Reports
Actions for Customer Service 2021
Customer Service 2021
This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.
What the report is about
The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.
What we found
Unmodified audit opinions were issued for all Customer Service cluster agencies.
The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.
Seven out of eight agencies did not complete all mandatory early close procedures.
What the key issues were
Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.
The department reported several retrospective corrections of prior period errors.
The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:
- the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
- the Department of Customer Service – significant control deficiencies in information technology change management controls
- Rental Bond Board – uncertainties in the accounting treatment of rental bonds.
The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.
The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.
What we recommended
The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.
The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.
The department should continue to improve controls in cyber security management.
Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.
The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.
Fast factsThe Customer Service cluster aims to plan, prioritise, fund and drive digital transformation and customer service across every cluster in the NSW Government.
|
This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.
Section highlights
|
Findings reported to management
Forty-two per cent of findings reported to management were repeat issues
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.
In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).
The most common repeat issues related to weaknesses in controls over information technology user access administration.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.
The table below describes the common issues identified across the cluster by category and risk rating.
Risk rating | Issue |
Information technology | |
High3 1 new, 1 repeat |
The financial audits identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with:
High-risk issues are discussed later in the chapter. |
Moderate2 |
|
Low1 |
|
Internal control deficiencies or improvements | |
Moderate2 |
The financial audits identified internal control weaknesses across key business processes, including:
|
Low1 |
|
Financial reporting | |
High3 |
The financial audits identified opportunities for agencies to strengthen financial reporting, including:
High-risk issues are discussed later in the chapter. |
Moderate2 |
|
Low1 |
|
Governance and oversight | |
Moderate2 10 new, 3 repeat |
The financial audits identified opportunities for agencies to improve governance and oversight processes, including:
|
Low1 3 new |
|
Non-compliance with key legislation and/or central agency policies | |
Moderate2 4 new, 4 repeat |
The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including:
|
Low1 1 repeat |
2020–21 audits identified three high-risk findings
High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.
Agency | Description |
2020–21 findings | |
Department of Customer Service Repeat finding: Qualifications and control deviations in GovConnect NSW controls assurance reports |
The GovConnect information technology general controls (ITGC) provided by the department, Infosys and Unisys were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access. The control deficiencies in ITGC increase:
The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. It is leading a new IT operating model called ‘Service Integration and Application Management’ (SIAM) to strengthen governance and improve performance of GovConnect service providers. The Department is responsible for the remediation of control deficiencies and continuous improvement in the GovConnect environment. This matter was assessed as high-risk, if not adequately addressed, it had the potential to result in material fraud and error in the department's financial statements and reputation damages. This issue is further discussed later in this chapter. |
2020–21 findings | |
Department of Customer Service New finding: Change management significant control deficiencies |
Revenue NSW, a division of the department has a key role in managing the State’s finances. It administers State taxes, manages fines, recovers State debt and administers grants and subsidies. The audit team found significant control deficiencies in change management controls:
We have included this matter as a high-risk management letter finding, as the audit team could not identify mitigating controls. The system activity of these developers was also not being independently logged and monitored. This increases the risk of unauthorised system change. This can significantly affect the integrity of tax calculation, business process approvals, invalid changes to bank accounts, unauthorised refunds and write-offs. The audit team conducted a risk analysis over the relevant business processes affected by this issue and performed additional audit procedures to address the audit risk. |
Rental Bond Board Repeat finding: Accounting treatment of rental bonds held in trust |
The Rental Bond Board (the Board) holds rental bonds totalling $1.7 billion at 30 June 2021. The Board treated the rental bonds off-balance sheet and disclosed the rental bonds as ‘trust funds’. This treatment is based on management’s judgement that the Board does not have control of these funds. Previously the Board obtained advices from the Crown Solicitors who stated that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to better support its accounting treatment of rental bonds. The Board has initiated the need to amend the Act, however the implementation of the legislative amendments is still pending. This matter was assessed as high-risk, if not adequately supported, it had the potential to result in material misstatements in the Board's financial statements. |
The number of moderate risk findings increased from prior year
Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.
Moderate risk findings include:
- weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
- accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
- formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
- use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.
The magnitude and number of internal control exceptions in GovConnect service providers have increased
In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.
The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.
The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.
The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.
The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.
ASAE 3402 controls report# | 2015–16^ | 2016–17 | 2017–18 | 2018–19 | 2019–20 | 2020–21 |
Infosys Accounts receivable | Qualified | Unqualified | Unqualified | Unqualified | Unqualified | Qualified |
Infosys Accounts payable | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys Fixed assets | Qualified | Unqualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys General ledger | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys Payroll | Adverse | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys ITGC | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Qualified |
Unisys ITGC | Qualified | Unqualified | Qualified | Qualified | Unqualified | Qualified |
The department ITGC* | -- | -- | -- | -- | Qualified | Qualified |
ServiceFirst** | Disclaimer | -- | -- | -- | -- | -- |
In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:
- the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
- of the deviations identified during sample testing of ITGC controls
- the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.
Internal control exceptions in GovConnect information and technology services require urgent remediations
The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:
- fraud and error in the financial statements
- ineffective segregation of duties controls
- accuracy and completeness of system generated reports for the agencies using the SAPConnect system.
The table shows the number of ITGC control deviations compared to prior year:
Year ended 30 June | 2021 | 2020 | ||
Total controls tested | Total number of control deviations and findings | Total controls tested | Total number of control deviations and findings | |
Infosys ITGC | 41 | 16 | 35 | 8 |
Unisys ITGC | 25 | 11 | 33 | 4 |
DCS ITGC | 31 | 9 | 10 | 5 |
Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.
The service auditor identified significant areas for remediation:
- governance arrangement of the IT services
- user access management controls
- SAP database controls
- logical access
- incident management.
In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.
The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.
Recommendation
We recommend the Department of Customer Service:
- improve governance and internal control environment over the information technology services
- ensure GovConnect service providers prioritise remediation actions to address internal control exceptions
- perform a post-implementation review of the transition of the Unisys arrangement to identify lessons learnt and continuous improvement
- develop data analytics to help analyse and identify high-risk patterns and anomalies in GovConnect key transaction systems, augmenting their existing monitoring and detective controls.
The NSW Public Sector's cyber security resilience needs urgent attention
The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.
The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:
- considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
- examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
- conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.
A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:
- clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
- require agencies to report the target level of maturity for each mandatory requirement.
A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.
The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.
The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.
The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.
Repeat recommendation
Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.
Management of cyber security risk
Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.
Our assessment of the department’s own cyber risk management shows that:
- an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
- a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.
The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.
Recommendation
We recommend the Department of Customer Service:
- establish an approved security incident response plan and formal process over patch management
- improve communications with cluster agencies over the controls and assurance in cyber security management.
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Appendix five – Status of 2020 recommendations
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Machinery of government changes
Machinery of government changes
What the report is about
The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.
The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.
Larger machinery of government changes typically occur after an election or a change of Premier.
This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.
What we found
The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.
DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.
The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.
Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.
What we recommended
DPC and NSW Treasury should:
- consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
- provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
- progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.
Fast facts
- $23.7m is the estimated minimum direct cost of the 2019 DPIE changes to date, noting additional ICT costs will be incurred
- $4.0m is the estimated minimum direct cost of the 2020 DRNSW changes, with an estimated $2.7 million ongoing annual cost
- 40+ NSW Government entities affected by the 2019 machinery of government changes
The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.
The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.
The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.
The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.
Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.
In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.
This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:
- DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
- DPIE and DRNSW can demonstrate the costs of the machinery of government changes
- The machinery of government changes have achieved or are achieving intended outcomes and benefits.
It is unclear whether the benefits of the machinery of government changes that created the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) outweigh the costs. The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of directly attributable benefits has not been monitored. The costs of the changes were not tracked or reported. The benefits and costs of the machinery of government changes were not tracked because the Department of Premier and Cabinet (DPC) and NSW Treasury did not require departments to collect or report this information. The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled. This was achieved despite short timelines and no additional budget allocation for the implementation of the changes.
The rationale for establishing DPIE was not documented at the time of the 2019 machinery of government changes and the anticipated benefits of the change were not defined by the government or the department. For DRNSW, the government’s stated purpose was to provide better representation and support for regional areas, but no prior analysis was conducted to quantify any problems or set targets for improvement. Both departments reported some anecdotal benefits linked to the machinery of government changes. However, improvements in these areas are difficult to attribute because neither department set specific measures or targets to align with these intended benefits. Since the machinery of government changes were completed, limited data has been gathered to allow comparisons of performance before and after the changes.
DPC and NSW Treasury advised that they did not define the purpose and benefits of the machinery of government changes, or request affected departments to do so, because these were decisions of the government and the role of the public service was to implement the decisions.
We have attempted to quantify some of the costs of the DPIE and DRNSW changes based on the information the audited agencies could provide. This information does not capture the full costs of the changes because some costs, such as the impact of disruption on staff, are very difficult to quantify, and the costs of ICT separation and integration work may continue for several more years. Noting these limitations, we estimate the initial costs of these machinery of government changes are at least $23.7 million for DPIE and $4.0 million for DRNSW. For DPIE, this is predominantly made up of ICT costs and redundancy payments made around the time of the machinery of government change. For DRNSW it includes ICT costs and an increase in senior executive costs for a standalone department, which we estimate is an ongoing cost of at least $1.9 million per year.
For the DPIE machinery of government change, there were risks associated with placing functions and agencies that represent potentially competing policy interests within the same 'cluster', such as environment protection and industry. We did not see evidence of plans to manage these issues being considered by DPIE as a part of the machinery of government change process.
The efficiency of machinery of government changes could be improved in several ways. This includes providing additional standardised guidance on the allocation of corporate functions and resources when agencies are being merged or separated, and consolidating guidance on defining, measuring and monitoring the benefits and costs of machinery of government changes.
Appendix one – Response from agencies
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #359 - released (17 December 2021).
Actions for Managing climate risks to assets and services
Managing climate risks to assets and services
What the report is about
This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.
Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.
NSW Treasury estimates these risks could have significant costs.
What we found
DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.
In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.
DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.
There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.
DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.
NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.
In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.
What we recommended
DPIE and NSW Treasury should, in partnership:
- enhance the coordination of climate risk management across agencies
- implement climate risk management across their clusters.
DPIE should:
- update information and strengthen education to agencies, and monitor progress
- review relevant land-use planning, development and building guidance
- deliver a climate change adaptation action plan for the state.
NSW Treasury should:
- strengthen climate risk-related guidance to agencies
- coordinate guidance on resilience in infrastructure planning
- review how climate risks have been assured in agencies’ asset management plans.
Fast facts
4 years
between commitments in the NSW Climate Change Policy Framework, and DPIE and NSW Treasury producing key supports to agencies for climate risk management.
$120bn
Value of physical assets held by nine NSW Government entities we examined that have not completed climate risk assessments.
Low capability to do climate risk assessment has been found across state agencies. The total value of NSW Government physical assets is $365 billion, as at 30 June 2020.
x3
NSW Treasury’s estimates of the annual fiscal and economic costs associated with natural disasters will triple by 2060–61.
According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.
According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.
The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.
In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.
The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:
- use robust climate projection information to understand the potential climate impacts
- undertake sound climate risk assessments, within an enterprise risk management framework
- implement adaptation plans that reduce these risks, and harness opportunities.
Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.
According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.
This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.
Conclusion
The Department of Planning, Industry and Environment (the department) has made climate projections available to agencies since 2014, but provided limited guidance to assist agencies to identify and manage climate risks. NSW Treasury first noted climate change as a contextual factor in its 2012 guidance on risk management. NSW Treasury only clarified requirements for agencies to integrate climate considerations into their risk management processes in December 2020.
The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.
Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.
More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.
The NSW Government set directions in the 2016 NSW Climate Change Policy Framework to 'manage the impact of climate change on its assets and services by embedding climate change considerations into asset and risk management’ and more broadly into 'government decision-making'.
The department released climate projections and has made information on projected climate change impacts available since 2014, but this has not been effectively communicated to agencies. The absence of a state-wide climate change adaptation action plan has limited the department's implementation of a coordinated, well-communicated program of support to agencies for their climate risk management.
NSW Treasury is responsible for managing the state's finances and providing stewardship to the public sector on financial and risk management, but it did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019. NSW Treasury estimates the financial costs of climate-related physical risks are significant and will continue to grow.
The partnership between the department and NSW Treasury has produced the 2021 Climate Risk Ready NSW Guide and Course, which aim to help agencies understand their exposure to climate risks and develop adaptation responses. The Guide maps out a process for climate risk assessment and adaptation planning and is referenced in NSW Treasury policy on internal audit and risk management. It is also referenced in NSW Treasury guidance to agencies on how to reflect the effects of climate-related matters in financial statements.
There is more work to be done by the department on maintaining robust, accessible climate information and educating agencies in its use. NSW Treasury will need to continue to update its policies, guidance and economic analyses with relevant climate considerations to support an informed, coordinated approach to managing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
The effectiveness of the department and NSW Treasury's support involves the proactive and sustained take-up of climate risk management by state agencies. There is a key role for the department and NSW Treasury in monitoring this progress and its results.
The support delivered to agencies around climate risk management, including risk assessment and adaptation planning, has been slow to start and of limited impact. The department's capacity to implement a coordinated approach to supporting agencies has also been limited by the absence of a state-wide adaptation strategy and related action plan.
In 2021, products were released by the department and NSW Treasury with potential to improve support to agencies on climate risk assessment and adaption planning (that this, Climate Risk Ready NSW Guide and Course, which provides links to key NSW Treasury polices). The department and NSW Treasury are now leading work to develop a more coordinated approach to climate risk management for agencies' assets and services, and building the resilience of the state to climate risk more broadly.
While climate projections have been available to agencies and the community more broadly since 2013–14, the department has not been effective in educating the relevant data users within agencies in how to use the information for climate risk assessments and adaptation planning.
The absence of a strategy focused on this is significant and has contributed to the current low levels of climate risk assessment uptake across agencies (see section 2). Agencies are required to use the climate projections developed by the department when developing long term plans and strategies as part of the NSW Government Common Planning Assumptions.
For the department, key opportunities to embed climate risk management include leveraging land use planning policies and guidance to drive adaptation, which has potential to better protect the state's assets and services. NSW Treasury has a role in continuing to update its policies, guidance and economic analyses with relevant climate change considerations to support an informed, coordinated approach to addressing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
There is currently no plan on how the department and NSW Treasury intend to routinely monitor the progress of agencies with implementing the CRR Guide or developing climate risk 'maturity' more broadly. As agencies are responsible for implementing risk management systems that meet NSW Treasury standards, which now clearly includes consideration of climate risk (TPP20-08), establishing effective monitoring, reporting and accountability around this progress should be a priority for the department and NSW Treasury.
Appendix one – Response from agencies
Appendix two – Timeline of key activities
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #355 - released (7 September 2021).
Actions for Grants administration for disaster relief
Grants administration for disaster relief
What the report is about
The report examined whether NSW Treasury, Service NSW and the Department of Customer Service effectively administered grants programs funded under the $750 million Small Business Support Fund, including:
- $10,000 Small Business Support Grant
- $3,000 Small Business Recovery Grant.
What we found
The agencies effectively implemented the grants within required timeframes, reflecting the NSW Government’s decision to deliver urgent financial support to small businesses impacted by the COVID-19 pandemic.
NSW Treasury met urgent timeframes to design the grants and Service NSW made timely payments in line with the grants' objectives and eligibility criteria.
Service NSW and the Department of Customer Service strengthened processes to detect and minimise fraud in response to identified external fraud risks, and to investigate suspected fraudulent applications.
Fraud security checks and investigations are ongoing, and the agencies will not know the full extent of fraud across the grants until these processes have been completed.
The agencies regularly monitored and reported on the timeliness of payments to small business applicants but have not yet measured all benefits of the grants programs.
The $10,000 Support Grant and the $3,000 Recovery Grant have provided around $630 million in one off grant payments to eligible small businesses.
What we recommended
NSW Treasury should finalise and implement an evaluation of both grants programs, including obtaining feedback from businesses.
Service NSW should develop a framework that documents expected controls for how it administers grants, including business processes, fraud control and governance and probity requirements.
Service NSW should publish information on all grants programs, including grants distribution and uptake.
The Department of Customer Service should ensure its processes for managing conflicts of interest meets its policy requirements.
Upcoming performance audit
The Audit Office is conducting a further performance audit into grants administration for disaster relief focussing on bushfire grants. This is planned to complete in 2021-22.
Fast factsSmall Business Support Fund
Grant program administration
|
Further information
Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.
The NSW Government responded to the partial shutdown of the NSW economy caused by the COVID-19 pandemic in 2020 by, among other measures, announcing on 3 April 2020 that it would place $750 million into the Small Business Support Fund (the Fund).
Under the Fund, the NSW Government would pay one-off grants of up to $10,000 to small business impacted by the shutdown. The objectives of the $10,000 Small Business Support Grant ($10,000 Support Grant) were to:
- ease the pressure on small businesses that have been affected by the COVID-19 pandemic
- support the ongoing operations of small businesses highly impacted by the COVID-19 restrictions
- deliver cash-flow into small businesses as soon as possible so that small businesses could meet pressing financial needs.
Grant applications were assessed against eligibility criteria that were determined by the NSW Government. The eligibility criteria for the $10,000 Support Grant required an employing small business to demonstrate it was significantly impacted by the COVID-19 pandemic by self-declaring or demonstrating a significant decline of 75 per cent or more in turnover compared to 2019. Documentation requirements were relaxed for small businesses within highly impacted industries.
In June 2020, the NSW Government announced a second round of one-off grants of up to $3,000 to small businesses that were highly impacted by the COVID-19 pandemic ($3,000 Recovery Grant). The objective of the $3,000 Recovery Grant was to help small businesses in 'highly impacted industries' — those directly impacted by the restrictions and closures put in place under the Public Health Orders — to meet the costs of safely reopening or scaling up operations.
The eligibility criteria for the $3,000 Recovery Grant required that a small business be in a highly impacted industry, demonstrate that it was significantly impacted by the COVID-19 pandemic by declaring a significant decline in turnover, and had costs associated with reopening under the 'COVID-Safe' requirements.
NSW Treasury and Service NSW implemented both grants on behalf of the NSW Government. The process of applying for a grant was intended to be quick and easy, with Service NSW using automated assessments and simple online application forms to process applications. Applicants applied for the $10,000 Support Grant through the Service NSW website between 14 April 2020 to 30 June 2020 and applied for the $3,000 Small Business Recovery Grant between 1 July 2020 and 31 August 2020.
At May 2021, around $520 million has been paid to over 52,500 grant applicants under the $10,000 Support Grant and around $109 million had been paid to around 36,700 grant applicants under the $3,000 Recovery Grant.
The Audit Office plans to undertake a performance audit into grants administration for disaster relief focussing on bushfire grants in 2021–22.
This audit assessed whether the grants funded under the $750 million Small Business Support Fund were effectively administered and implemented to provide disaster relief. It addressed the following questions:
- Were funded grants programs planned, designed and targeted effectively?
- Were funded grants programs implemented in line with the objectives and criteria and delivery requirements?
- Have agencies established measures to monitor intended benefits and outcomes?
This audit did not seek to assess the effectiveness of any other grant programs or stimulus measures. It also did not seek to assess the impact of the funding on applicants, or the future prospects of small businesses that received support.
ConclusionNSW Treasury and Service NSW effectively implemented two grants within required timeframes reflecting the NSW Government's decision to deliver urgent financial support to small businesses impacted by the COVID-19 pandemic in 2020. The $10,000 Support Grant and the $3,000 Recovery Grant have provided around $630 million in one-off grant payments to eligible small businesses.NSW Treasury met urgent timeframes to design the grants and Service NSW made timely payments in line with the grants' objectives and eligibility criteria.NSW Treasury met urgent timeframes to provide advice to the NSW Government on the grant design, proposed delivery partner, expected numbers of eligible businesses and the suitability of the proposed grant payment amount within the required timeframes. This was achieved within one day for the $10,000 Support Grant and within four days for the $3,000 Support Grant. In the context of the complex and changing pandemic and economic conditions between March and July 2020, NSW Treasury's advice to government outlined the risk, feasibility, expected demand estimates and assumptions for the grants. NSW Treasury's demand projections were limited by uncertainty as to the pandemic's economic impact. Estimated demand for the grants was not met, resulting in around $120 million from the Small Business Support Fund remaining unspent. Service NSW met urgent timeframes to stand-up both grants: 11 days for the $10,000 Support Grant and 26 days for the $3,000 Recovery Grant. It met agreed delivery requirements and made timely payments to small businesses in line with the grants' objectives and eligibility criteria. Over 65,000 businesses have received a payment under either grant, and over 23,000 businesses received both grants. Gaps in project and risk management processes were expected given the tight timeframe to implement the grants.The tight timeframe in which the agencies had to implement the grants contributed to gaps in project and risk management. The agencies advised that compromises were understood by both parties and were a necessary trade-off to ensure payments were made quickly. Service NSW and the Department of Customer Service have acted to strengthen their processes to detect and minimise fraud in response to identified external fraud risks and to investigate suspected fraudulent applications since the grants commenced. Service NSW intends to further enhance fraud controls for grants applications and payments for future grants by implementing a fraud control framework by December 2021. The agencies regularly monitored and reported on the timeliness of payments to small business applicants but have not yet measured all benefits of the grants programs.Service NSW and NSW Treasury established processes to monitor and report on the timeliness of payments to grant applicants. NSW Treasury has not yet measured all intended impacts of the grants, nor undertaken processes to obtain detailed feedback from grant recipients. Without these measures, there is limited insight into the extent to which the grants helped to support small businesses or ability to capture lessons which could be applied in future grants programs. NSW Treasury advises that an evaluation will commence from mid-2021. |
1. Key findings
Around $630 million in timely one-off grant payments have been made to small businesses
Service NSW and NSW Treasury have paid around $630 million in one-off grant payments to small businesses via two grants administered under the $750 million Small Business Support Fund. At May 2021:
- around $520 million has been paid to over 52,500 grant applications received for the $10,000 Small Business Support Grant ($10,000 Support Grant)
- around $109 million has been paid to 36,700 grant applications received for the $3,000 Small Business Recovery Grant ($3,000 Recovery Grant).
Across both grants, over 65,000 small businesses received a payment across either grant, and over 23,000 businesses received payments under both grants.
NSW Treasury advise that, while no data was collected on the time to pay applicants for the $10,000 Support Grant, from its monitoring of the grants' outputs it was satisfied that payment timeframes met its expectations. Service NSW met its targeted time to pay applicants with payments made within ten days for the $3,000 Recovery Grant.
Funds for both grants were not fully spent due to limitations in data and uncertainty of the COVID-19 pandemic's impact. At May 2021, the final demand for the $10,000 Support Grant was around 30 per cent less than initially anticipated and the final demand for the $3,000 Recovery Grant was around 40 per cent less than initially anticipated.
NSW Treasury developed proposals establishing high level design and delivery expectations within rapid timeframes
NSW Treasury put forward proposals to the NSW Government for the two grants administered under the $750 million Small Business Support Fund. It met rapid timeframes for producing this advice: within one day for the $10,000 Support Grant and within four days for the $3,000 Recovery Grant. NSW Treasury's advice to the NSW Government on how to best target the total funding, eligibility criteria and the feasibility of delivering the grants through Service NSW was based on comparable grants programs – including the $10,000 Small Business Bushfire Support Grant – which at that time were ongoing.
The proposals established, at a high-level, the rationale for the grants, expected financial costs, risks and analysis on budget impacts, and confirmation that Service NSW could deliver the grants applications platform. NSW Treasury's demand projections were uncertain due to limited data in the early stages of the pandemic regarding potential economic impact.
Given the tight timeframes, the proposals did not fully consider all planning and design aspects for both grants. For example, there was minimal identification of the costs and benefits of the programs, and a lack of detailed design and delivery requirements. The proposals outlined that arrangements to finalise the risk management, controls, and auditing plan would be agreed by Service NSW and NSW Treasury before implementation.
In future circumstances where urgent advice on program design is required, NSW Treasury could set clearer expectations for the delivery agency, including fully considering costs, benefits and delivery requirements that could be carried through to project governance and implementation.
Service NSW implemented both grants in line with delivery expectations
Service NSW met urgent timeframes to stand-up both grants: 11 days for the $10,000 Support Grant and 26 days for the $3,000 Recovery Grant. Delivery expectations for each grant were established under a grant project agreement (grant agreement). Service NSW delivered the online application platform, assessment of applications, payments and reporting of the grants' uptake as per the grant agreements.
The urgent timeframes to deliver the grants contributed to gaps in Service NSW's project and risk management processes throughout the lifecycle of both grants. For example, the requirement to meet pressing timeframes for the $10,000 Support Grant launch meant agencies had reduced time to achieve sign-off on key documentation. As a result, important documents and processes – including the grant agreement, risk documentation and key business process and quality assurance processes – were not finalised ahead of launch.
Quality assurance and compliance processes for detecting fraud were not settled until after the conclusion of the applications for the $10,000 Support Grant, and were not completed until late 2020. Some project documents, including risk registers, communication plans and project briefs are still not finalised.
The longer timeframe to develop the $3,000 Recovery Grant meant that agencies were able to build on their understanding of the implementation requirements from the $10,000 Support Grant, and better document these expectations and understanding while ensuring that key documents and sign-offs were in place prior to launch.
Service NSW tightened its risk management and controls in response to evidence of fraudulent applications
In May 2020, Service NSW and the Department of Customer Service (DCS) were alerted to suspected fraudulent activity within grants administered by Service NSW. Initially, Service NSW anticipated that up to $8.8 million of the $10,000 Support Grant was at risk of exposure to fraudulent applications. However, Service NSW reported that, at April 2021, $1.9 million for the $10,000 Support Grant and $254,000 for the $3,000 Recovery Grant from paid applications were at risk of fraud exposure.
Following an internal review of the potential exposure to fraudulent or ineligible applications, Service NSW implemented additional automated security checks on applications, increased manual assessments of grant applications, established a dedicated taskforce for grants administration and engaged a unit within DCS to manage high-risk investigations.
Service NSW and DCS's increased governance and oversight has resulted in an established case management function, increased referrals to law enforcement, prioritised investigations of suspicious applications and the development of a 'Fraud Control Framework' aimed at addressing external fraud risks. Given Service NSW had limited experience in these processes in context of administering grant payments, such actions were an appropriate response.
Security checks and investigations of suspicious applications are ongoing. Service NSW will not know the full extent of fraud across the grants until these processes have been fully completed.
Service NSW and Department of Customer Service can improve how conflicts of interest are managed for future programs
Compliance with agency policies and processes to manage conflicts of interest and financial subdelegations demonstrates that investment decisions are being made by appropriately skilled and experienced staff, allowing agencies to operate efficiently, and reducing the risk of internal fraud.
DCS was unable to produce employee conflicts of interest declarations for the $10,000 Support Grant. Therefore, it is not known how many employees had completed conflicts of interest declarations for this round.
DCS provided information on conflicts of interest declarations for the $3,000 Recovery Grant. Twenty-nine per cent of declarations provided for employees undertaking grant assessments for the $3,000 Recovery Grant were incomplete at March 2021, and a further nine per cent were not finalised even though they indicated a real, potential or perceived conflict.
For future grants programs, ensuring compliance with conflicts of interest policies would help DCS and Service NSW to have greater confidence that conflicts of interest are appropriately identified and managed.
NSW Treasury has not yet measured all benefits or outcomes of the grants
In April 2021, NSW Treasury updated its evaluation plan for the $10,000 Support Grant and $3,000 Recovery Grant in support of an economic evaluation to commence from mid-2021. The updated evaluation plan outlines inputs, activities, and outputs as well as immediate, short term and medium term outcomes for both grants.
The evaluation will consider the extent to which both grants achieved their intended outcomes, and whether the economic benefits exceeded the costs to help inform decisions about the nature and design of any future small business support programs. This will complement, and feed into a broader review of all NSW Government COVID-19 stimulus measures.
Service NSW rapidly developed an approach to administer the grants
Over recent disasters, such as the 2019–20 bushfires and the COVID-19 pandemic, Service NSW has been responsible for administering grant programs on behalf of other government agencies.
Service NSW implemented both grants under its Project Management Framework and under each grant agreement with NSW Treasury as it does not have its own grants administration framework. To address the risks that emerged during delivery, Service NSW developed an approach to standardise and monitor the administration of the grants while they were being implemented.
Service NSW now has an opportunity to establish a grants administration framework, based on the processes, lessons and outcomes captured under the grants administration taskforce and in developing its fraud control framework. Embedding these processes into business as usual for grants administration will enable Service NSW to have a consistent set of expectations for controls, business processes and governance and probity requirements for future grants it implements.
2. Recommendations
By December 2021, NSW Treasury should:
1. finalise and implement an evaluation of the $10,000 Support Grant and $3,000 Recovery Grant, including obtaining direct feedback from businesses on how grant funds achieved the grant objectives.
By December 2021, Service NSW should:
2. develop a grants administration framework, which documents expected controls – including fraud controls – business processes and governance and probity requirements
3. publish information on all grants programs, including grants distribution and uptake.
By December 2021, the Department of Customer Service should:
4. ensure its process for managing conflicts of interest meets policy requirements by:
- ensuring employees promptly declare any real, potential or perceived conflicts of interest
- annually producing a list of conflicts of interest for records retention purposes
- requiring a separate register of conflicts of interest declarations where a grant program is deemed as high risk.
3. Lessons for grants administered within urgent timeframes
The two grants this audit examined were administered within a context of urgent timeframes, and increased complexity and uncertainty about the impact of the COVID-19 pandemic. The following lessons are shared to assist sponsor and delivery agencies in administering future grants where rapid implementation is required.
Sponsor agencies should consider the following lessons:
1. develop an approach to define and measure benefits for rapidly developed programs and projects where a full business case and cost-benefit analysis is not feasible
2. establish common processes and expectations for co-administered grants:
- periodically assure agencies' capability to deliver grants programs
- agree and establish risk appetite statements with administering agencies
- clearly establish expected performance levels and targets under any agreement
3. review the processes and outcomes of rapidly developed programs, capture lessons learned, and apply these in planning and delivering future programs.
Delivery agencies should consider the following lessons:
1. risk management and risk appetite:
- perform robust assessment procedures to ensure risks associated with delivery of the project are identified
- ensure the controls implemented adequately address identified risks
- agree and document the acceptable risk appetite at the outset
- review risk management processes after the grants are issued when unable to finalise risk management processes ahead of launch
2. grant agreements between NSW public sector agencies:
- ensure agreements are finalised in a timely manner
- ensure agreements clearly outline:
- roles and responsibilities of both parties,
- changes in scope of services provided
- fees and charges applicable
3. frameworks for grants administration:
- ensure that there is a common set of expectations in place to guide grants administration including standard controls and processes for managing risk, capturing lessons learned and reporting on outcomes.
Appendix one – Response from agencies
Appendix three – Public Health Orders
Appendix four – Highly impacted industries
Appendix five – About the audit
Appendix six – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #352 - released (24 June 2021).
Actions for Service NSW's handling of personal information
Service NSW's handling of personal information
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.
The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.
The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.
The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.
Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.
Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.
Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.
The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.
In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.
In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.
This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.
This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.
It addressed the following:
- Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
- Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
- Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?
ConclusionService NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring. Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies. The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred. There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system. Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies. Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents. |
1. Key findings
Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020
Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.
Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.
One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.
This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.
It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.
Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.
In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.
A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.
Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.
Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies
Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.
The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.
Service NSW's privacy management plan has not been updated to include new programs and governance changes
Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.
The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).
Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes
Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.
Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.
Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks
Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.
The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.
While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.
2. Recommendations
Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.
As a matter of urgency, Service NSW should:
1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies
2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.
By March 2021, Service NSW should:
3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:
- to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
- to better reflect the full scope and complexity of personal information handled by Service NSW
- to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
- to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information
5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:
- ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
- ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:
6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:
- establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
- enable partitioning and role based access restrictions to personal information collected for different programs
- provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
- enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:
7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:
- are identified as high risk and have not previously had a privacy impact assessment
- have had major changes or updates since the privacy impact assessment was completed.
Appendix one – Responses from agencies
Appendix two – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for One TAFE NSW modernisation program
One TAFE NSW modernisation program
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the management of the One TAFE NSW modernisation program.
In 2016, the Government released 'A Vision for TAFE NSW' which stated that TAFE NSW needed to become more flexible, efficient and competitive. It set out the need to progressively reduce significant cost inefficiencies, including by moving away from separate institutes to a single institute model. TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision.
The Auditor General found that the One TAFE NSW modernisation program did not deliver against its key objectives within planned timeframes. The modernisation program originally aimed to realise $250 million in annual savings from 2018–19. Because of project delays and higher than expected transition costs, TAFE NSW did not meet the original savings target. TAFE NSW has made progress on key elements of the program and anticipates that savings will be realised in coming years.
The report makes two recommendations to improve governance arrangements for delivering on commercial objectives and increasing transparency of non commercial activities.
The report also identifies a series of lessons for future government transformation programs.
TAFE NSW is the public provider of Vocational Education and Training (VET) in New South Wales. In 2018, TAFE NSW enrolled 436,000 students in more than 1,200 courses at around 130 locations across the State.
There have been major policy changes impacting TAFE NSW over the past decade. Under the Smart and Skilled reform, TAFE NSW started to compete with other Registered Training Organisations (RTOs) for a share of the student market.
In 2016, the NSW Government released 'A Vision for TAFE NSW'. The Vision stated that a failure to adapt to market circumstances had left TAFE NSW with unsustainable costs and inefficiencies. To address this, TAFE NSW needed to become more flexible, efficient and competitive. It set out that TAFE NSW must progressively reduce significant cost inefficiencies, including by moving away from a model of separate institutes to a One TAFE NSW model. The NSW Government set TAFE NSW a target to achieve savings through implementing the Vision.
TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision. The program initially aimed to deliver savings of $250 million per year from 2018–19, but this target was reviewed and updated as the program was being delivered.
This audit assessed whether TAFE NSW effectively managed the One TAFE NSW modernisation program to deliver on the NSW Government's vision for TAFE NSW. In making this assessment, the audit examined whether:
- delivery of the program was well planned
- the program was driven by sound governance arrangements
- TAFE NSW is making progress against the intended outcomes of the program.
The audit focused on the effectiveness of planning, governance and reporting arrangements. It examined five projects within the overall modernisation program as case studies.
Conclusion
The One TAFE NSW modernisation program was an ambitious plan to deliver on the NSW Government’s vision for TAFE NSW, while achieving ongoing savings. Several factors contributed to TAFE NSW not effectively managing the program to deliver on planned timeframes and objectives. These factors include unclear expectations of the primary role of TAFE NSW, unrealistic timeframes, undertaking a large number of complex projects concurrently, governance arrangements that were not fit-for-purpose and poor-quality data.
Planning for the modernisation program and its projects was driven by top-down savings targets and pre-determined timeframes. This led to TAFE NSW attempting to deliver a large number of programs concurrently within tight timeframes. Program management capability was underdeveloped at the commencement of the program and this affected the quality of planning for delivery.
There was a lack of clarity around TAFE NSW's primary purpose. Part of the NSW Government's vision for TAFE NSW was for it to be more commercial, competitive and efficient. These objectives were not fully supported by existing legislation. The commercial objectives of the modernisation program conflicted with legislated social objectives for TAFE NSW. TAFE NSW did not have the autonomy to operate like a government-owned business in a market environment. And while TAFE NSW received separate funding to support students facing disadvantage this did not cover the costs of other non-commercial activities undertaken for social purposes, such as delivering uneconomic courses. The role of the TAFE Commission Board was ambiguous during the initial years of the program, which increased reporting requirements and blurred accountabilities for decision-making.
TAFE NSW's Strategic Plan 2016-22 nominated ten key milestones for delivery by January 2019. TAFE NSW has made progress against several important milestones, including that TAFE ‘is a single TAFE NSW brand’ and has 'industry specific TAFE NSW SkillsPoints'. Other key elements have yet to be delivered, including that TAFE NSW achieves 'integrated enterprise-wide business systems'. Because of delays to projects and higher than expected transition costs, TAFE NSW reported that it did not meet the originally targeted $250 million in annual savings for 2018–19 (which was reviewed and updated as the program was being delivered).
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #346 - released 17 December 2020
Actions for Central Agencies 2020
Central Agencies 2020
This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
Audit opinions and timeliness of reporting |
Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting |
Agencies were financially impacted by recent emergency events | The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events. |
AASB 16 'Leases' resulted in significant changes to agencies' financial position | The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected. |
Implementation of new revenue standards | NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements. |
2. Audit observations
Management letter findings and repeat issues | Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of:
High risk findings include:
Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records. |
Grants administration for disaster relief | Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief. |
Internal controls at GovConnect NSW service providers require enhancement |
GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:
These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority. |
The NSW Public Sector's cyber security resilience needs to improve |
The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency |
Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020 | The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme. |
icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes |
Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs. |
icare did not comply with GIPA requirements | icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020. |
Implementation of Machinery of Government (MoG) changes | MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster. |
This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.
Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.
Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines:
- our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
- our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.
Section highlights
|
Actions for Internal controls and governance 2020
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Government advertising 2018-19 and 2019-20
Government advertising 2018-19 and 2019-20
A report released today by the Auditor-General for New South Wales, Margaret Crawford found that select advertising campaigns conducted by Service NSW and the NSW Rural Fire Service met most requirements of the Government Advertising Act, regulations, Guidelines and other laws. However, the audit found that Service NSW inappropriately used its post campaign evaluation to measure sentiment towards and confidence in the NSW Government.
While agency analysis shows that the ‘Cost of Living’ (phases 2 and 3) and ‘How Fireproof is Your Plan?’ campaigns achieved most of their objectives, the campaign objectives and targets set by both agencies were not sufficient to measure all aspects of campaign effectiveness.
The report makes two recommendations to the Department of Customer Service. The first is to review its guidance to ensure agencies are not using post campaign evaluations to measure sentiment towards the government. The second, to review its guidance and the new process of peer review to ensure they support agencies to comply with the Act, the regulations and the Guidelines.
The Government Advertising Act 2011 requires the Auditor General to conduct an annual performance audit of one or more government agencies to see whether their advertising activities were carried out in an effective, economical and efficient manner and in compliance with the Government Advertising Act 2011.
The Government Advertising Act 2011 (the Act) requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit assesses whether a government agency or agencies have carried out activities in relation to government advertising in an effective, economical and efficient manner and in compliance with the Act, the regulations, other laws and the Government Advertising Guidelines (the Guidelines). This audit examined two campaigns run during the 2018–19 and 2019–20 financial years respectively:
- the 'Cost of Living' campaign run by Service NSW (phases 2 and 3 delivered in 2018–19)
- the 'How Fireproof Is Your Plan?' (Fireproof) campaign run by NSW Rural Fire Service (year two of a three-year campaign delivered in 2019–20).
Section 6 of the Act prohibits political advertising. Under this section, material that is part of a government advertising campaign must not contain the name, voice or image of a minister, member of parliament or a candidate nominated for election to parliament or the name, logo or any slogan of a political party. Further, a campaign must not be designed to influence (directly or indirectly) support for a political party.
Conclusion
Neither campaign breached the prohibition on political advertising contained in section 6 of the Act. While both campaigns met most requirements of the Act, the regulations, other laws and the Guidelines, we identified some instances of non-compliance. Service NSW inappropriately used its post campaign evaluation to measure sentiment towards and confidence in the NSW Government.
Service NSW used its post-campaign evaluation to measure sentiment towards and confidence in the NSW Government. While neither campaign breached the prohibition on political advertising contained in section 6 of the Act, measuring sentiment towards and confidence in the NSW Government is not an appropriate use of the post-campaign evaluation and creates a risk that the results may be used for party political purposes. This risk is heightened as both phases 2 and 3 of the Cost of Living campaign were run immediately before the NSW state election. We have made this finding previously in our report 'Government advertising 2017–18'.
The campaign objectives and targets set by both agencies were not sufficient to fully measure campaign effectiveness. Service NSW advertised seven rebates in phase 2 of the campaign but only set targets for the awareness and uptake of three of these rebates. NSW Rural Fire Service set objectives and targets to be achieved over the life of the three-year campaign but did not set targets to be achieved for each year of the campaign. While the Fireproof campaign is a three-year campaign, each year of the campaign is subject to a separate approval and peer review process.
Agency analysis shows that both campaigns achieved most of their objectives. There was some overlap in the timing of phases 2 and 3 of the Cost of Living campaign and both phases had similar high-level objectives to increase awareness of rebates, making it difficult to evaluate the effectiveness of each distinct campaign phase. NSW Rural Fire Service conducted a post-campaign evaluation for year two of the Fireproof campaign (2019–20) but although this showed positive results against the overall objectives of the three-year campaign, NSW Rural Fire Service did not set specific targets for year two of the campaign, making it difficult to evaluate effectiveness for that year.
Service NSW was not able to demonstrate that its campaign was economical as it directly negotiated with a single supplier for the creative materials for phase 2. This is contrary to the NSW Government's procurement rules which require agencies to obtain three quotes when using suppliers on a prequalification scheme. Service NSW did not comply with its own procurement policy, which restricts Service NSW employees from entering into discussions with a supplier until the appropriate delegate approves a direct procurement. NSW Rural Fire Service achieved cost efficiencies by re-using creative material developed in the first year of the campaign. NSW Rural Fire Service also received $4 million worth of free advertising time and space.
The cost benefit analyses prepared by both agencies did not fully meet the requirements in the Guidelines. Both agencies identified an alternative to advertising but did not assess the costs and benefits of that alternative. We have made this finding previously in our report 'Government advertising 2017–18' and in our report 'Government advertising 2015–16 and 2016–17'.
In 2018–19, Service NSW delivered phases 2 and 3 of the 'Cost of Living' campaign. The Cost of Living advertising campaign aimed to build awareness of the help available to ease the cost of living for people under financial pressure including awareness of specific rebates that can be claimed. As part of the Cost of Living program, Service NSW developed a webpage designed as a single portal to access more than 40 NSW Government savings, rebates and initiatives (which originated from over 12 different agencies). It also launched the Cost of Living service which includes face to face meetings and phone interviews to help people claim rebates from the NSW Government. Phase 2 of the campaign ran from September 2018 to August 2019. Phase 3 of the campaign ran from January 2019 to July 2019. The budgets for phases 2 and 3 were $4.127 million and $934,800 respectively. See Appendix two for more details on this campaign.
Campaign materials we reviewed did not breach section 6 of the Act
The audit team reviewed campaign materials developed as part of the paid advertising campaign including radio transcripts, digital videos and display. The audit team did not review the use of social media outside paid social media content as section four of the Act defines government advertising as the dissemination of information which is funded by or on behalf of a government agency. See Appendix two for examples of campaign materials for this campaign.
Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:
- be designed to influence (directly or indirectly) support for a political party
- contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
- contain the name, logo, slogan or any other reference to a political party.
The audit found no breaches of section 6 of the Act in the campaign material we reviewed.
Post-campaign evaluations measured sentiment towards and confidence in the NSW Government
The post-campaign evaluation for phases 2 and 3 measured levels of confidence with the statement ‘the NSW Government has your best interests at heart’, despite the fact this was not a stated objective of the campaign. This is not an appropriate use of the post-campaign evaluation, which should measure the success of the campaign against its stated objectives. The post-campaign evaluation for phase 3 found that exposure to the campaign improved sentiment towards the government amongst those who did not have confidence in the NSW Government.
Service NSW advised that it was important to measure the sentiment of the advertising including the wording 'best interests' as it did not want the whole of government brand to be detrimental to customer engagement with applying for the rebates.
Following phase 2, Service NSW conducted analysis of media sentiment using the key words 'cost of living' and the names of the Premier, Treasurer and Minister for Customer Service. The analysis presented the level of positive, negative and neutral media sentiment. The Government Advertising Guidelines 2012 list the purposes that government advertising may serve which do not include improving the perception of the government. The inclusion of this analysis in Service NSW's post-campaign evaluation creates a risk that the results may be used for party political purposes.
Section 10 of the Act restricts agencies from carrying out a campaign after 26 January in the calendar year before the Legislative Assembly is due to expire and before the election for the Legislative Assembly in that year. Service NSW authorised a media agency to book media in line with the media plans for the campaign. The media plans for the campaign show that Service NSW did not authorise or plan to run any advertisements between 27 January 2019 and 23 March 2019.
Service NSW did not set targets for all rebates advertised in phase 2
Service NSW did not set targets for four of the seven rebates that were advertised as part of phase 2 of the campaign. These rebates were the Family Energy Rebate, Appliance Replacement Offer, National Parks Concession Offer and the Pensioner Travel Voucher. As a result, it was unable to evaluate whether the advertisements for these rebates were effective. Service NSW advised that at the time the campaign went to peer review, when campaign objectives are set, it did not know which rebates would be included in the advertisements.
Service NSW stated in its submission to the Department of Premier and Cabinet that it may change the creative content for phase 2 as it announced new initiatives and rebates. The peer review process should have ensured that Service NSW set targets for any additional rebates or savings it intended to advertise before that advertising commenced to ensure a strategic approach to the campaigns that clearly demonstrated anticipated benefits were in place.
The post-campaign evaluation for phase 2 shows that the advertising campaign met most of its objectives
Service NSW set overall campaign objectives and specific targets for some rebates advertised as part of phase 2 of the campaign. The objectives, targets and results for phase 2 are shown in Exhibit 5. In phase 2, Service NSW established baseline data on levels of awareness of government rebates during the peer review process. The baseline level of awareness for government rebates was 44 per cent. The level of awareness for specific rebates was 46 per cent for the Compulsory Third Party (CTP) green slip refund, and 21 per cent for both Active Kids and Toll Relief.
Post-campaign evaluation reports for phase 2 show that the campaign met its objective to raise awareness of NSW Government rebates, achieving a 16 per cent increase in awareness from 44 per cent to 51 per cent. The campaign did not meet its target to increase awareness of the CTP green slip refund by ten per cent.
Service NSW did not report the results of the uptake of the CTP green slip refund, Active Kids and Toll Relief in its post campaign effectiveness report submitted to the Department of Premier and Cabinet. However, other post-campaign evaluation documentation, which Service NSW advise was submitted to the Department of Premier and Cabinet, show that these targets were met.
Service NSW did not report to the Department of Premier and Cabinet on whether it achieved the target of a ten per cent increase of average monthly visits to the Cost of Living webpage. Service NSW reported that it had achieved an average of 11,753 visitors to the webpage per day during the campaign. These average daily results indicate that the target was met.
Campaign objectives and targets | Does the post-campaign evaluation show that the target was met? |
---|---|
1. a) Increase awareness of rebates from the NSW Government by ten per cent. | |
b) Increase average monthly visits to the Cost of Living webpage by ten per cent. |
|
2. Increase awareness of rebates and savings by ten per cent for: |
|
|
|
|
|
|
|
3. Increase awareness that NSW Government initiatives relating to the cost of living are available via Service NSW by ten per cent. | |
4. Increase the uptake of rebates and savings for the CTP green slip refund, Active Kids and Toll Relief by ten per cent. |
Key | Yes | Not Fully |
Source: Service NSW. Audit Office analysis.
The post-campaign evaluation for phase 3 shows that the advertising campaign met most of its objectives
Service NSW set overall campaign objectives and specific targets for the two rebates advertised as part of phase 3 of the campaign. The objectives, targets and results for phase 3 are shown in Exhibit 6.
In phase 3, Service NSW established baseline data on levels of awareness during the peer review process. The baseline level of awareness for government rebates was 44 per cent. This is the same baseline that was used to measure performance for phase 2 of the campaign. Service NSW did not set baselines for awareness and uptake of Energy Switch and Creative Kids as these were new services.
Post-campaign evaluation reports for phase 3 show that the campaign met its objective to raise awareness of NSW Government rebates by ten per cent, achieving a 30 per cent increase in awareness from 44 per cent to 57 per cent. The overall increase in message take-out was met with 43 per cent agreeing with the message that the NSW Government is taking steps to ease the cost of living. The campaign achieved awareness and uptake targets for the specific rebates included in phase 3, except for awareness of Creative Kids which achieved 28 per cent awareness, falling short of the 30 per cent awareness target.
Campaign objectives and targets | Does the post-campaign evaluation show that the target was met? |
---|---|
1. Increase message takeout that ‘The NSW Government is taking steps to help ease the cost of living in NSW’ by ten per cent for those who can recall the campaign. | |
2. Increase awareness that the NSW Government has a range of rebates and savings by ten per cent. | |
3. Generate awareness with NSW residents aged 18+ of: |
|
|
|
|
|
4. Create uptake of Energy Switch and Creative Kids (8,356 clicks on the Energy Switch website and 107,938 Creative Kids vouchers downloaded with 70 per cent conversion). |
Key | Yes | Not Fully |
The timing of campaign phases meant that it was difficult for Service NSW to evaluate each distinct campaign phase and reduced opportunities to incorporate learnings from previous phases
Service NSW commenced planning for phase 2 of the campaign while phase 1 was still underway. This limited the opportunity for Service NSW to incorporate learnings from phase 1 into phase 2. There was some overlap in the timing of phase 2 and the start of phase 3 of the campaign, making it difficult to evaluate the effectiveness of each distinct campaign phase. Both phases 2 and 3 had the same high-level outcome objective to raise awareness of rebates by ten per cent. The baseline measures that were used to evaluate performance for phase 3 were the same as those used to evaluate phase 2. As a result, Service NSW was not able to separately evaluate these two phases of the campaign. This is important given the budgets for phases 2 and 3 were $4.127million and $934,800 respectively.
Service NSW allocated 7.5 per cent of its media budget to communications with culturally and linguistically diverse (CALD) and Aboriginal audiences
The NSW Government CALD and Aboriginal Advertising Policy requires that agencies spend at least 7.5 per cent of an advertising campaign media budget on direct communications with CALD and Aboriginal audiences. Service NSW authorised a media company to book media in line with the media plans for the campaign. The media plans for phases 2 and 3 of the campaign indicate that Service NSW met this requirement, with 7.5 per cent of the budget allocated to these audiences in phase 2 and 10.4 per cent in phase 3.
The post campaign evaluation for phases 1 and 2 of the Cost of Living campaign contained a recommendation to look at other opportunities to reach CALD audiences. Effective communication with CALD audiences was particularly important in phase 3 of the campaign, where they made up 30 per cent of the target audience for the Creative Kids advertisement. The post-campaign analysis for phase 3 showed that the campaign performed well with some, but not all CALD audiences. The post-campaign analysis also showed low awareness and uptake with Aboriginal audiences. Pre-campaign focus groups in phase 3 found Aboriginal audiences had a negative reaction to the campaign tag line ‘NSW Government is helping with the cost of living’ however this tagline was still used in some advertisements in phase 3.
The cost-benefit analysis (CBA) for phase 2 did not accurately assess the benefits of the campaign and did not assess the costs and benefits of alternatives to advertising
Under the Government Advertising Act 2011, agencies are required to prepare a CBA when the cost of the campaign is likely to exceed $1 million. The CBA conducted by Service NSW for phase 2 includes $8 million in benefits attributed to the advertisements for the Energy Switch tool and $6.9 million in benefits attributed to the advertisements for Creative Kids vouchers. These benefits should not have been included in the CBA for phase 2 as they were not included in this phase of the campaign. The CBA did not estimate the benefits of some other rebates and savings advertised in phase 2 of the campaign. This means that the CBA did not accurately assess the benefits of the campaign. Service NSW advised that at the time the CBA was developed it had not selected the rebates to be included in the campaign.
The Government Advertising Guidelines require agencies to consider options other than advertising to achieve the desired objective including a comparison of costs and benefits. The CBA developed as part of phase 2 identified using existing NSW Government communication channels as an alternative to advertising but did not assess the costs and benefits of this alternative.
This is a repeat finding from two previous government advertising audits. The report ‘Government Advertising: 2015–16 and 2016–17’ found that both agencies subject to the audit did not meet the requirements in the guidelines to consider alternatives to advertising. The report made a recommendation to the Department of Premier and Cabinet to work with Treasury to ensure the requirements of the guidelines are fully reflected in the 'Cost-Benefit Analysis Framework for Government Advertising and Information Campaigns'. The report ‘Government advertising 2017–18’ found that one agency subject to the audit did not identify to what extent the benefits could be achieved without advertising, nor did it consider alternatives to advertising which could achieve the same impact as the advertising campaign.
Service NSW negotiated with a single creative agency in phase 2, making it difficult to demonstrate value for money
Agencies are required to obtain three quotes when procuring a creative agency on the prequalification scheme if the estimated cost of the creative content is greater than $150,000. In phase 2 of the campaign, Service NSW extended the contract with the creative agency used for phase 1 of the campaign and did not obtain three quotes despite the cost of the creative content for phase 2 being $731,480. The requirement to obtain three quotes was met in phase 1 when initially selecting this creative agency.
Service NSWs procurement policy details that direct negotiation may be appropriate where there is a compelling reason to renew or rollover a contract beyond temporal or convenience reasons or in the cases of a genuine emergency. In its briefing to the Chief Executive, Service NSW stated that this contract extension was sought due to the time-sensitive nature of the project and that if work was delayed by a tender process, Service NSW may not be able to meet marketing milestones and this could result in limited customer uptake. This reason is not a genuine emergency and is not compelling as it does not explain what consequences would occur if it did not meet the marketing milestones or if there was limited customer uptake.
Service NSW's procurement policy also states that under no circumstances must Service NSW employees enter into discussions with a supplier until the delegate has formally made their decision to enter into direct negotiation. Service NSW briefed the Chief Executive of Service NSW in relation to extending the contract on 5 September 2018. The briefing states that the creative agency had already begun developing creative content for phase 2 and Service NSW had already received quotes from the creative provider for the proposed work prior to 5 September 2018. Procurement sign-offs were not completed until 7 September 2018. The engagement of the creative provider prior to appropriate approvals was contrary to Service NSWs procurement policy.
The economy of the campaign may have been limited by not meeting the procurement requirements in phase 2. It is possible that the creative provider may have offered a more competitive rate if it was aware that Service NSW was seeking quotes from other creative providers. Additionally, it is possible that another creative provider could have provided better value for money.
In phase 3 of the campaign, the estimated cost of the creative exceeded $150,000 however Service NSW chose to contract two different creative agencies, and the cost for each agency fell below the threshold to obtain three quotes. Agencies are permitted to obtain one quote when using a creative provider on the prequalification scheme if the cost is between $50,000 to $150,000. Service NSW advised that it contracted two creative providers as two different project teams were responsible for the rebates, each with separate marketing budgets.
Service NSW allowed sufficient time for cost-efficient media placement
During the peer review process, the Department of Premier and Cabinet advised agencies about the time they should allow to ensure cost-efficient media placement. For example, the Department of Premier and Cabinet advised that agencies book television advertising six to 12 weeks in advance and that agencies book radio advertising two to eight weeks in advance.
Service NSW allowed sufficient time between the completion of the peer review process and the commencement of the first advertising. Service NSW signed the agreement with the approved Media Agency Services provider with sufficient time to achieve cost-efficient media placement for all types of media used in this campaign.
The campaign may have been misleading for some people who were not eligible for rebates
Advertisements we reviewed focused on the amount of savings that could be obtained from rebates, for example ‘Save up to $285’, and ended with a statement ‘To save, visit service.nsw.gov.au. This directed viewers to the Cost of Living website which contains eligibility information. However, the advertisements in phases 2 and 3 we reviewed did not contain any details on the eligibility for these rebates and not all advertisements stated that eligibility criteria apply. Service NSW advised that the eligibility criteria for each rebate is extensive and that it was not possible to include this in the creative material.
Post-campaign evaluations in phase 3 recommended that advertisements for Creative Kids should indicate eligibility (e.g. age criteria) as statements on savings have the potential to be misleading when not all viewers will be eligible for rebates. Social media analysis conducted following phase 2 showed ineligibility or inability to claim rebates or refunds caused anger for some respondents.
Some advertisements in phase 2 stated ‘we've got something for everyone’. However, as rebates were subject to eligibility criteria, it is possible that some residents in NSW would not be eligible for any rebates as part of the Cost of Living initiative. As such, this statement has the potential to be misleading.
The campaign included statements that underestimated the savings that some customers could obtain
The Guidelines require accuracy in the presentation of all facts, statistics, comparisons and other arguments. The Guidelines also require that all claims of fact included in government advertising campaigns must be able to be substantiated.
In phase 2, the possible savings customers could obtain for two rebates or savings exceeded the amounts stated in the advertising campaign. Exhibit 7 shows some advertisements in phase 2 which stated, ‘My Green Slip Saving Save up to $60’. However, the State Insurance Regulatory Authority website shows that savings for some types of motor vehicles under the 2017 CTP scheme exceed $60. The State Insurance Regulatory Authority website states that the average saving under this scheme has been $129. Service NSW advised that these advertisements were designed for regional markets and that it used different advertisements for metropolitan areas which contained different amounts of savings.
Some advertisements in phase 2 stated, ‘My Toll Relief save up to $700’. The Service NSW website states that drivers can obtain free vehicle registration if they have spent $1,352 or more in tolls in the previous financial year. The cost of registration for some vehicles exceeds $700. This means the savings detailed in the advertisement were lower than what some customers could actually save.
NSW Rural Fire Service conducted the 'How FireProof Is Your Plan?' (Fireproof) campaign. The Fireproof campaign is a three-year campaign which ran in 2018–19 (year one), 2019–20 (year two) and is planned for 2020–21 (year three). This audit examined year two of the campaign (2019–20).
The Fireproof campaign is a public safety campaign encouraging people to plan and prepare for bush fires across the summer period. The campaign aims to improve the quality of bush fire planning and preparation in the community and decrease the impact of fires on the community when they occur.
Campaign materials we reviewed did not breach section 6 of the Act
The audit team reviewed campaign materials developed as part of the paid advertising campaign for example radio advertisements, television commercials and digital displays. The audit team did not review the use of social media outside paid social media content as section four of the Act defines government advertising as the dissemination of information which is funded by or on behalf of a government agency. Examples of campaign materials are shown in Appendix two.
Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:
- be designed to influence (directly or indirectly) support for a political party
- contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
- contain the name, logo, slogan or any other reference to a political party.
The audit found no breaches of section 6 of the Act in the campaign material we reviewed.
NSW Rural Fire Service did not set targets for the second year of the campaign
The second year of the Fireproof campaign (2019–20) had the same objectives as the first year of the campaign (2018–19), however no specific targets were set for the second year. The advertising submission for the first year of the campaign (2018–19) details the targets for each objective as an increase of ten per cent against the baseline data to be achieved by March 2021, at the end of the three-year campaign.
The second year of the Fireproof campaign (2019–20) was one of the first campaigns approved under the new budget and peer review processes introduced by the Department of Customer Service in 2019–20. The new process for peer review introduced a new template for campaign submissions. The former template for campaign submissions contained more prompts for agencies to ensure the submission contained sufficient detail of campaign objectives, baseline measures, targets, dates for measurement and detail on how they would measure objectives. Despite this, the peer review process should have identified that NSW Rural Fire Service did not set targets for the second year of the campaign.
The 2016 Guidelines for Implementing NSW Government Evaluation Framework for Advertising and Communications requires campaign objectives to be SMART (specific, measurable, achievable, realistic and timed). NSW Rural Fire Service did not meet this requirement for year two of the Fireproof campaign.
Post-campaign evaluations showed increases against four out of five objectives, however there were no specific targets
NSW Rural Fire Service set three campaign objectives at the time it submitted the second year of the campaign (2019–20) to the Department of Customer Service for peer review. However, the post-campaign effectiveness report submitted to the Department of Customer Service measured campaign effectiveness against five campaign objectives. The objectives in the post-campaign effectiveness report were the same objectives set for the first year of the campaign, which is appropriate as this was a repeat campaign.
NSW Rural Fire Service achieved increases against four of their five objectives. However, as noted above there were no specific targets (such as percentage increases) against which performance of the 2019–20 campaign could be measured. Despite this, at the end of the second year, the Fireproof campaign had already achieved some of the targets that NSW Rural Fire Service had set for the end of the third year of the campaign. The post-campaign research showed that both audience recall and exposure to the campaign increased significantly from the prior year. The campaign objectives and results are shown in Exhibit 8.
For those people who already have a bush fire plan, the campaign aimed to increase the number of those plans which have included two or more elements from the Guide to Making a Bush Fire Survival Plan. Elements from the Guide to Making A Bush Fire Survival Plan include actions such as deciding what to take with you if you leave, ensuring you have the right equipment for defending your home and allocating responsibilities to members of a household. The post-campaign evaluation showed that the campaign did not achieve an increase against this objective for people who planned to stay and defend their property rather than leave.
Campaign objectives | Does the post-campaign evaluation show increases against the objective? |
---|---|
1. Continue to increase the number of people that have discussed and/or written a plan with regards to what they will do in the event of a fire. | |
2. Of those who indicate they have a plan, increase the number of people who have included two or more elements from the Guide to Making a Bush Fire Survival Plan: | |
|
|
|
|
3. Increase the frequency in completing preparation activities around a person’s property. | |
4. Increase the number of people who correctly assess it is their responsibility to complete preparation activities and enact their plan without direct intervention from emergency services. | |
5. Visits to MyFirePlan website. |
Key | Yes | No |
NSW Rural Fire Service achieved cost efficiencies by reusing creative content developed in the first year of the campaign
Total creative and production costs incurred in year one of the campaign were $1.08 million. Rather than commissioning new creative materials, NSW Rural Fire Service re-used the same creative content in year two of the campaign. NSW Rural Fire Service incurred $100,000 in creative and production costs in year two of the campaign and achieved cost-efficiencies by reusing the same creative developed in the prior year.
NSW Rural Fire Service allowed sufficient time for cost-efficient media placement and received free media placements
The Department of Customer Service advises agencies to work with media contacts to book media in advance to ensure a cost-efficient placement. Prior to 2019–20, the Department of Premier and Cabinet provided suggested timeframes for agencies to book media as part of the peer review process. For example, it advised agencies to book television six to 12 weeks in advance and book radio advertising two to eight weeks in advance. NSW Rural Fire Service allowed sufficient time for a cost-efficient media placement.
NSW Rural Fire Service received $4 million of free advertising time and space donated by media companies due to the extent and impact of the 2019–20 fire season.
The cost benefit analysis (CBA) did not assess the costs and benefits of alternatives to advertising
Under the Government Advertising Act 2011, agencies are required to prepare a CBA when the cost of the campaign is likely to exceed $1 million. As part of the CBA, the Government Advertising Guidelines require agencies to consider options other than advertising to achieve the desired objective including a comparison of costs and benefits.
The CBA for the Fireproof campaign (year two) notes that the proposed campaign is one component of a broader community engagement strategy which has been developed over time and is based on research and evaluation. The CBA considers two options to achieve the objectives of the campaign. The first option is community engagement activities without an advertising campaign and the second option is community engagement activities alongside an advertising campaign. The CBA does not identify and assess the costs and benefits of both of the options in order to assess the most cost-efficient option.
This is a repeat finding from two previous government advertising audits. The report ‘Government Advertising: 2015–16 and 2016–17’ found that both agencies subject to the audit did not meet the requirements in the guidelines to consider alternatives to advertising. The report made a recommendation to the Department of Premier and Cabinet to work with Treasury to ensure the requirements of the guidelines are fully reflected in the 'Cost-Benefit Analysis Framework for Government Advertising and Information Campaigns'. The report ‘Government advertising 2017–18’ found that one agency subject to the audit did not identify to what extent the benefits could be achieved without advertising, nor did it consider alternatives to advertising which could achieve the same impact as the advertising campaign.
Appendix one – Responses from agencies
Appendix two – About the campaigns
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #342 - released 19 November 2020
Actions for The effectiveness of the financial arrangements and management practices in four integrity agencies
The effectiveness of the financial arrangements and management practices in four integrity agencies
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of the financial arrangements and management practices of four integrity agencies: the Independent Commission Against Corruption, the NSW Electoral Commission, the NSW Ombudsman, and the Law Enforcement Conduct Commission. The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding. The Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.
The audit found that the current approach to determining and administering annual funding for the integrity agencies presents threats to their independent status. The approach used by NSW Treasury and DPC is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies. Specific mechanisms that present threats to the independence of the integrity agencies include the absence of transparency in decisions about funding for the integrity agencies, the means of applying efficiency dividends and budget savings and reform measures, the process of providing additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.
The Auditor-General outlined the principles that inform the report’s recommendations in order to strengthen the financial arrangements for the integrity agencies. These principles are:
- There should be structured oversight by Parliament of the performance and financial management of the integrity agencies.
- Parliament’s role in the budget process should be expanded to ensure Cabinet is provided with more independent advice on the funding requirements for the integrity agencies.
- There should be transparency to Parliament and the relevant agency for decisions made about funding for the integrity agencies.
- The integrity agencies should be required to demonstrate their accountability as prudent managers of their financial resources.
The report also notes that the NSW Parliament should be consulted when considering the report’s recommendations.
This audit examined the effectiveness of the financial arrangements and management practices of four integrity agencies. It was conducted with reference to the legislative and Constitutional framework that is currently in place for financial management in New South Wales.
This report appropriately recognises that the government of the day is responsible for the prudent and responsible management of the state’s finances. It identifies several areas of ambiguity in the way the current financial arrangements apply to the integrity agencies that are the subject of this audit. It also highlights threats to the independence of the integrity agencies that may arise from the involvement of the Executive Government in the decision making about funding. The report argues these risks are not mitigated sufficiently under the current financial arrangements.
The recommendations in this report outline the principles that should inform the financial arrangements for the integrity agencies. Consistent with the Audit Office of NSW’s role in auditing NSW Government departments and agencies, the recommendations are directed to NSW Treasury and the Department of Premier and Cabinet. However, the report recognises that the current role of these entities in the funding arrangements for the integrity agencies poses a threat to their independence. Consequently, it is important to recognise the important role of the NSW Parliament in determining the appropriate funding model for the integrity agencies. The audited agencies should consult closely with the NSW Parliament when considering these recommendations to ensure the views of Parliament are reflected appropriately in any changes arising from the implementation of these recommendations. This recognises the appropriate role of the NSW Parliament in safeguarding the independence of its integrity agencies.
On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.
Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding.
The NSW Government, through the Treasurer, is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. The annual budget is the primary process that the NSW Government uses for financial management. Decisions about funding for the integrity agencies are made through this budget process. NSW Treasury provides guidance to all government departments and agencies, including the integrity agencies that are the focus of this audit, on the Government’s priorities for the budget. NSW Treasury also reviews and provides advice to the Expenditure Review Committee of Cabinet on proposals for funding through the budget.
The integrity agencies are subject to the application of ‘efficiency dividends’ and ‘budget savings and reform measures’, which limit their access to the full funding that has been approved by Parliament. NSW Treasury and DPC manage the application of these limits to the integrity agencies. The integrity agencies are grouped within the DPC ‘cluster’, which is an administrative arrangement created by the NSW Government. Clusters do not have legal status but are used for administrative and financial management. DPC has provided additional funding during the financial year to some of the integrity agencies in the years covered in this audit. DPC also oversees the involvement of the integrity agencies in developing and reporting on their outcomes. This is a requirement of NSW Treasury’s outcome budgeting reforms, which are currently being implemented.
Each of the integrity agencies is overseen by a parliamentary committee that includes members of both houses of the NSW Parliament. These committees are responsible for reviewing the performance of the integrity agencies that they oversee. They do not have a role in funding decisions. ICAC and LECC each have additional oversight from an Inspector. The Inspector of the ICAC’s role is to oversee the operations and conduct of ICAC to ensure that it complies with the law. The Inspector of the LECC’s role is to oversee the way LECC carries out its functions, with a focus on the legality of LECC’s use of its powers. Neither of these Inspectors has a role in funding decisions.
The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:
- not considering or commenting on the financial arrangements for our office
- requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies. The inquiry includes the four integrity agencies that are the subject of this audit and our office
- seeking independent legal advice on the framework for the financial arrangements for the integrity agencies
- using additional internal review processes to provide quality assurance to audit conclusions.
Conclusion
The current approach to determining annual funding for the integrity agencies presents threats to their independent status. The approach is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies.
The government of the day is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. Accordingly, the government of the day has a central role in decisions about funding for departments and agencies and in determining the financial management processes to be applied. This is clearly established in the legislative framework and conventions for managing public funds in New South Wales. This system is primarily designed to determine the funding for departments and agencies that are responsible to ministers. It is less appropriate for integrity agencies because it does not provide additional protection against the risk that funding decisions could be influenced by previous or planned investigations by the integrity agencies. This risk has the potential to limit the ability of the integrity agencies to fulfil their legislative mandate. The extent and nature of this risk differs for each of the integrity agencies. This is outlined in the key findings section below and described in detail in Chapters 2–5 of this report.
Aspects of the financial management mechanisms used to administer funding for the integrity agencies create tensions with their independent status. These mechanisms include the means of applying efficiency dividends and budget savings and reform measures, the provision of additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.
NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures to the integrity agencies. This results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC focus on the fact that the Appropriation Act provides funding for the integrity agencies to a Premier, rather than the agency, and does not state that a Premier must provide the full amount of funding approved to the agency. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative interpretation of the Appropriation Act would consider factors specific to the integrity agencies that differentiate them from other agencies subject to these measures. These factors include that the integrity agencies are independent of ministerial control, accountable to Parliament for performing specific legislated functions, and some may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is used, then the reduction of the integrity agencies’ access to appropriation funding approved by Parliament could diminish the independent status of the integrity agencies and limit their ability to fulfil their legislative mandate.
DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. DPC has advised that it considers these risks more theoretical than real.
DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019 (the Act), because of a change to the Act compared to previous appropriation legislation. The additional funding that was provided to ICAC in 2019–20 by DPC had been appropriated to DPC under Part 2 of the Act. The Act specified that funding appropriated under Part 2 could only be used for the purposes specified in that Part. ICAC receives its appropriation under Part 4 of the Act. It is contestable as to whether the purpose of an appropriation under Part 2 of the Act would include providing funding for an agency that receives an appropriation under another part of the Act.
The integrity agencies have been asked to report on activities and outcomes to DPC as part of the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier.
Our audit also assessed the integrity agencies’ systems for planning, budgeting and monitoring the efficiency of their work. We did not find major deficiencies in the management practices of the integrity agencies. We did identify opportunities for improvement in each agency. These are specific to the circumstances of each agency and are outlined in the key findings section below and Chapters 2–5 of this report.
On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.
Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments have a role in the financial arrangements for the integrity agencies. NSW Treasury manages the budget process that determines the annual funding for the integrity agencies. DPC has a role in managing access to this funding because the integrity agencies are placed within the DPC ‘cluster’.
The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:
- not considering or commenting on the financial arrangements for our office
- requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies and the NSW Parliament, including the four integrity agencies in this audit and our office
- seeking independent legal advice on the framework for the financial arrangements of the four integrity agencies in this audit
- using additional internal review processes to provide quality assurance to audit conclusions.
Conclusion
Financial arrangements for ICAC
ICAC's main functions are to investigate and prevent corruption in the public sector. Its legislation establishes it as an independent agency that is accountable to Parliament.
Decisions about the annual appropriation for ICAC are made by the Cabinet, with advice from NSW Treasury. Members of Cabinet or NSW Treasury could be involved in or affected by an ICAC investigation. There is no independent advice to Cabinet on ICAC’s funding requirements and there is no transparency to Parliament about the reasons for decisions made about ICAC’s budget. The absence of these safeguards in the current financial arrangements creates a threat to ICAC’s independence and have the potential to limit its ability to fulfil its legislative mandate.
ICAC submitted budget proposals seeking increases to its appropriation funding in several recent years. The budget proposals related to funding to expand its workforce to respond to increases in the volume and complexity of its work. Some of these proposals were rejected without reasons being provided. There are no formal mechanisms available to ICAC to question or challenge these decisions. The process available to ICAC to request additional funding outside the annual budget creates further risks to its independence.
ICAC’s management practices
ICAC’s staff use structured processes for prioritising work against its legislative mandate and it has conducted recent reviews to assess its operational efficiency. ICAC's internal budgeting processes are adequate but could be improved with better documentation of the reasons for its budget decisions.
Conclusion
Financial arrangements for NSWEC
NSWEC conducts elections and is responsible for maintaining the integrity of the electoral system in New South Wales. NSWEC’s legislation states that it should conduct elections and investigate potential breaches of electoral law independently and be accountable to Parliament. Decisions about the annual appropriation for NSWEC are made by the Cabinet. It is possible that NSWEC’s investigations of electoral integrity could include members of Cabinet or the political party that holds government. There is a risk that decisions about its funding could be influenced by the conduct of these investigations. If realised, this would be a threat to NSWEC’s independence and ability to fulfil its legislative mandate. NSWEC has not received the full funding amount it has requested in recent years. There is inadequate transparency about how funding decisions were made and there are no formal mechanisms to question or challenge these decisions.
The conduct of elections is a key element of a democratic system and under-funding this function could have serious implications. NSWEC’s requests for additional appropriation funding are assessed alongside the priorities of the government of the day. Its role transcends these immediate priorities and there is a risk that its funding requirements may not be prioritised.
NSWEC’s management practices
NSWEC’s internal budgeting processes and efficiency programs are clear and well documented. NSWEC has identified options to improve its operational and corporate efficiency but has not implemented all of these.
Conclusion
Financial arrangements for NSWO
NSWO oversees government agencies and some government-funded private sector bodies that provide services to the community or exercise administrative functions. NSWO’s legislation makes it clear that it should operate independently of the agencies it oversees and be accountable to Parliament.
NSWO’s investigations do not include members of Cabinet, except in relation to Public Interest Disclosures made about a minister, so the risk that decisions about its budget could be affected by its investigations is relatively lower. However, NSWO's investigations can comment on and make recommendations about government policies, which may have been endorsed by Cabinet or an individual minister, and its investigations cover systemic issues for which ministers and the heads of government departments are responsible. NSWO faces a further challenge in its ability to make compelling budget proposals under the current financial arrangements. Its funding requests are assessed alongside the government’s priorities, but its work is unlikely to align directly with these priorities.
NSWO’s management practices
NSWO has assessed its operational and corporate efficiency recently and has implemented major changes to its operating model in response to this. Its internal budgeting process is adequate but could be improved by being documented more thoroughly.
Conclusion
Financial arrangements for LECC
LECC's main functions are to investigate allegations of misconduct by law enforcement and oversee police handing of complaints. LECC’s legislation states it should operate independently of the agencies it oversees and be accountable to Parliament. LECC’s jurisdiction does not include members of Cabinet, NSW Treasury or DPC. However, LECC’s investigations have the potential to have a negative impact on a Minister for Police, who is a member of Cabinet, and the government of the day. There is a risk that decision makers for LECC’s funding could be influenced by these considerations. While LECC has not sought increases to its appropriation funding in recent years, there are no formal mechanisms to question or challenge these decisions if it did have concerns about its funding in the future.
Unlike the other integrity agencies in this audit, LECC is not classified as a separate GSF agency under the Government Sector Finance Act 2018. This difference means that LECC has less independence from the Executive Government, because LECC would have to comply with a Treasurer’s Direction even if it believes it is not consistent with the independent exercise of its functions.
LECC's management practices
LECC's internal budgeting processes are clear and documented and it has identified and implemented operational and corporate efficiency savings in several areas. LECC published a new strategic plan in July 2020. Over the first three years of its operations since 2017, LECC had not conducted effective strategic planning which made it difficult for LECC to demonstrate that it had a cohesive approach to its operations across the agency during this time.
Conclusion
Aspects of the financial management mechanisms used by NSW Treasury and DPC to administer funding for the integrity agencies create tensions with their independent status.
NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures which results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC take the view that the Appropriation Act provides funding for the integrity agencies to a Premier and does not state that a Premier must provide the full amount of funding to the agencies. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative approach to interpreting the Appropriation Act would consider the contextual factors specific to the integrity agencies. These factors include: the integrity agencies are independent of ministerial control, the integrity agencies are accountable to Parliament for performing specific legislated functions, and the integrity agencies may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is accepted, then the reduction of the integrity agencies’ access to appropriation funding could diminish the independent status of the integrity agencies.
DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. Separately, DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019. The appropriations for DPC and ICAC were made under different parts of the Act. Appropriation funding can only be paid out for the purpose specified in each part of the Act. It is not clear whether it is permissible to transfer funding between agencies that receive appropriations from different Parts of the Act.
The integrity agencies have recently been asked to report activity and outcome measures to DPC, as the principal department for the cluster that they have been placed in, under the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier. DPC has advised that it considers the risks to the independence of the integrity agencies described above to be more theoretical than real.
Appendix one – Response from agencies
Appendix two – About the audit
Appendix three – Opinion from the Crown Solicitor’s Office
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.