Section highlights

• Unqualified audit opinions were issued for all cluster agencies required to prepare general-purpose financial statements.

• The total gross value of all corrected monetary misstatements for 2020–21 was $250.2 million, of which $226.0 million were related to complexities arising from the COVID-19 pandemic.

• A qualified audit opinion was issued on the Ministry's Annual Prudential Compliance Statement.

Section highlights

• The total number of internal control deficiencies has increased from 112 issues in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high (one in 2019–20) and 57 were moderate (47 in 2019–20); with nearly one half of all control deficiencies reported in 2020–21 being repeat issues.
• The complexities arising from accounting for agreements between governments to respond to the COVID-19 pandemic presented three new high risk audit findings with respect to the:
  • expected rate of recoverability of outstanding Hotel Quarantine fees
  • procurement, stocktaking and impairment of COVID-19 inventories
  • valuation and recognition of COVID-19 vaccines received from the Commonwealth Government.
• Management of excessive leave balances and poor quality or lack of documentation supporting key agreements were amongst the repeat issues observed again in the 2020–21 financial reporting period.

Section highlights

• Unqualified audit opinions were issued on all completed cluster agencies' 2020–21 financial statements.
• Monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.
• Thirteen agencies were exempt from financial reporting in 2020–21. 

Section highlights

• The 2020–21 audits identified 47 moderate risk issues across the cluster. Sixteen of the moderate risk issues were repeat issues. Many repeat issues related to governance and oversight and information technology.
• The number of moderate risk findings increased by 42 per cent in 2020–21.
• The moderate risk issues included information technology improvements, lack of service level agreements, risk management, contract and procurement and asset management improvements.

Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature.

The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified.

All agencies met statutory deadlines for submitting
financial statements. 

• Insurance and Care NSW
• New South Wales Government Telecommunications Authority
• Rental Bond Board
• Independent Commission Against Corruption
• NSW Treasury
• Crown Entity
• Department of Premier and Cabinet.

High risk findings include:

• Insurance and Care NSW (icare) allocates service costs to the Workers Compensation Nominal Insurer, and the other schemes it supports. The documentation supporting cost allocations does not demonstrate how these allocations reflect actual costs. There is a risk of the Workers Compensation Nominal Insurer being overcharged.
• New South Wales Government Telecommunications Authority's delay in capitalisation and valuation of material capital projects; and insufficient work performed to implement the new accounting standard AASB 16 ‘Leases’.
• NSW Treasury's four-year plan to transition RailCorp to a for-profit State Owned Corporation called Transport Asset Holding Entity of New South Wales (TAHE) by 1 July 2019, remains to be implemented. On 1 July 2020, RailCorp converted to TAHE. A large portion of the planned arrangements are still to be implemented. As at the time of the audit, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements were not finalised. In the absence of commercial arrangements with the public rail operators, there is a lack of evidence to demonstrate TAHE’s ability to create a commercial return in the long term. This matter has been included as a high risk finding in our management letter as there may be financial reporting implications to the State if TAHE does not generate a commercial return for its shareholders in line with the original intent. NSW Treasury and TAHE should ensure the commercial arrangements, operating model and SCI are finalised in 2020–21.

Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records.

GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:

• unqualified opinions on information technology and business process controls at Infosys and Unisys, but there was an increase in control deficiencies identified in the user access controls at these service providers
• a qualified opinion on DCS's information technology (IT) security monitoring controls because security tools were not implemented and monitored for the entire financial year. Responsibility for IT security monitoring transitioned from Unisys to DCS in 2019–20. These control deficiencies can increase the risk of fraud and inappropriate use of sensitive data.

These may impact on the ability of agencies to detect and respond to a cyber incident.

Recommendation:

We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority.

The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8.

Repeat recommendation:

Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency

Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements.

Recommendation:

icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs.

Section highlights

• Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. All agencies met the statutory deadlines for submitting their financial statements.
• The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified as a result of a payment made without a Treasurer's delegation.
• Agencies were impacted by emergency events during 2019–20. This included additional grants to fund specific deliverables.
• The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
• NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue in the financial statements. These misstatements were due to incorrect revenue calculations performed by the Transport agencies. The Crown Entity relies on information from Transport agencies as they are responsible for carrying out the State’s contractual obligations for Commonwealth funded transport projects. The extent of misstatements could have been reduced with more robust quality review processes in place by Treasury and Transport.

Section highlights

• The 2019–20 audits identified nine high risk and 122 moderate risk issues across the agencies. Of the 122 moderate risk issues, 44 (36 per cent) were repeat issues. The most common repeat issue relates to weaknesses in controls over information technology user access administration.
• Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by these emergency events for the financial year ended 30 June 2020.
• GovConnect NSW engaged an independent auditor (the service auditor) from the private sector to evaluate the internal controls of its service providers. DCS's information technology security monitoring controls were qualified by the service auditor because security tools were not implemented and monitored for the entire financial year. These may impact on the ability of agencies to detect and respond to a cyber incident.
• NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention.
• The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. The financial statements for these entities continued to be prepared on a going concern basis as their liabilities are not all due for settlement within the next 12 months.
• icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20, and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
• Machinery of Government (MoG) changes impacted the governance and business processes of affected agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG changes at Infrastructure NSW and in the Customer Service cluster.

Unqualified financial audit opinions

The financial statements of NSW Health and its 25 controlled entities received unqualified opinions.

The number of corrected and uncorrected misstatements increased from the prior year. Misstatements related predominantly to the implementation of new accounting standards, asset revaluations and accounting for new revenue streams to cover the cost of HSW Health’s response to the COVID-19 pandemic.

Qualified compliance audit opinion

We issued a qualified audit opinion for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19).

NSW Health received an additional $3.3 billion in funding to cover costs associated with its response to the COVID-19 pandemic.

The impacts of the COVID-19 pandemic on the cluster were significant for health entities and included changes to operations, increased revenues, expenditure, assets and liabilities. Cancellation of elective surgery and decreased emergency department presentations meant that despite the pandemic, activity levels at many health entities decreased. Health Pathology and HealthShare were notable exceptions.

In the period to the 30 June 2020, NSW Health reported that over 900,000 COVID-19 tests were conducted. Health Pathology conducted over 500,000 of these tests. Health Pathology's surge requirements were enhanced through arrangements with 13 private sector providers. HealthShare purchased $864.2 million of personal protective equipment.

Overall, NSW Health recorded an operating surplus of $3.1 billion in 2019–20, an increase of $2.0 billion from 2018–19. As in previous years, the surplus largely resulted from additional revenue received to fund capital projects including the construction of new facilities, upgrades and redevelopments. In 2019–20 additional Commonwealth and State funding for the purchase and stockpiling of personal protective equipment also contributed to the operating surplus.

We identified more internal control deficiencies in 2019–20. The number of repeat issues from prior years also remains high.

NSW Health addressed 18 out of the 25 information system control deficiencies during the year.

Several key agreements lacked formal documentation. This included agreements between the Ministry and health entities, between health entities and agencies in other clusters and between the Ministry and health departments in other jurisdictions.

• establish an operating model in line with the original intent of a commercial return
• finalise commercial agreements with the public rail operators
• confirm forecast financial information to assess valuation of TAHE infrastructure
• finalise asset and safety management plans.

Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base.

• agencies are fully aware of contractual and other obligations
• appropriate assessment of financial reporting implications
• ongoing assessments of accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities' and new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

Section highlights

• Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19.
• Unqualified audit opinions were issued on all Transport agencies' financial statements.
• Transport cluster agencies continued to experience challenges with accounting of land and infrastructure assets.

Section highlights

• While there was a decrease in findings on internal controls across the Transport cluster, 43 per cent of all issues were repeat issues. Many repeat issues related to information technology controls around user access management.
• RailCorp transitioned to TAHE on 1 July 2020. TAHE's operating model and commercial arrangements with public rail operators has not been finalised despite government original plans to be operating from 1 July 2019. TAHE management should finalise its operating model and commercial agreements with public rail operators as they may significantly impact the financial reporting arrangements for TAHE for 2020–21.
• Completeness and accuracy of contracts registers remains an ongoing issue for the Transport cluster.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

The NSW Government announced its intention to integrate Roads and Maritime Services (RMS) into Transport for NSW (TfNSW) as part of the Machinery of Government changes.

This change was not included in the Administrative Orders as the Transport Administration Act 1988 No. 109 governs the composition of the Transport cluster. The Transport Administration Amendment (RMS Dissolution) Act 2019 (the Act) received assent on 22 November 2019. The Act dissolves RMS and transfers the assets, rights and liabilities of RMS to TfNSW. As at the date of this Report, the Act is not yet in force.

Transport is considering the impact of the changes on its operating model and financial reporting.

Unqualified audit opinions were issued on the 2018–19 financial statements of all agencies in the Transport cluster.

TfNSW and Sydney Metro obtained a three-week extension from NSW Treasury to submit their financial statements for audit to resolve accounting issues surrounding the valuation of property, plant and equipment.

The Department of Transport reported total consolidated property, plant and equipment of $158 billion at 30 June 2019. In 2018–19, there were issues with asset valuations at TfNSW, RMS, Sydney Metro and Rail Corporation New South Wales (RailCorp), resulting in adjustments after the submission of financial statements for audit and the correction of a prior period error.

There was also a prior period error resulting from an agreement between TfNSW and the former UrbanGrowth Development Corporation due to a lack of assessment of the financial reporting implications at the time of signing the agreement.

Recommendation: Agency finance teams need to be consulted on major business decisions and commercial transactions to assess their accounting impacts at the time of their execution, rather than at the end of a financial year. Agencies also need to resolve all key accounting issues such as valuations as part of the early close procedures.

This would improve the quality of financial reporting and avoid the need for extensions for agencies to submit their financial statements for audit.

Whilst agencies complied with the requirements of the accounting standards and NSW Treasury policies on valuations, the Audit Office identified some deficiencies in relation to asset valuations across the cluster.

TfNSW reported a retrospective correction of a prior period error at 1 July 2017 which resulted in a reduction in the valuation of its Country Rail Network earthworks by $2.1 billion. This was due to survey results which identified the earthworks were flatter and lower than estimated in the valuation at 30 June 2017.

RMS made several adjustments during the year to correct asset values due to changes to valuation assumptions or data improvements. This included:

• reduction of $318 million in the value of land under roads
• decrease of $84.9 million to the value of land and buildings
• changes to the value of traffic control and traffic signal network assets, due to data improvements.

Sydney Metro North West officially opened in May 2019 and reported total assets of $9.1 billion. Sydney Metro derecognised $322 million in assets constructed to facilitate its operation but transferred to councils and utilities.

There was an inconsistency identified in the cluster relating to the valuation of substratum land. In 2018–19, RailCorp derecognised $109 million of substratum land to ensure consistency in its approach with other Transport agencies.

As the parent entity, the Department of Transport needs to ensure accounting policies are consistently applied across all controlled entities for consolidation purposes. Inconsistencies in the application of accounting standards across agencies will impact comparability of financial reporting and decision making across the Transport cluster.

Recommendation: The Department of Transport should ensure consistent accounting policies are applied across its controlled entities.

Public transport passenger revenue increased by $89.0 million (5.9 per cent) in 2018–19, and patronage increased by 37.8 million (4.9 per cent) across all modes of transport based on data provided by TfNSW.

The increase in revenue is mainly due to an increase in patronage as well as the annual increase in fares.

Negative balance Opal cards resulted in $2.9 million in revenue not collected in 2018–19 ($10.4 million since the introduction of Opal).

In January 2019, Transport made a change to the Sydney Airport stations to prevent customers with high negative balances exiting the station. In addition, in late 2018, Transport increased the minimum top up values for new cards at the airport stations.

Recommendation (repeat): TfNSW should implement further measures to prevent the loss of revenue from passengers tapping off with negative balance Opal cards.

Twenty-six per cent of Transport employees have annual leave balances exceeding 30 days. Of the employees with excess leave balances, 732 (10.3 per cent) did not take any annual leave in 2018–19.

Recommendation (repeat): Transport entities should further review the approach to managing excess annual leave in 2019–20. They should:

• monitor current and projected leave balances to the end of the financial year each month
• agree formal leave plans with employees to reduce leave balances over an acceptable timeframe
• ensure leave plans are actioned appropriately
• encourage all staff with excess leave balances take a minimum two-week period of leave per year.

There are no centralised processes to record all significant contracts and agreements in a register across the Transport cluster.

Across the Transport cluster, contracts and agreements are maintained by the individual agencies using disparate registers. Agencies must perform detailed assessments of their existing contracts and agreements to quantify the impact of the new accounting standards (AASB 16 ‘Leases’, AASB 15 ‘Revenue from Contracts with Customers’, AASB 1058 ‘Income of Not-for-Profit Entities’ and AASB 1059 'Service Concession Arrangements: Grantors').

In 2018–19, there was also a prior period error resulting from an agreement between TfNSW and another government agency due to a lack of assessment of the financial reporting implications at the time of signing the agreement.

A lack of a complete register of all contracts and agreements increases the risk that agencies may not be able to assess the full impact of the new accounting standards, as well as perform a complete assessment of the financial reporting implications of contracts and agreements.

Recommendation: Transport agencies should implement a process to centrally capture all significant contracts and agreements entered. This will ensure:

• agencies are fully aware of contractual and other obligations
• appropriate assessment of financial reporting implications
• assessment of new accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities ' and AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

The financial statements of NSW Health and its controlled entities received unqualified audit opinions before the legislative deadline.

The number of corrected and uncorrected misstatements decreased from the prior year.

Management implemented more robust processes for its oversight of complex asset revaluations in 2018–19. We found no significant errors in 2018–19.

Managing excess annual leave remains a challenge for NSW Health, 36.9 per cent of the workforce have excess annual leave balances.

Recommendation: Health entities should further review their approach to managing excess annual leave in 2019–20, and:

• monitor current and projected leave balances to the end of the financial year on a monthly basis
• agree formal leave plans with employees to reduce leave balances over an acceptable timeframe
• encourage staff who perform key control functions to take at least two consecutive weeks’ leave a year to mitigate fraud risks.

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

• out of date policies or an absence of policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers
• policies, procedures or controls no longer suited to the current organisational structure or business activities.

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

• user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
• an absence of privileged user activity reviews at 35 per cent of agencies
• password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

• ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
• establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
• providing on-going training, awareness activities and support to employees, not just at induction
• publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

• the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
• the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

• preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
• involving agency human resources units in decisions about engaging contingent labour
• regularly reporting on contingent labour use and tenure to agency executive teams
• strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

• identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
• assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.