Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Internal controls and governance 2021

Whole of Government
Compliance
Cyber security

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

What we found

Internal control trends

The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.

Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).

Information technology

We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.

Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.

Conflicts of interest

Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.

Masterfile management

Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.

Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.

Tracking recommendations

Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.

What we recommended

Agencies should:

  • prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
  • prioritise improvements to their cyber security and resilience as a matter of urgency
  • formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.

Fast facts

The 25 largest NSW government agencies in this report cover all nine clusters and represent over 95 per cent of total expenditure for NSW public sector.

  • high risk audit findings were identified this year
  • 40% of agencies have not formally accepted residual cyber risk based on their self-assessed maturity levels
  • 52% of agencies do not have a policy on tracking recommendations from performance audits and public inquiries
  • 50% of all internal control deficiencies identified in 2020–21 were repeat findings
  • 75% is the average completion rate of annual staff declarations of interests.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.

Section highlights

  • We identified nine high risk findings, compared to eight last year, with two findings repeated from last year. Six of the nine findings related to financial controls and three related to IT controls.
  • The proportion of repeat deficiencies has increased from 44 per cent in 2019–20 to 50 per cent in 2020–21. The longer these weaknesses in internal control systems exist, the higher the risk that they may be exploited and consequential impact.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

Section highlights

  • We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration and privileged user access.
  • Agencies are increasingly contracting out key IT services to third parties, however, weaknesses in IT service providers' controls can expose an agency to cyber security risks.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

Section highlights

  • Agencies' self‑assessed cyber maturity levels against the NSW Cyber Security Policy mandatory requirements are low and have not met their target levels. Forty per cent of agencies have not formally accepted the residual risk from gaps between their target and current maturity levels.
  • Most agencies have conducted cyber awareness training to staff during 2020–21. Some have further enhanced this training through awareness exercises such as simulated phishing emails to test staff knowledge.
  • Registers of security incidents and breaches are not consistent across agencies. Four agencies recorded nil breaches during 2020–21, however, their definition of incidents and breaches was not consistent with other agencies. For instance, they did not include account compromises or denial of service attacks. Only seven agencies' registers included details of actions taken to resolve issues.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.

Section highlights

  • Most agencies have established conflicts of interest policies consistent with the mandatory requirements of the Code of Ethics and Conduct for NSW Government sector employees. Agencies' policies could be strengthened to apply the standard they apply to senior executives to all employees and contractors. Currently, only senior employees are required to make annual declarations of interests, yet the ability to make or influence decisions is delegated to others in the organisation.
  • Half of agencies' policies specify units or divisions that are at higher risk of conflicts of interest arising due to the nature of their business. Policies should identify additional measures at the unit/division level to mitigate these risks.
  • On average, less than 75 per cent of staff completed annual declarations of interest where required. This could be improved with ongoing staff training and awareness, and follow up on incomplete conflicts of interest.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.

Section highlights

  • Most agencies have established policies or procedures on supplier masterfile management, however, only 56 per cent do for employee masterfile management.
  • Less than half of agencies review user access rights to supplier or employee masterfiles which contain sensitive information and are susceptible to fraud. Access to edit the masterfiles should be limited to authorised personnel for whom it is required to perform their duties.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.

Section highlights

  • Less than half of all agencies have a formal policy on monitoring recommendations from performance audits or public inquiries. Agencies should formalise and implement policies on tracking and monitoring the progress of those recommendations.
  • 56 per cent of agencies maintain a register of recommendations from performance audits or public inquiries. Registers could be improved to include features such as risk/priority rating, milestone due dates, record of revisions to due dates and explanatory comments.
  • Recommendations can take several years to address, with the oldest unactioned items we noted dating back to 2016. Agencies reported completion of a third of recommendations that were raised within the last year.

Published

Planning, Industry and Environment 2021

Environment
Industry
Local Government
Planning
Asset valuation
Financial reporting
Information technology
Internal controls and governance
Risk

This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.

An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.

The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.

The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.

There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.

Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.

The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.

There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.

What the key issues were

The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.

Seven high-risk issues were identified in 2020–21:

  • system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
  • deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
  • the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
  • the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
  • deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
  • lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
  • the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.

There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.

The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.

What we recommended

The department should ensure CLMs and common trusts meet their statutory reporting obligations.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.

The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.

Fast facts

The Planning, Industry and Environment cluster aims to make the lives of people in New South Wales better by developing well-connected communities, preserving the environment, supporting industries and contributing to a strong economy.

There are 54 agencies, 609 State controlled Crown land managers that predominantly manage small parcels of Crown land and 120 common trusts in the cluster.

  • 42% of the area of NSW is Crown land
  • $33.2b water and electricity infrastructure as at 30 June 2021
  • 100% unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits
  • 7 high-risk management letter findings were identified
  • 54 monetary misstatements were reported in 2020–21
  • 40% of reported issues were repeat issues

This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.

Section highlights

  • Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
  • An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
  • The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
  • The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
  • Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.

Section highlights

  • The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
  • Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
  • There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Customer Service 2021

Finance
Asset valuation
Cyber security
Financial reporting
Information technology
Internal controls and governance
Shared services and collaboration

This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Customer Service cluster agencies.

The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.

Seven out of eight agencies did not complete all mandatory early close procedures.

What the key issues were

Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.

The department reported several retrospective corrections of prior period errors.

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:

  • the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
  • the Department of Customer Service – significant control deficiencies in information technology change management controls
  • Rental Bond Board – uncertainties in the accounting treatment of rental bonds.

The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.

The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.

What we recommended

The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.

The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.

The department should continue to improve controls in cyber security management.

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.

Fast facts

The Customer Service cluster aims to plan, prioritise, fund and drive digital transformation and customer service across every cluster in the NSW Government.

  • $3.9b total expenditure incurred in 2020–21 
  • $34.1b total administered income managed on behalf of the NSW Government in 2020–21
  • 100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements 
  • 3 high-risk management letter findings were identified
  • 46 monetary misstatements were reported in 2020–21
  • 42% of reported issues were repeat issues.

This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.

Section highlights

  • Unqualified audit opinions were issued on the financial statements of cluster agencies.
  • The number of reported misstatements has decreased from 48 in 2019–20 to 46 in 2020–21.
  • Agencies could do more work to improve the quality and timeliness of completing mandatory early close procedures.
  • The Department of Customer Service implemented the new accounting standard AASB 1059 'Service Concession Arrangements: Grantors', which resulted in recognition of a service concession asset of $845 million at 1 July 2019. The valuation of land titling database requires significant judgements and estimations.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.

Section highlights

  • The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. Twenty-six moderate risk issues were repeat issues. The most common repeat issues related to information technology controls around user access management.
  • The magnitude and number of internal control qualification issues from GovConnect service providers have increased. Ineffective controls at service providers increase the risk of fraud, error and security to data. Urgent attention is required to remediate the internal control exceptions in information and technology services.
  • The NSW Public Sector's cyber security resilience needs urgent attention. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Findings reported to management

Forty-two per cent of findings reported to management were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating. 

Risk rating Issue
Information technology
High3
1 new,
1 repeat

The financial audits identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with:

  • internal control exceptions in information and technology services provided by GovConnect service providers
  • inadequate change management controls
  • poor user access administration and no monitoring of privileged user activities
  • insufficient cybersecurity controls and processes.

High-risk issues are discussed later in the chapter.

Moderate2
5 new,
8 repeat

Low1
7 new,
5 repeat
Internal control deficiencies or improvements

Moderate2
5 new,
3 repeat

The financial audits identified internal control weaknesses across key business processes, including:

  • lack of documentation support for payroll transactions
  • untimely removal of unused transaction negotiation authority facility and old bank signatories
  • inadequate fixed asset management controls including timely capitalisation of project overhead costs.

 Low1
3 new,
2 repeat
Financial reporting

High3
1 new

The financial audits identified opportunities for agencies to strengthen financial reporting, including:

  • uncertainties in legislation to support accounting of rental bonds as funds held in trust
  • improvements required in lease accounting including the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy 
  • the removal of fully depreciated assets in the fixed asset register was not timely
  • the quality and timeliness of completing early close procedures required improvement.

High-risk issues are discussed later in the chapter.

Moderate2
9 new,
8 repeat

Low1
7 new,
3 repeat
Governance and oversight
Moderate2
10 new,
3 repeat

The financial audits identified opportunities for agencies to improve governance and oversight processes, including:

  • renewing or finalising service arrangement agreements between agencies were required 
  • lack of formalised documentation regarding arrangements with external providers for leasing and use of assets.
Low1
3 new
Non-compliance with key legislation and/or central agency policies
Moderate2
4 new,
4 repeat

The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including:

  • non-compliance with contract and procurement management policy, including the use of purchasing cards
  • non-compliance with TC 21-02 'Statutory Act of Grace Payments'
  • annual leave in excess of 30 days where Circular 2020-12 requires agency heads to reduce employee recreation leave balances to 30 days or less.
Low1
1 repeat
4 Extreme risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
3 High-risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
2 Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
1 Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based on management letters issued to agencies.

2020–21 audits identified three high-risk findings

High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.

Agency Description
2020–21 findings  
Department of Customer Service
Repeat finding:
Qualifications and control deviations in GovConnect NSW controls assurance reports

The GovConnect information technology general controls (ITGC) provided by the department, Infosys and Unisys were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The control deficiencies in ITGC increase:

  • the risk of unauthorised transactions, system and configuration changes (workflow approvals, three-way match etc.) and modifications to the system reports
  • incomplete, invalid and inappropriate system access, segregation of duties controls and system reports for the customers using the SAPConnect.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. It is leading a new IT operating model called ‘Service Integration and Application Management’ (SIAM) to strengthen governance and improve performance of GovConnect service providers. The Department is responsible for the remediation of control deficiencies and continuous improvement in the GovConnect environment.

This matter was assessed as high-risk, if not adequately addressed, it had the potential to result in material fraud and error in the department's financial statements and reputation damages.

This issue is further discussed later in this chapter.
2020–21 findings  
Department of Customer Service
New finding:
Change management significant control deficiencies

Revenue NSW, a division of the department has a key role in managing the State’s finances. It administers State taxes, manages fines, recovers State debt and administers grants and subsidies.

The audit team found significant control deficiencies in change management controls:

  •  appropriate system controls were not in place to restrict developers from releasing changes to the live business systems
  • 8 developers had direct access to the business application servers used for calculating and administering State taxes.

We have included this matter as a high-risk management letter finding, as the audit team could not identify mitigating controls. The system activity of these developers was also not being independently logged and monitored. This increases the risk of unauthorised system change. This can significantly affect the integrity of tax calculation, business process approvals, invalid changes to bank accounts, unauthorised refunds and write-offs. The audit team conducted a risk analysis over the relevant business processes affected by this issue and performed additional audit procedures to address the audit risk.
Rental Bond Board
Repeat finding: Accounting treatment of rental bonds held in trust

The Rental Bond Board (the Board) holds rental bonds totalling $1.7 billion at 30 June 2021. The Board treated the rental bonds off-balance sheet and disclosed the rental bonds as ‘trust funds’. This treatment is based on management’s judgement that the Board does not have control of these funds.

Previously the Board obtained advices from the Crown Solicitors who stated that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to better support its accounting treatment of rental bonds. The Board has initiated the need to amend the Act, however the implementation of the legislative amendments is still pending.

This matter was assessed as high-risk, if not adequately supported, it had the potential to result in material misstatements in the Board's financial statements.

The number of moderate risk findings increased from prior year

Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.

Moderate risk findings include:

  • weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
  • accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
  • formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
  • use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.

The magnitude and number of internal control exceptions in GovConnect service providers have increased

In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.

The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.

The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.

The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.

ASAE 3402 controls report# 2015–16^ 2016–17 2017–18 2018–19 2019–20 2020–21
Infosys Accounts receivable Qualified Unqualified Unqualified Unqualified Unqualified Qualified
Infosys Accounts payable Qualified Qualified Unqualified Unqualified Unqualified Unqualified
Infosys Fixed assets Qualified Unqualified Unqualified Unqualified Unqualified Unqualified
Infosys General ledger Qualified Qualified Unqualified Unqualified Unqualified Unqualified
Infosys Payroll Adverse Qualified Unqualified Unqualified Unqualified Unqualified
Infosys ITGC Qualified Qualified Unqualified Unqualified Unqualified Qualified
Unisys ITGC Qualified Unqualified Qualified Qualified Unqualified Qualified
The department ITGC* -- -- -- -- Qualified Qualified
ServiceFirst** Disclaimer -- -- -- -- --
# The ASAE 3402 controls reports were issued by an independent private sector service auditor appointed by the Department of Customer Service.
* Information technology services were transitioned from Unisys to the department in phases from 2019–20 to 2020–21.
** ServiceFirst was the shared service centre and its last reporting period was from 1 July 2015 to 13 December 2015.
^ GovConnect first reporting period from 14 December 2015 to 30 June 2016.

In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:

  • the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
  • of the deviations identified during sample testing of ITGC controls
  • the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.

Internal control exceptions in GovConnect information and technology services require urgent remediations

The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:

  • fraud and error in the financial statements
  • ineffective segregation of duties controls
  • accuracy and completeness of system generated reports for the agencies using the SAPConnect system.

The table shows the number of ITGC control deviations compared to prior year:

Year ended 30 June 2021 2020
  Total controls tested Total number of control deviations and findings Total controls tested Total number of control deviations and findings
Infosys ITGC 41 16 35 8
Unisys ITGC 25 11 33 4
DCS ITGC 31 9 10 5

Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The service auditor identified significant areas for remediation:

  • governance arrangement of the IT services
  • user access management controls
  • SAP database controls
  • logical access
  • incident management.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.

The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.

Recommendation

We recommend the Department of Customer Service:

  • improve governance and internal control environment over the information technology services
  • ensure GovConnect service providers prioritise remediation actions to address internal control exceptions
  • perform a post-implementation review of the transition of the Unisys arrangement to identify lessons learnt and continuous improvement
  • develop data analytics to help analyse and identify high-risk patterns and anomalies in GovConnect key transaction systems, augmenting their existing monitoring and detective controls.

The NSW Public Sector's cyber security resilience needs urgent attention

The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.

The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:

  • considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
  • examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
  • conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.

A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:

  • clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
  • require agencies to report the target level of maturity for each mandatory requirement.

A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.

The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.

The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.

Repeat recommendation

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Management of cyber security risk

Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.

Our assessment of the department’s own cyber risk management shows that:

  • an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
  • a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.

The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.

Recommendation

We recommend the Department of Customer Service:

  • establish an approved security incident response plan and formal process over patch management
  • improve communications with cluster agencies over the controls and assurance in cyber security management.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Status of 2020 recommendations

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Stronger Communities 2021

Justice
Community Services
Financial reporting
Internal controls and governance

This report analyses the results of our audits of the Stronger Communities cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Stronger Communities cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Stronger Communities cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unqualified audit opinions were issued for all 30 June 2021 financial statements of cluster agencies.

Eleven of the 15 cluster agencies required to submit 2020–21 early close financial statements and other mandatory procedures did not meet the statutory deadline. Five agencies did not perform all mandatory procedures.

The implementation of AASB 1059 'Service Concession Arrangements: Grantors' had a significant impact on the Department of Communities and Justice's (the department) 2020–21 financial statements. The department applied a modified retrospective approach upon initial adoption at 1 July 2020 and recognised service concession assets and liabilities of $1.0 billion and $1.2 billion respectively (relating to three correctional centres with private sector operators).

The department was, this year for the first time, able to reliably measure Incurred But Not Reported (IBNR) claims relating to its Victims Support Scheme. The department recorded a liability of $200 million at 30 June 2021. Liabilities for Child Sexual Assault IBNR claim continue to be not recorded on the basis they are unable to be reliably measured.

The number of monetary misstatements identified during the audit of the financial statements for the cluster increased from 61 in 2019–20 to 72 in 2020–21.

What the key issues were

The number of issues reported to management decreased from 191 in 2019–20 to 172 in 2020–21. However, 45 per cent were repeat issues related to information technology, governance and oversight controls.

Seven high risk issues were identified in 2020–21, an increase of five compared to last year. High risk issues related to deficiencies in IT access controls at Sydney Cricket and Sports Ground Trust; a lack of a formal agreement between the Office of Sport and Planning Ministerial Corporation over the management of a sporting venue; asset revaluations at both Fire and Rescue NSW and the Trustees of the Anzac Memorial Building; and three issues related to revenue recognition control deficiencies at New South Wales Aboriginal Land Council and two of its subsidiaries.

What we recommended

Cluster agencies should ensure all applicable mandatory early close procedures are completed and the outcomes provided to the audit team in accordance with the deadlines set by NSW Treasury.

We recommend cluster agencies action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.

Fast facts

The Stronger Communities cluster, consisting of 28 agencies, aims to deliver community services that support a safe and just New South Wales.

  • $14.0b property, plant and equipment as at 30 June 2021 
  • $20.9b total expenditure incurred in 2020–21
  • 100% unqualified audit opinions were issued for all 30 June 2021 financial statements
  • 7 high risk management letter findings were identified
  • 72 monetary misstatements were reported in 2020–21
  • 45% of reported issues were repeat issues.

This report provides Parliament and other users of the Stronger Communities cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster (the cluster) for 2021.

Section highlights

  • Unqualified audit opinions were issued for all 30 June 2021 financial statements of cluster agencies including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office.
  • An 'Other Matter' paragraph was included within the Multicultural NSW and Office of the Ageing and Disability Commissioner’s Independent Auditor's Report. While the paragraph did not modify the audit opinion, it noted the agencies did not have a signed instrument of delegation from their responsible Minister(s) to incur expenditure for the 2020–21 financial year and therefore were non‑compliant with section 5.5 of the Government Sector Finance Act 2018 .
  • 11 of the 15 cluster agencies required to submit 2020–21 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. The agencies cited changes in key staff, delays in finalising actuarial and valuation work and the timing of Audit and Risk Committee meetings as the main reasons for not meeting the deadlines. Five agencies did not complete all mandatory procedures.
  • The Department of Communities and Justice (the department) was, for the first time, able to reliably measure and record a liability of $200 million at 30 June 2021 for Incurred But Not Reported (IBNR) claims relating to its Victims Support Scheme. Child Sexual Assault IBNR claim liabilities continue to be not recorded on the basis they are still unable to be reliably measured.
  • The International Financial Reporting Standards Interpretations Committee released an agenda decision on 'Configuration or customisation costs in a cloud computing arrangement' (the IFRIC agenda decision). The department treated the financial impacts of the IFRIC agenda decision as a change in accounting policy and retrospectively recorded prepaid assets and expenses of $52.3 million and $90.5 million respectively relating to intangible assets they had previously capitalised.
  • The implementation of AASB 1059 'Service Concession Arrangements: Grantors' had a significant impact on the department's 2020–21 financial statements. The department applied a modified retrospective approach upon initial adoption at 1 July 2020 and recognised service concession assets and liabilities of $1.0 billion and $1.2 billion respectively in relation to three correctional centres with private sector operators.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.

Section highlights

  • The number of issues reported to management has decreased from 191 in 2019–20 to 172 in 2020–21, and 45 per cent were repeat issues. Many repeat issues related to information technology, governance and oversight controls.
  • Seven high risk issues were identified in 2020–21, an increase of five compared to last year.
  • The two high risk issues identified in 2019–20 relating to New South Wales Institute of Sport were resolved.

Findings reported to management

The overall number of findings has decreased, but the level of repeat issues increased

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 172 findings raised across the cluster (191 in 2019–20). 45 per cent of all issues were repeat issues (32 per cent in 2019–20).

Repeat issues largely related to weaknesses in controls over information technology (IT), governance and oversight.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision‑making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

2020–21 audits identified seven high risk findings

High risk findings were reported at the following cluster agencies. Two high risk findings reported in 2019–20 were resolved.

Agency Description
2020–21 findings
Sydney Cricket and Sports Ground Trust (new finding) * The audit of Sydney Cricket and Sports Ground Trust's IT access controls identified:
  • activity (audit) logs of privileged access within iPOS (purchasing system) and Microsoft Dynamics (sales system) are not maintained and periodically reviewed by an independent officer
  • the review of privileged activity logs of booking system Event Business Management Software (EBMS) is not formally documented
  • 8 generic super user accounts are being shared across four IT systems including iPOS, Microsoft Dynamics, EBMS and SUN (accounting system).
The matter has been included as a high risk finding in the management letter as there is an increased risk of:
  • unauthorised transactions and changes to financial data
  • unauthorised users gaining access to financial systems
  • data breaches or financial loss.
Fire and Rescue NSW (new finding) Fire and Rescue NSW (FRNSW) completed a comprehensive revaluation of its fire appliances in 2020–21. The audit of the revaluation found there was inadequate analysis and quality control by management over the valuation process prior to the outcomes being included in the financial statements.
FRNSW had 57 fleet assets that have not been revalued due to problems with data supplied by the valuer. The written down value:
  • did not agree to the valuer's calculations for 28 assets
  • was provided by the valuer for 29 assets, but there were no supporting calculations.
These assets have been left at their previous book values of $3.0 million. The accounting standards require the entire class of assets to be revalued when a revaluation is performed.
The review also found:
  • inconsistent valuation of vehicles of the same make, model, age and specifications
  • errors had been made when the previous valuation was uploaded into the fixed asset register
  • the valuer incorrectly included additional equipment in the replacement cost estimate for vehicles that did not have that equipment.
The matter has been included as a high risk finding as it resulted in monetary misstatements and caused delays to the overall timeframes for the audit.
New South Wales Aboriginal Land Council (NSWALC) (new finding) The audit of NSWALC's revenue identified there was no formal assessment of relevant contracts for the nature, amount and timing of revenue recognition before preparing the financial statements.
This matter has been included as a high risk finding as it contributed to material monetary misstatements and disclosure deficiencies relating to revenue transactions.
NSWALC Employment and Training Limited (new finding) The audit of NSWALC Employment and Training Limited's revenue found:
  • there was no formal assessment of relevant contracts for the nature, amount and timing of revenue recognition before preparing the financial statements
  • the financial statements' preparation did not include updated accounting policies reflecting the requirements of AASB 15 'Revenue from Contracts with Customers' (AASB 15) and AASB 1058 'Income of Not-for-Profit Entities' (AASB 1058).
This matter has been included as a high risk finding as it contributed to material monetary misstatements and disclosure deficiencies relating to revenue transactions.
NSWALC Housing Limited (new finding) The audit of NSWALC Housing Limited's revenue identified it:
  • did not perform formal assessments of relevant contracts for the nature, amount and timing of revenue recognition before preparing the financial statements
  • deferred revenue recognition for funding received from NSWALC  (the parent entity). There are no sufficiently specific performance obligations in the funding letter, hence revenue should be recognised on receipt of the funding
  • recognised rental income from managing properties from the Aboriginal Housing Office (AHO) without considering the agreement, which requires remittance of profit to the AHO
  • the financial statements did not include updated accounting policies according to the requirements of AASB 15 and AASB 1058.
This matter has been included as a high risk finding as it contributed to material monetary misstatements and disclosure deficiencies relating to revenue transactions.
Office of Sport (new finding)

The Olympic Co-ordination Authority Dissolution Act 2002 transferred the assets, rights and liabilities relating to the Sydney International Regatta Centre (SIRC) to the Planning Ministerial Corporation (the Corporation) effective from 1 July 2002. The Corporation recognised the related land assets but did not recognise any of the built assets at the time of transfer. The total value of the land and built assets at 30 June 2021 was
$13.8 million and $11.2 million (written down value) respectively.

The SIRC has been managed by the Office of Sport (the Office) for many years in accordance with a not yet executed management agreement.

It appears there was a clear intention in 2005 that the control of SIRC built assets was to be transferred from the then Department of Planning to the then Department of Tourism, Sport and Recreation (a predecessor of the Office), through the exchange of letters between the relevant Ministers and an Administrative Order (the Order). The Order transferred the SIRC staff from the then Department of Planning to the then Department of Tourism, Sport and Recreation. However, it was silent on whether the relevant built assets were transferred.

Currently, the Office recognises the SIRC built assets in the financial statements whilst the Corporation recognises the land assets as the legal owner of the property.

This matter has been included as a high risk finding as the lack of a formal management agreement casts doubt over the accounting treatment of SIRC property.
The Trustees of the Anzac Memorial Building (new finding)

The audit of the Trustees of the Anzac Memorial Building's property, plant and equipment identified:

  • the fixed assets register for plant and equipment had not previously included sufficient detail about the individual assets to which costs related to reconcile it to the work performed by management's valuation expert
  • the financial statements did not meet the requirement of AASB 108 ‘Accounting Policies, Changes in Accounting Estimates and Errors’  to disclose the nature and reason why it corrected a prior period error of $778,000.

This matter has been included as a high risk finding as it contributed to material monetary misstatements and disclosure deficiencies relating to property, plant and equipment.
*         The finding related to the former Sydney Cricket and Sports Ground Trust (based on the completion audit for the period 1 March 2020 to 30 November 2020). This agency was dissolved and transferred to Venues NSW on 1 December 2020.
 

Recommendation (repeat issue)

We recommend cluster agencies action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.

The table below describes issues commonly identified across the cluster by category and risk rating.

Risk rating Issue
Information technology

High3
1 new

The financial audits identified weaknesses in information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues with:

  • user access administration
  • cyber security including governance arrangements, monitoring of third-party system access and patch management
  • password security and policy parameters
  • development, review and testing of disaster recovery plans.

Moderate2
8 new,
22 repeat
Low1
5 new,
6 repeat
Internal control deficiencies or improvements

High3
1 new

The financial audits identified internal control weaknesses across the following key business processes: 

  • expenditure, including the approval of purchase requisitions and review of open purchase orders
  • supplier and employee masterfile maintenance
  • segregation of duties.

Moderate2
6 new,
3 repeat

 Low1
23 new,
7 repeat
Financial reporting

High3
4 new

The financial audits identified weaknesses in financial reporting processes, including:

  • fully depreciated assets still in use, indicating the need to perform more frequent assessments of useful lives of assets
  • robustness of property, plant and equipment asset revaluations
  • incomplete or inaccurate recording of balances in the financial statements.

Moderate2
9 new,
1 repeat

Low1
11 new,
5 repeat
Governance and oversight
High3
1 new

The financial audits identified areas where agencies could strengthen governance and oversight processes, including:

  • review and update of policies and procedures
  • formalising existing key business arrangements
  • records management practices.
Moderate2
5 new,
11 repeat
Low1
12 new,
8 repeat
Non-compliance with key legislation and/or central agency policies
Moderate2
7 new,
6 repeat

The financial audits identified the need for agencies to improve their compliance with key legislation and/or central agency policies, including:

  • management of excessive annual leave balances
  • existence of and compliance with financial delegations
  • related party transactions disclosures from key management personnel.
Low1
2 new,
8 repeat
4 Extreme risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
3 High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
2 Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
1 Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based either on final management letters issued to agencies, or draft letters where findings have been agreed with management.

The number of moderate risk findings decreased from prior year

Seventy‑eight moderate risk findings were reported in 2020–21, representing a 22 per cent decrease from 2019–20. Of these, 43 were repeat findings, and 35 were new issues.

Moderate risk findings reported in 2020–21 include:

  • weaknesses in governance arrangements, including outdated policies and procedures and arrangements that do not align with NSW Government guidelines, such as the NSW Government Procurement Policy Framework and NSW Cyber Security Policy
  • weaknesses in user access administration including:
    • user access reviews
    • monitoring of privileged user access and activities
    • password policy configuration
  • cyber security improvements including:
    • implementation and update of governance arrangements
    • monitoring of third‑party system access
    • patch management improvement
  • outdated instruments of financial delegation and non‑compliance with established financial delegations
  • weaknesses in supplier and employee masterfile maintenance.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Published

Premier and Cabinet 2021

Premier and Cabinet
Whole of Government
Asset valuation
Financial reporting
Infrastructure
Internal controls and governance
Shared services and collaboration

This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.

The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.

Eight agencies did not complete all of the mandatory early close procedures.

What the key issues were

The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.

The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.

The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.

The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.

The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.

There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.

What we recommended

Investment NSW should ensure services received from other agencies are governed by service level agreements.

Fast facts

The Department of Premier and Cabinet supports the Premier and Cabinet to deliver the government's objectives, infrastructure, preparedness for disaster, incident recovery, arts and culture.

  • $11.9b of property, plant and equipment as at 30 June 2021
  • $4.4b total expenditure incurred in 2020-21
  • 100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements
  • 47 moderate risk findings were reported to management 
  • 38 monetary misstatements were reported in 2020-21
  • 32% of all reported issues were repeat issues.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.

Section highlights

  • Unqualified audit opinions were issued on all completed cluster agencies' 2020–21 financial statements.
  • Monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.
  • Thirteen agencies were exempt from financial reporting in 2020–21. 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Section highlights

  • The 2020–21 audits identified 47 moderate risk issues across the cluster. Sixteen of the moderate risk issues were repeat issues. Many repeat issues related to governance and oversight and information technology.
  • The number of moderate risk findings increased by 42 per cent in 2020–21.
  • The moderate risk issues included information technology improvements, lack of service level agreements, risk management, contract and procurement and asset management improvements.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Universities 2020 audits

Universities
Cyber security
Financial reporting
Internal controls and governance

What the report is about

Results of the financial statement audits of the public universities in NSW for the year ended 31 December 2020.

What we found

Unqualified audit opinions were issued for all ten universities.

Two universities reported retrospective corrections of prior period errors.

Universities were impacted by the COVID-19 pandemic with student enrolments decreasing in 2020 compared to 2019 by 10,032 (3.3 per cent). Of this decrease 8,310 students were from overseas.

In response to the pandemic, each university provided welfare support, created student hardship funds, provided accommodation and flexibility on payment of course fees. State and Commonwealth governments provided additional support to the sector.

Six universities recorded negative net operating results in 2020 (two in 2019). The combined revenues of the ten universities from fees and charges decreased by $361 million (5.8 per cent).

Despite the impact of the COVID-19 pandemic, which will continue to impact the financial results of universities in 2021, enrolments of overseas students in semester one of 2021 increased at two universities. This growth meant that total overseas student enrolments increased by 7,944 or 5.8 per cent across the sector as a whole. However, eight universities experienced decreases in overseas student enrolments compared to semester one of 2020. All universities have experienced growth in domestic student enrolments.

What the key issues were

There were 110 findings reported to universities in audit management letters.

Three high risk findings were identified. One related to the continued work by the University of New South Wales to assess its liability for underpayment of casual staff entitlements. The other two deficiencies were at Charles Sturt University, relating to financial reporting implications of major contracts, and resolving issues identified by an internal review of its employment contracts to reliably quantify the university’s liability to its employees.

What we recommended

Universities should prioritise actions to address repeat findings. Forty-five findings were repeated from 2019, of which 23 related to information technology.

Fast facts

There are ten public universities in NSW with 51 local controlled entities and 23 overseas controlled entities.

  • $10.9bn Total combined revenue in 2020, a decrease of $538.5 million (4.7 per cent) from 2019.
  • 106,984 Overseas student enrolments in 2020, a decrease of 8,310 students (7.2 per cent) from 2019.
  • 3 High risk management letter findings were identified.
  • $11.0bn Total combined expenditure in 2020, a decrease of $147.8 million (0.9 per cent) from 2019.
  • 182,683 Domestic student enrolments in 2020, a decrease of 1,722 students (0.9 per cent) from 2019.
  • 41% Of reported issues were repeat issues.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

This report analyses the results of our audits of the financial statements of the ten universities in NSW for the year ended 31 December 2020. The table below summarises our key observations.

1. Financial reporting

Financial reporting The 2020 financial statements of all ten universities received unmodified audit opinions.

Two universities reported retrospective corrections of prior period errors. The University of Sydney reported errors relating to the underpayment of staff entitlements and the fair value of buildings. Charles Sturt University reported an error relating to how it had calculated right‑of‑use assets and lease liabilities on initial application of the new leasing standard in the previous year.
Impacts of COVID‑19

Student enrolments decreased in 2020 compared to 2019 by 10,032 (3.3 per cent). Of this decrease, 8,310 students were from overseas.

The ongoing impact of COVID‑19 in the short‑term, on semester one enrolments for 2021 compared to semester one of 2020, has been mixed:

  • all universities in NSW experienced a growth in their domestic student enrolments
  • eight universities experienced decreases in overseas student enrolments.

During 2020, universities provided welfare support to students, created student hardship funds, provided accommodation, and flexibility on payment of course fees.

State and Commonwealth governments provided additional support to the sector:

  • those university controlled entities eligible to receive JobKeeper payments received a combined amount under the Commonwealth scheme totalling $47.6 million in 2020
  • the NSW Government launched a University Loan Guarantee scheme.
Financial results

Six universities recorded negative net operating results in 2020 (two in 2019). While most universities experienced decreased revenue in 2020, only four had reduced their expenses to a level that was less than revenue.
Revenue from operations

Universities' revenue streams were impacted in 2020 by the COVID‑19 pandemic, with fees and charges decreasing by $361 million (5.8 per cent).

Government grants as a proportion of total revenue increased for the first time in five years to 34 per cent in 2020.

Nearly 40 per cent of universities' total revenue from course fees in 2020 (40.9 per cent in 2019) came from overseas students from three countries: China, India and Nepal (same in 2019). Students from these countries of origin contributed $2.2 billion ($2.4 billion in 2019) in fees. Some universities continue to be dependent on revenues from students from these destinations and their results are more sensitive to fluctuations in demand as a result.
Other revenues

Overall philanthropic contributions to universities increased by 32.2 per cent in 2020 to $222 million ($167.9 million in 2019). The University of Sydney and the University of New South Wales attracted 75.2 per cent of the total philanthropic contributions in 2020 (69.5 per cent in 2019).

Total research income for universities was $1.4 billion in 20191, with the University of Sydney and the University of New South Wales attracting 66.5 per cent of the total research income of all universities in NSW (65.2 per cent in 2018).
Expenditure Universities initiated cost saving measures in response to the COVID‑19 pandemic. The cost of redundancy programs increased employee related expenses in 2020 by 4.4 per cent to $6.5 billion ($6.2 billion in 2019). The cost of redundancies offered in 2020 across the universities totalled $293.9 million. Combined other expenses decreased to $2.8 billion in 2020, a reduction of $436 million (13.4 per cent).

2. Internal controls and governance

Internal control findings One hundred and ten internal control deficiencies were identified in 2020 (108 in 2019). Forty‑five findings were repeated from 2019, of which 23 related to information technology.

Recommendation: Universities should prioritise actions to address repeat findings on internal control deficiencies in a timely manner. Risks associated with unmitigated control deficiencies may increase over time.

Three high risk internal control deficiencies were identified, namely:

  • The University of New South Wales should continue work to assess its liability for the underpayment of casual staff entitlements. This issue was also reported last year.
  • Two high risk deficiencies were identified at Charles Sturt University. One related to misunderstanding the requirements of the new accounting standard in relation to recognising grant funding revenue for construction work. The second related to resolving issues identified by an ongoing internal review of its employment contracts to enable a reliable quantification as to the university's liability to its employees.

Gaps in information technology (IT) controls comprised the majority of the remaining deficiencies. Deficiencies included a lack of sufficient privileged user access reviews and monitoring, payment files being held in editable formats and accessible by unauthorised persons, and password settings not aligning with the requirements of information security policies.
Business continuity and disaster recovery planning All universities have a business continuity policy supported with a business impact analysis.

Except for Macquarie University, all other universities had disaster recovery plans prepared for all of the IT systems that support critical business functions. Macquarie University’s disaster recovery plans were still in progress at 31 December 2020.

Only half of the universities' policies require regular testing of their business continuity plans and six universities' plans do not specify staff must capture, asses and report disruptive incidents.

3. Teaching and research

Graduate employment outcomes Eight out of ten universities were reported as having full‑time employment rates of their undergraduates in 2020 that were greater than the national average.

Six universities were reported as having full‑time employment rates of their postgraduates in 2020 that were greater than the national average.
Student enrolments by field of education Enrolments at universities in NSW decreased the most in Management and Commerce courses and Engineering and Related Technologies courses. The largest increase in enrolments was in Society and Culture courses.
Achieving diversity outcomes Five universities in 2019 were reported as meeting the target enrolment rate for students from low socio‑economic status (SES) backgrounds.

Seven universities were reported to have increased their enrolments of students from Aboriginal and Torres Strait Islander backgrounds in 2019. The target growth rate for increases in enrolments of Aboriginal and Torres Strait Islander students (to exceed the growth rate of enrolments of non‑indigenous students by at least 50 per cent) was achieved in 2019.
 1 2020 data, which is compiled by the Australian Department of Education and Training, is not yet available.

This report provides Parliament with the results of our financial audits of universities in NSW and their controlled entities in 2020, including our analysis, observations and recommendations in the following areas:

  • financial reporting
  • internal controls and governance
  • teaching and research.

Financial reporting is an important element of governance. Confidence and transparency in university sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations on the financial reporting of universities in NSW for 2020.

Financial results

The graph below shows the net results of individual universities for 2020.

Appropriate and robust internal controls help reduce risks associated with managing finances, compliance and administration of universities.

This chapter outlines the internal controls related observations and insights across universities in NSW for 2020, including overall trends in findings, level of risk and implications.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These along with the less significant matters are reported to universities for management to address.

Universities' primary objectives are teaching and research. They invest most of their resources to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and research outcomes for universities in NSW for 2020.

Appendix one – Status of 2019 recommendations

Appendix two – Universities' controlled entities

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE