation action plan has limited the department's implementation of a coordinated, well-communicated program of support to agencies for their climate risk management.
NSW Treasury is responsible for managing the state's finances and providing stewardship to the public sector on financial and risk management, but it did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019. NSW Treasury estimates the financial costs of climate-related physical risks are significant and will continue to grow.
The partnership between the department and NSW Treasury has produced the 2021 Climate Risk Ready NSW Guide and Course, which aim to help agencies understand their exposure to climate risks and develop adaptation responses. The Guide maps out a process for climate risk assessment and adaptation planning and is referenced in NSW Treasury policy on internal audit and risk management. It is also referenced in NSW Treasury guidance to agencies on how to reflect the effects of climate-related matters in financial statements.
There is more work to be done by the department on maintaining robust, accessible climate information and educating agencies in its use. NSW Treasury will need to continue to update its policies, guidance and economic analyses with relevant climate considerations to support an informed, coordinated approach to managing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
The effectiveness of the department and NSW Treasury's support involves the proactive and sustained take-up of climate risk management by state agencies. There is a key role for the department and NSW Treasury in monitoring this progress and its results.
The support delivered to agencies around climate risk management, including risk assessment and adaptation planning, has been slow to start and of limited impact. The department's capacity to implement a coordinated approach to supporting agencies has also been limited by the absence of a state-wide adaptation strategy and related action plan.
In 2021, products were released by the department and NSW Treasury with potential to improve support to agencies on climate risk assessment and adaption planning (that this, Climate Risk Ready NSW Guide and Course, which provides links to key NSW Treasury polices). The department and NSW Treasury are now leading work to develop a more coordinated approach to climate risk management for agencies' assets and services, and building the resilience of the state to climate risk more broadly.
While climate projections have been available to agencies and the community more broadly since 2013–14, the department has not been effective in educating the relevant data users within agencies in how to use the information for climate risk assessments and adaptation planning.
The absence of a strategy focused on this is significant and has contributed to the current low levels of climate risk assessment uptake across agencies (see section 2). Agencies are required to use the climate projections developed by the department when developing long term plans and strategies as part of the NSW Government Common Planning Assumptions.
For the department, key opportunities to embed climate risk management include leveraging land use planning policies and guidance to drive adaptation, which has potential to better protect the state's assets and services. NSW Treasury has a role in continuing to update its policies, guidance and economic analyses with relevant climate change considerations to support an informed, coordinated approach to addressing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
There is currently no plan on how the department and NSW Treasury intend to routinely monitor the progress of agencies with implementing the CRR Guide or developing climate risk 'maturity' more broadly. As agencies are responsible for implementing risk management systems that meet NSW Treasury standards, which now clearly includes consideration of climate risk (TPP20-08), establishing effective monitoring, reporting and accountability around this progress should be a priority for the department and NSW Treasury.
Appendix one – Response from agencies
Appendix two – Timeline of key activities
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #355 - released (7 September 2021).
Fast-tracked Assessment Program
What the report is about
This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020.
The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications.
DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:
- deliver jobs
- progress to the next stage of development within six months of determination
- deliver public benefit.
The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.
What we found
Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.
Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.
DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19.
Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments.
What we recommended
DPIE should:
- strengthen controls over conflicts of interest
- evaluate the Fast-tracked Assessment Program.
Fast facts
Construction industry support
- The program aimed at providing immediate support to the construction industry during the COVID-19 crisis
59 fast-tracked projects
- 59 projects and 42 planning proposals projects were assessed in six tranches
89% of all fast-tracked assessments in tranches three to six progressed to the next stage of the planning process within six months of determination
In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.
In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:
- deliver jobs – particularly in the construction industry
- be capable of progressing to the next stage of development within six months of determination
- deliver public benefit.
At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.
This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.
Conclusion
Through tranches three to six of the Fast-tracked Assessment Program, DPIE successfully accelerated the final stages of 53 assessments. DPIE’s internal monitoring indicates that 31 DAs and 16 planning proposals selected in these tranches proceeded to the next stage of development within six months of determination. DPIE achieved this while also successfully managing the risk of non-compliance with planning controls arising from the accelerated process. While DPIE has incorporated components of the Fast-tracked Assessment Program into other longer-term reforms, it has not evaluated the program and is not able to demonstrate the extent to which the program provided support to the construction industry during COVID-19.
Between April and October 2020, DPIE adopted a case management approach to accelerate the final stages of assessment for 42 planning proposals and 59 DAs in six tranches. Tranches three to six were the focus of this audit and included 22 planning proposals and 31 DAs. Applicants involved in the program were expected to progress their projects to the next stage of development within six months of determination. While DPIE had no way of compelling applicants to do this and relied on non-binding commitments obtained from applicants, DPIE’s internal monitoring indicates that 47 of the 53 applicants selected in tranches three to six honoured this commitment.
Fast-tracked assessment only applied to the final stages of assessment and required DPIE staff and other stakeholders to work towards a determination deadline. DPIE effectively used a case management approach to manage the risk that the accelerated timeframe could result in planning controls not being fully compliant with legislation. There is some room for improvement in the process, as four of 28 staff assessing planning proposals and DAs had not lodged current conflict of interest declarations.
Based on the results of and learnings from the Fast-tracked Assessment Program, DPIE has incorporated some elements of the program into other longer-term reforms. There is now increased transparency about when applicants can expect to receive a planning determination and DPIE has also introduced a case management approach for strategic and high priority planning applications. Applicants benefiting from case-managed assessment are now required to commit to a formal service charter that specifies the obligations of both DPIE and the applicant.
DPIE has not evaluated the Fast-tracked Assessment Program to understand the costs and benefits of the program, nor which aspects of the program were most effective as a basis for future reform.
Appendix one – Response from agency
Appendix two – Planning determination pathways
Appendix three – About the audit
Appendix four – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #354 - released (27 July 2021).
Planning, Industry and Environment 2020
This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
|
Audit opinions |
There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions. |
|
Timeliness of financial reporting |
The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline. |
|
Implementation of AASB 16 'Leases' |
Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Recommendation (partially repeat): Property NSW should:
Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW. Recommendation: The Department and cluster agencies should:
|
|
Unprocessed Aboriginal land claims continued to increase |
In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims. |
|
Financial reporting of Crown land managers |
The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations. Recommendation: The Department should:
During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements. |
2. Audit observations
|
Internal controls |
Six high‑risk issues were identified across the cluster in 2019–20:
One in three internal control issues identified and reported to management in 2019–20 were repeat issues. Recommendation: Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues. |
|
Agencies response to recent emergencies |
The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies. With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues. The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals. |
|
Recognition of Crown land |
Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20. Recommendation (repeat issue): The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control. |
|
Implementation of Machinery of Government (MoG) changes |
Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies. The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems. The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020. |
This report provides parliament and other users of the Planning, Industry and Environment cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID‑19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID‑19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the Consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
- revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
- review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.
Cluster agencies experienced a range of control and governance related issues in recent years. An increased number of high risk issues and greater proportion of repeat issues were identified as part of our audits. It is important for cluster agencies to promptly address these issues.
Section highlights
|
Waste levy and grants for waste infrastructure
The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.
The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014.
Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure.
The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.
Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.
This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.
The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.
The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.
One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.
Conclusion
The waste levy has a positive impact on diverting waste from landfill. However, aspects of the EPA's administration of the waste levy could be improved, including the frequency of its modelling of the waste levy impact and coverage, and the timeliness of reporting. Grant funding programs have supported increases in recycling capacity but are not guided by a clear strategy for investment in waste infrastructure which would help effectively target them to where waste infrastructure is most needed. Data published by the EPA indicates that the NSW Government is on track to meet the recycling target for construction and demolition waste, but recycling targets for municipal solid waste and commercial and industrial waste are unlikely to be met.
Waste levy
The waste levy rate, including a schedule of annual increases to 2016, was set by the NSW Government in 2009. Since 2016, the waste levy rate has increased in line with the consumer price index (CPI). The EPA has not conducted recent modelling to test whether the waste levy is set at the optimal level to achieve its objectives. The waste levy operation was last reviewed in 2012, although some specific aspects of the waste levy have been reviewed more recently, including reviews of waste levy rates for two types of waste. The waste levy is applied at different rates across the state. Decisions about which local government areas (LGAs) are subject to the levy, and which rate each LGA pays, were made in 2009 and potential changes were considered but not implemented in 2014. Currently, there are no objective and transparent criteria for determining which LGAs pay the levy. The EPA collects waste data from waste operators. This data has improved since 2015, but published data is at least one year out of date which limits its usefulness to stakeholders when making decisions relating to waste management.
Grants for waste infrastructure
All state funding for new and enhanced waste infrastructure in NSW is administered through grants to councils and commercial waste operators. The government's Waste and Resource Recovery (WARR) Strategy 2014–21 includes few priorities for waste infrastructure and there is no other waste infrastructure strategy in place to guide investment. The absence of a formal strategy to guide infrastructure investment in NSW limits the ability of the State Government to develop a shared understanding between planners, councils and the waste industry about waste infrastructure requirements and priorities. The Department of Planning, Industry and Environment is currently developing a 20-year waste strategy and there is an opportunity for the government to take a more direct role in planning the type, location and timing of waste infrastructure needed in NSW.
The grants administration procedures used for the grant programs reviewed in this audit were well designed. However, we identified some gaps in risk management, record-keeping and consistency of information provided to applicants and assessment teams. In four of the five programs we examined, there was no direct alignment between program objectives and the NSW Government's overall waste targets.
Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:
- Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
- Increase waste diverted from landfill to 75 per cent.
A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.
Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.
In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:
- Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
- Litter grants which provide funding for litter bins.
- Weighbridges grants for installation of a weighbridge at waste facilities.
- Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.
Appendix one – Responses from audited agencies
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #343 - released 26 November 2020
Education 2020
The Auditor-General for New South Wales, Margaret Crawford, released a report today titled Education 2020. This report focuses on key observations and findings from the most recent audits of agencies in the Education cluster.
Unqualified audit opinions were issued for all cluster agencies’ financial statements. However, internal control deficiencies were identified across the cluster agencies, including deficiencies in the management of purchasing cards and 15 internal control issues that were repeated from the previous year.
The 2019–20 natural disasters caused widespread damage in both Northern and Southern NSW. The COVID‑19 pandemic further challenged agencies, requiring social distancing and other infection control measures which disrupted the traditional means of teaching students. Agencies have adjusted their operations to respond to these emergency events.
The TAFE Commission’s revenues 2019–20 were impacted by the pandemic. Lower enrolments and an increase in fee-free short courses offered during the year contributed to the result.
This report analyses the results of our audits of financial statements of entities within the Education cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.
1. Financial reporting
| Audit opinions | Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits. |
| New accounting standards |
Agencies implemented three new accounting standards during the year. Our financial statement audits of the Department of Education (the Department) and NSW Education Standards Authority (NESA) identified issues with the leasing information provided by Property NSW (PNSW). Despite the outsourcing arrangement, both the Department and NESA remain ultimately responsible for the completeness and accuracy of this information, which would have benefited from a more thorough quality assurance, validation and review process before they placed reliance upon it. Recommendation: We recommend the Department and NESA:
|
| Changes were made to the financial reporting requirements this year to account for the impact of the pandemic |
Emergency legislation was enacted during the year in response to the COVID-19 pandemic. The legislation revised the statutory reporting deadlines for agencies to submit their financial statements and allowed the Treasurer to continue authorising payments from the consolidated fund until the enactment of the 2020–21 budget. All cluster agencies prepared their financial statements on a going concern basis and submitted their financial statements within the revised statutory deadlines. The State provided $159.0 million in stimulus funding to support the operations of cluster agencies during emergency events. Nearly half of this funding was to support cleaning activities by the Department and the Technical and Further Education Commission (the TAFE Commission) during the COVID-19 pandemic. |
| Quality and timeliness of financial reporting |
The number of monetary misstatements identified in agencies' financial statements decreased to 14 (23 in 2018–19). While the number of corrections made to the financial statements after the submission date increased to eight (two in 2018–19), it is important to note these corrections provide parliament and other users of the financial statements increased confidence in the accuracy and presentation of agencies' performance and financial position. |
| Sustainability of cluster agencies | The TAFE Commission's enrolments declined, and operating margins reduced, both being impacted by the COVID-19 pandemic. |
2. Audit observations
| Internal control deficiencies |
We identified 33 internal control issues, including 15 findings that were repeated from previous years. A high-risk issue was reported at the Department relating to the inadequate monitoring and follow up of privileged user activity in its enterprise resource planning system – SAP. Repeat findings relate to ongoing deficiencies in information technology controls and management policies, practices and procedures. Recommendation: Cluster agencies should:
|
| Agency responses to emergency events |
The Department established a separate bushfire relief directorate and COVID-19 Taskforce to assist and support school communities in response to recent emergencies. Other cluster agencies have established committees or response teams to oversee and address all aspects of the impact of COVID-19. |
| Schools review 2019 | We continue to identify instances of non-compliance in relation to cash management and procurement at schools. |
| Use of purchasing cards at the Department of Education |
Since 2015, the NSW Government has encouraged the use of purchasing cards by public sector agencies. Purchasing cards are efficient to transact low value, high volume procurement of goods and services, but the use must be effectively monitored. Our review of the Department's purchasing cards identified weaknesses in its oversight and monitoring controls, including the issue and cancellation of purchasing cards Opportunities exist for the Department to better monitor card use. Tools such as data analytics are an efficient and effective detective control to identify irregular activity or misuse by cardholders. Recommendation: The Department should:
|
This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the COVID-19 pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – supporting the going concern assessments of cluster agencies
- revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2020, including any financial implications from the recent emergency events.
Section highlightsUnqualified audit opinions were issued on the financial statements of cluster agencies.
All cluster agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements. Emergency legislation allowing the Treasurer to continue authorising payments from the consolidated fund under the existing Appropriations Act enabled cluster agencies to prepare financial statements on a going concern basis.
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Education cluster. It also comments on our review of elements of the financial control framework applied by schools in NSW whose financial results form part of the Department of Education's (the Department) financial statements.
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.
Section highlights
|
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 and 2018 recommendations
Appendix three – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
| New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
| Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
| IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
| Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
| Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
| Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
| Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
| Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
| Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
| Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
| Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
| Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
| Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
| Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
|
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
|
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
|
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
|
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
