Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Service NSW's handling of personal information

Premier and Cabinet
Finance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

  • Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
  • Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
  • Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

  • to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
  • to better reflect the full scope and complexity of personal information handled by Service NSW
  • to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
  • to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

  • ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
  • ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

  • establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
  • enable partitioning and role based access restrictions to personal information collected for different programs
  • provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
  • enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

  • are identified as high risk and have not previously had a privacy impact assessment
  • have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

The effectiveness of the financial arrangements and management practices in four integrity agencies

Premier and Cabinet
Treasury
Management and administration

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of the financial arrangements and management practices of four integrity agencies: the Independent Commission Against Corruption, the NSW Electoral Commission, the NSW Ombudsman, and the Law Enforcement Conduct Commission. The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding. The Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

The audit found that the current approach to determining and administering annual funding for the integrity agencies presents threats to their independent status. The approach used by NSW Treasury and DPC is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies. Specific mechanisms that present threats to the independence of the integrity agencies include the absence of transparency in decisions about funding for the integrity agencies, the means of applying efficiency dividends and budget savings and reform measures, the process of providing additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

The Auditor-General outlined the principles that inform the report’s recommendations in order to strengthen the financial arrangements for the integrity agencies. These principles are:

  • There should be structured oversight by Parliament of the performance and financial management of the integrity agencies.
  • Parliament’s role in the budget process should be expanded to ensure Cabinet is provided with more independent advice on the funding requirements for the integrity agencies.
  • There should be transparency to Parliament and the relevant agency for decisions made about funding for the integrity agencies.
  • The integrity agencies should be required to demonstrate their accountability as prudent managers of their financial resources.

The report also notes that the NSW Parliament should be consulted when considering the report’s recommendations.

Read full report (PDF)

This audit examined the effectiveness of the financial arrangements and management practices of four integrity agencies. It was conducted with reference to the legislative and Constitutional framework that is currently in place for financial management in New South Wales.

This report appropriately recognises that the government of the day is responsible for the prudent and responsible management of the state’s finances. It identifies several areas of ambiguity in the way the current financial arrangements apply to the integrity agencies that are the subject of this audit. It also highlights threats to the independence of the integrity agencies that may arise from the involvement of the Executive Government in the decision making about funding. The report argues these risks are not mitigated sufficiently under the current financial arrangements.

The recommendations in this report outline the principles that should inform the financial arrangements for the integrity agencies. Consistent with the Audit Office of NSW’s role in auditing NSW Government departments and agencies, the recommendations are directed to NSW Treasury and the Department of Premier and Cabinet. However, the report recognises that the current role of these entities in the funding arrangements for the integrity agencies poses a threat to their independence. Consequently, it is important to recognise the important role of the NSW Parliament in determining the appropriate funding model for the integrity agencies. The audited agencies should consult closely with the NSW Parliament when considering these recommendations to ensure the views of Parliament are reflected appropriately in any changes arising from the implementation of these recommendations. This recognises the appropriate role of the NSW Parliament in safeguarding the independence of its integrity agencies.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding.

The NSW Government, through the Treasurer, is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. The annual budget is the primary process that the NSW Government uses for financial management. Decisions about funding for the integrity agencies are made through this budget process. NSW Treasury provides guidance to all government departments and agencies, including the integrity agencies that are the focus of this audit, on the Government’s priorities for the budget. NSW Treasury also reviews and provides advice to the Expenditure Review Committee of Cabinet on proposals for funding through the budget.

The integrity agencies are subject to the application of ‘efficiency dividends’ and ‘budget savings and reform measures’, which limit their access to the full funding that has been approved by Parliament. NSW Treasury and DPC manage the application of these limits to the integrity agencies. The integrity agencies are grouped within the DPC ‘cluster’, which is an administrative arrangement created by the NSW Government. Clusters do not have legal status but are used for administrative and financial management. DPC has provided additional funding during the financial year to some of the integrity agencies in the years covered in this audit. DPC also oversees the involvement of the integrity agencies in developing and reporting on their outcomes. This is a requirement of NSW Treasury’s outcome budgeting reforms, which are currently being implemented.

Each of the integrity agencies is overseen by a parliamentary committee that includes members of both houses of the NSW Parliament. These committees are responsible for reviewing the performance of the integrity agencies that they oversee. They do not have a role in funding decisions. ICAC and LECC each have additional oversight from an Inspector. The Inspector of the ICAC’s role is to oversee the operations and conduct of ICAC to ensure that it complies with the law. The Inspector of the LECC’s role is to oversee the way LECC carries out its functions, with a focus on the legality of LECC’s use of its powers. Neither of these Inspectors has a role in funding decisions.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

  • not considering or commenting on the financial arrangements for our office
  • requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies. The inquiry includes the four integrity agencies that are the subject of this audit and our office
  • seeking independent legal advice on the framework for the financial arrangements for the integrity agencies
  • using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

The current approach to determining annual funding for the integrity agencies presents threats to their independent status. The approach is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies.

The government of the day is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. Accordingly, the government of the day has a central role in decisions about funding for departments and agencies and in determining the financial management processes to be applied. This is clearly established in the legislative framework and conventions for managing public funds in New South Wales. This system is primarily designed to determine the funding for departments and agencies that are responsible to ministers. It is less appropriate for integrity agencies because it does not provide additional protection against the risk that funding decisions could be influenced by previous or planned investigations by the integrity agencies. This risk has the potential to limit the ability of the integrity agencies to fulfil their legislative mandate. The extent and nature of this risk differs for each of the integrity agencies. This is outlined in the key findings section below and described in detail in Chapters 2–5 of this report.

Aspects of the financial management mechanisms used to administer funding for the integrity agencies create tensions with their independent status. These mechanisms include the means of applying efficiency dividends and budget savings and reform measures, the provision of additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures to the integrity agencies. This results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC focus on the fact that the Appropriation Act provides funding for the integrity agencies to a Premier, rather than the agency, and does not state that a Premier must provide the full amount of funding approved to the agency. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative interpretation of the Appropriation Act would consider factors specific to the integrity agencies that differentiate them from other agencies subject to these measures. These factors include that the integrity agencies are independent of ministerial control, accountable to Parliament for performing specific legislated functions, and some may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is used, then the reduction of the integrity agencies’ access to appropriation funding approved by Parliament could diminish the independent status of the integrity agencies and limit their ability to fulfil their legislative mandate.

DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. DPC has advised that it considers these risks more theoretical than real.

DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019 (the Act), because of a change to the Act compared to previous appropriation legislation. The additional funding that was provided to ICAC in 2019–20 by DPC had been appropriated to DPC under Part 2 of the Act. The Act specified that funding appropriated under Part 2 could only be used for the purposes specified in that Part. ICAC receives its appropriation under Part 4 of the Act. It is contestable as to whether the purpose of an appropriation under Part 2 of the Act would include providing funding for an agency that receives an appropriation under another part of the Act.

The integrity agencies have been asked to report on activities and outcomes to DPC as part of the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier.

Our audit also assessed the integrity agencies’ systems for planning, budgeting and monitoring the efficiency of their work. We did not find major deficiencies in the management practices of the integrity agencies. We did identify opportunities for improvement in each agency. These are specific to the circumstances of each agency and are outlined in the key findings section below and Chapters 2–5 of this report.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments have a role in the financial arrangements for the integrity agencies. NSW Treasury manages the budget process that determines the annual funding for the integrity agencies. DPC has a role in managing access to this funding because the integrity agencies are placed within the DPC ‘cluster’.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

  • not considering or commenting on the financial arrangements for our office
  • requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies and the NSW Parliament, including the four integrity agencies in this audit and our office
  • seeking independent legal advice on the framework for the financial arrangements of the four integrity agencies in this audit
  • using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

Financial arrangements for ICAC

ICAC's main functions are to investigate and prevent corruption in the public sector. Its legislation establishes it as an independent agency that is accountable to Parliament.

Decisions about the annual appropriation for ICAC are made by the Cabinet, with advice from NSW Treasury. Members of Cabinet or NSW Treasury could be involved in or affected by an ICAC investigation. There is no independent advice to Cabinet on ICAC’s funding requirements and there is no transparency to Parliament about the reasons for decisions made about ICAC’s budget. The absence of these safeguards in the current financial arrangements creates a threat to ICAC’s independence and have the potential to limit its ability to fulfil its legislative mandate.

ICAC submitted budget proposals seeking increases to its appropriation funding in several recent years. The budget proposals related to funding to expand its workforce to respond to increases in the volume and complexity of its work. Some of these proposals were rejected without reasons being provided. There are no formal mechanisms available to ICAC to question or challenge these decisions. The process available to ICAC to request additional funding outside the annual budget creates further risks to its independence.

ICAC’s management practices

ICAC’s staff use structured processes for prioritising work against its legislative mandate and it has conducted recent reviews to assess its operational efficiency. ICAC's internal budgeting processes are adequate but could be improved with better documentation of the reasons for its budget decisions.

Conclusion

Financial arrangements for NSWEC

NSWEC conducts elections and is responsible for maintaining the integrity of the electoral system in New South Wales. NSWEC’s legislation states that it should conduct elections and investigate potential breaches of electoral law independently and be accountable to Parliament. Decisions about the annual appropriation for NSWEC are made by the Cabinet. It is possible that NSWEC’s investigations of electoral integrity could include members of Cabinet or the political party that holds government. There is a risk that decisions about its funding could be influenced by the conduct of these investigations. If realised, this would be a threat to NSWEC’s independence and ability to fulfil its legislative mandate. NSWEC has not received the full funding amount it has requested in recent years. There is inadequate transparency about how funding decisions were made and there are no formal mechanisms to question or challenge these decisions.

The conduct of elections is a key element of a democratic system and under-funding this function could have serious implications. NSWEC’s requests for additional appropriation funding are assessed alongside the priorities of the government of the day. Its role transcends these immediate priorities and there is a risk that its funding requirements may not be prioritised.

NSWEC’s management practices

NSWEC’s internal budgeting processes and efficiency programs are clear and well documented. NSWEC has identified options to improve its operational and corporate efficiency but has not implemented all of these.

Conclusion

Financial arrangements for NSWO

NSWO oversees government agencies and some government-funded private sector bodies that provide services to the community or exercise administrative functions. NSWO’s legislation makes it clear that it should operate independently of the agencies it oversees and be accountable to Parliament.

NSWO’s investigations do not include members of Cabinet, except in relation to Public Interest Disclosures made about a minister, so the risk that decisions about its budget could be affected by its investigations is relatively lower. However, NSWO's investigations can comment on and make recommendations about government policies, which may have been endorsed by Cabinet or an individual minister, and its investigations cover systemic issues for which ministers and the heads of government departments are responsible. NSWO faces a further challenge in its ability to make compelling budget proposals under the current financial arrangements. Its funding requests are assessed alongside the government’s priorities, but its work is unlikely to align directly with these priorities.

NSWO’s management practices

NSWO has assessed its operational and corporate efficiency recently and has implemented major changes to its operating model in response to this. Its internal budgeting process is adequate but could be improved by being documented more thoroughly.

Conclusion

Financial arrangements for LECC

LECC's main functions are to investigate allegations of misconduct by law enforcement and oversee police handing of complaints. LECC’s legislation states it should operate independently of the agencies it oversees and be accountable to Parliament. LECC’s jurisdiction does not include members of Cabinet, NSW Treasury or DPC. However, LECC’s investigations have the potential to have a negative impact on a Minister for Police, who is a member of Cabinet, and the government of the day. There is a risk that decision makers for LECC’s funding could be influenced by these considerations. While LECC has not sought increases to its appropriation funding in recent years, there are no formal mechanisms to question or challenge these decisions if it did have concerns about its funding in the future.

Unlike the other integrity agencies in this audit, LECC is not classified as a separate GSF agency under the Government Sector Finance Act 2018. This difference means that LECC has less independence from the Executive Government, because LECC would have to comply with a Treasurer’s Direction even if it believes it is not consistent with the independent exercise of its functions.

LECC's management practices

LECC's internal budgeting processes are clear and documented and it has identified and implemented operational and corporate efficiency savings in several areas. LECC published a new strategic plan in July 2020. Over the first three years of its operations since 2017, LECC had not conducted effective strategic planning which made it difficult for LECC to demonstrate that it had a cohesive approach to its operations across the agency during this time.

Conclusion

Aspects of the financial management mechanisms used by NSW Treasury and DPC to administer funding for the integrity agencies create tensions with their independent status.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures which results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC take the view that the Appropriation Act provides funding for the integrity agencies to a Premier and does not state that a Premier must provide the full amount of funding to the agencies. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative approach to interpreting the Appropriation Act would consider the contextual factors specific to the integrity agencies. These factors include: the integrity agencies are independent of ministerial control, the integrity agencies are accountable to Parliament for performing specific legislated functions, and the integrity agencies may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is accepted, then the reduction of the integrity agencies’ access to appropriation funding could diminish the independent status of the integrity agencies.

DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. Separately, DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019. The appropriations for DPC and ICAC were made under different parts of the Act. Appropriation funding can only be paid out for the purpose specified in each part of the Act. It is not clear whether it is permissible to transfer funding between agencies that receive appropriations from different Parts of the Act.

The integrity agencies have recently been asked to report activity and outcome measures to DPC, as the principal department for the cluster that they have been placed in, under the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier. DPC has advised that it considers the risks to the independence of the integrity agencies described above to be more theoretical than real.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Opinion from the Crown Solicitor’s Office

 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Members' Additional Entitlements 2017

Premier and Cabinet
Compliance
Internal controls and governance
Management and administration
Regulation
Service delivery

In a report released today, the Auditor-General for New South Wales, Margaret Crawford, identified two instances where Members of Parliament did not materially comply with the Parliamentary Remuneration Tribunal’s Determination relating to additional entitlements. The Department of Parliamentary Services has subsequently requested that the two Members concerned repay amounts that were incorrectly claimed. One claim was made under the Electorate to Sydney Travel allowance and the other from the Communication allowance.

Appendix one - Response from Parliamentary Remuneration Tribunal

Appendix two - Response from Department of Parliamentary Services

Published

Performance audit insights: key findings from 2014-2018

Whole of Government
Compliance
Fraud
Information technology
Internal controls and governance
Procurement
Project management

A report released today by the Auditor-General for New South Wales, Margaret Crawford, presents key findings from four years of performance audits. The report findings are presented around six areas of government activity including planning for the future, meeting community expectations for key services, investment in infrastructure, managing natural resources, ensuring good governance and digital disruption.

In this report, we present common findings and lessons from the past four years of performance audits, and offer insights to the public sector on elements of effective performance. We have analysed the key findings and recommendations from 61 performance audits tabled in the NSW Parliament between July 2014 and June 2018, spanning varied areas of government activity. We will also use this report to help determine areas of unaddressed risk across all parts of government, and to shape our future audit priorities.

Governments play an important stewardship role. Their decisions need to consider intergenerational equity by ensuring that investment strategies are sustainable. Governments also need to consider the impact of their decisions on different parts of the community. We recognise that governments face challenges in delivering programs and services, targeting complex social issues with finite resources.

Governments are changing how they deliver services to respond to citizen needs and deliver greater value for money. In this section, we reflect on audits that looked at how government entities are planning their activities to meet the needs of the community into the future.

State and local government exist to provide services to citizens, and citizens are playing a greater role in defining what services they want or need. Expectations about consultation, ease of access, timeliness, and customisation of services are rising. Governments face challenges to continually improve the way they plan and deliver services to meet these expectations. Governments also need to provide quality services for a growing and ageing population whilst working within a constrained financial environment.

Over the past four years, our performance audits have assessed aspects of State and local government services, including education, health services, disability support, corrective services, and many others. In this section, we draw together common findings that government entities should reflect on when providing services to the community.

The NSW Government’s 2018–19 Budget forecasts an $87.2 billion infrastructure investment program over the next four years. Infrastructure investment of this size carries significant opportunities and risks. Competition for resources is high and maintaining the capability to manage and deliver projects effectively is challenging. Governments also need to plan effectively to ensure infrastructure built today will meet future needs.

Over the past four years, we have looked at some of the ways NSW Government agencies justify and prioritise projects for funding, work with contractors to deliver projects, and track and report on progress. In this section, we draw together common findings from our audits that government entities should consider when planning future infrastructure projects.

Governments face challenges in balancing the use of natural resources to meet diverse interests, while supporting a sustainable natural environment for the future. They need to supply communities with water, produce energy, protect natural habitats, and support farming, industry, and economic development.

Some of our recent audits have considered how government agencies are managing natural resources and protecting the environment for future generations. In this section, we have drawn together common findings across our audits that government entities should consider in managing the environment and natural resources.

A range of checks and balances is needed to support public confidence in government decision making. To maintain trust, government agencies should act transparently, and in accordance with relevant legislation and policy. This is particularly important as the public sector increasingly engages with external partners to deliver services and provide a more contestable environment.

Good governance arrangements should result in improved service delivery and more effective and efficient use of resources. Our audits have looked at many different elements of governance, including making sure the necessary processes and workplace cultures are in place to help government entities achieve their aims. In this section, we have drawn together various aspects of governance that government entities should consider.

The global increase in digital technology provides governments with opportunities to interact with citizens in more immediate and responsive ways than was previously possible. Data can be used in powerful ways such as predicting future demand for services, targeting interventions, responding to crises, and evaluating outcomes. Governments face challenges in doing this while maintaining secure digital environments that protect citizen interests, privacy, and autonomy.

Our audits have assessed some of the ways that government entities are incorporating digital change into their work. In this section, we draw together common themes that governments could consider in protecting their digital assets, or expanding their digital capabilities.
 

Appendix one – Performance audits 2014 to 2018

Appendix two – Performance auditing

Appendix three – About this report

Published

Assessment of the use of a training program

Finance
Internal controls and governance
Management and administration

The Department of Finance, Services and Innovation (DFSI) and Service NSW's use of Franklin Covey's '7 Habits' program (the Program) met identified business needs according to a report released today by the Auditor-General for New South Wales Margaret Crawford. 

This audit assesses the effectiveness and economy of the Department of Finance, Services and Innovation's, including Service NSW's, use of the Franklin Covey ‘7 Habits’ program (the Program). On 15 March 2018, the Hon. Victor Dominello MP, Minister for Finance, Services and Property, requested the Auditor General conduct this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 (the Act).

About the agencies

The Department of Finance, Services and Innovation (the Department) is the lead agency of the Finance, Services and Innovation cluster. The Department has a number of divisions and business units, including: ICT and Digital Government, Property and Advisory Group, Better Regulation, NSW Fair Trading, Government and Corporate Services, and Revenue NSW. At 30 June 2017, the Department (excluding Service NSW) had 5,239 full-time equivalent staff.

Service NSW is a central point of contact for customers accessing NSW Government Services. It is a Division of the Finance, Services and Innovation cluster and operates as an executive agency. As an executive agency, Service NSW is led by a Chief Executive Officer, who is responsible to the Minister for Finance, Services and Property but appointed by the Secretary of the Department of Finance, Services and Innovation. Service NSW was established in 2013 and has operated under the Finance, Services and Innovation cluster since July 2015. At 30 June 2017, Service NSW had 1,989 full-time equivalent staff.

About the Program

The Program that the Department and Service NSW are implementing, and which is the subject of this audit, is a professional development training course which focusses on organisational culture emphasising personal effectiveness, leadership development and change management. All staff in the Department and Service NSW will receive the training, which involves:

  • a 360-degree assessment where every staff member receives feedback from their manager, direct reports, and peers
  • a two-day training workshop, which will be delivered face to face by accredited facilitators
  • 2 years of online access to all training materials created by the provider of the Program.

As part of the licensing arrangement purchased by the agencies, the Program also provides access (at no extra cost) to the full range of the provider's training and development courses that might be useful for other learning and development activities. This includes courses to improve staff capability in communication skills, leadership, productivity and customer engagement. The Department is considering using one of these courses to develop leadership capabilities. Service NSW has integrated three of these courses into its people development curriculum.

Service NSW commenced the first sessions of the Program in May 2017. At 24 April 2018, around 1,000 staff had undertaken the training. Service NSW expects all staff to complete the Program by June 2019.

The Department of Finance, Services and Innovation commenced the first sessions of the Program in August 2017. At 18 April 2018, around 175 staff had undertaken the training. The Department expects all staff to complete the Program by December 2019.

Audit objective and criteria

The audit sought to assess the effectiveness and economy of the Finance, Services and Innovation cluster’s use of the Program. In making this assessment, we considered whether:

  1.  the Program is being used effectively, including whether
    1. there is an identified need for the Program
    2. the use of the Program meets the identified need
    3. Finance, Services and Innovation cluster agencies evaluate the effectiveness of the Program
  2. the Program is economical, including whether:
    1. the procurement complies with all relevant policies and processes
    2. funding and resources allocated to the Program are reasonable.
Conclusion
The Department of Finance, Services and Innovation, and Service NSW developed workforce strategies which identified a business need to improve organisational culture and staff engagement. The Program met the identified business needs and both agencies negotiated value for money contracts for the delivery of the Program when compared to other available options for training all staff.
However, the agencies did not document evidence to show that training all staff members was necessary to meet their business needs, as compared with training fewer staff members at a lower overall cost. As a result, we are unable to form a view on whether the approach to train all staff members was economical. The agency heads have subsequently provided information supporting their decisions to train all staff members. This information indicates their decisions were based on evidence that this would meet the goals of their workforce strategies, including improving employee engagement scores and organisational culture change.
The Department is paying $1,320,700, over three years, for up to 5,600 staff to participate in the Program ($235.84 per person). Service NSW is paying $595,000, over two years, for up to 2,400 staff to participate in the Program ($247.92 per person).
The agencies are collecting the data they need to evaluate the Program and there is some evidence that the Program is achieving its objectives in Service NSW. Due to the timing of this audit, there is not yet enough information available to comment on whether the Program is achieving its objectives in the Department.

Sector-wide learnings

Implementing robust learning and development frameworks

  1. Agencies should evidence decisions about how proposed learning and development opportunities will meet staff and business needs - both in the program design, and through evaluation. In many cases, organisations may have unique needs or circumstances, or may want to trial innovative approaches to improving organisational capability. Innovation should be encouraged, to avoid the risk that agencies are locked into outdated training and development models. However such approaches should be balanced by ensuring that business needs are well scoped and defined.
     
  2. Agencies implementing innovative or new approaches to learning and development should build-in iterative evaluations (such as pulse surveys, or collecting post-participation qualitative feedback) to ensure that the training is delivered on intended benefits, and to inform improvements to ongoing rollout.
     
  3. Agencies implementing innovative or new training programs should ensure they build enough flexibility into contracts so that they can assess how well programs are meeting staff and business needs, and use evidence to inform whether further rollout should occur.

Appendix one – Response from agencies

Appendix two – Evaluation methodologies

Appendix three – About the audit

Published

Solar Bonus Scheme

Premier and Cabinet
Compliance
Infrastructure
Management and administration
Project management
Regulation
Risk
Service delivery

A NSW Auditor General’s Report has found that the NSW Government and its agencies grossly underestimated the cost and number of people that would install systems under the Solar Bonus Scheme.

By October 2010, the estimated cost of the Scheme, if it continued the way it was going, would have reached $3.988 billion. More than ten times the original estimate of $362 million. In response to the increased cost, the gross tariff for new applicants was reduced from 60 to 20 cents reducing the estimated cost to $1.954 billion.

It was a statutory requirement that when 50 mega watts of installed capacity was reached, the Government would review the Scheme. By the time the review was completed the installed capacity had reached 101 mega watts.

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE