What the report is about

Results of the Treasury cluster agencies' financial statement audits for the year ended 30 June 2022.

The results of the audit of the NSW Government's consolidated Total State Sector Accounts (TSSA), which is prepared by NSW Treasury, are reported separately in our report on 'State Finances 2022'.

What we found

Unmodified audit opinions were issued on all 30 June 2022 general purpose financial statement audits.

Qualified audit opinions were issued on three of the 25 other engagements prepared by cluster agencies. These related to payments made from Special Deposit Accounts (SDA) that did not comply with the relevant legislation.

What the key issues were

Commercial agreements were signed between TAHE, the operators and Transport for NSW in June 2022, which reflected an expected rate of return of 2.5% on contributed equity. However, it remains critical that the government continue to provide sufficient funding to the operators so they can pay for access and use TAHE assets. These findings are reported in our report on 'State Finances 2022'.

Eight high-risk issues were raised in 2021–22, of which five relate to NSW Treasury.

A number of previously reported audit findings and recommendations with respect to icare continue to be ongoing issues. This includes the Workers Compensation Nominal Insurer continuing to hold less assets than the estimated present value of its future payment obligations, when measured in accordance with the accounting framework.

What we recommended

Our report on 'State Finances 2022' made several recommendations to improve NSW Treasury's processes.

In this report, we recommended icare should ensure:

• it has sufficient controls in place over claim payments, including an effective quality assurance program, to minimise claim payment errors
• that documentation to support PIAWE calculations is appropriately maintained, and that the minimum documentation requirements are set out in a policy.

This report provides Parliament and other users of the Treasury cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Results of the 2021–22 consolidated General Government Sector (GGS) and Total State Sector (TSS) financial statements audits.

What we found

The Independent Auditor’s Report on the 2021–22 GGS and TSS financial statements was modified with a limitation of scope and also contained an emphasis of matter.

The opinion in the TSS Independent Auditor’s Report was modified with a limitation of scope on certain balances consolidated in the TSS financial statements because the Catholic Metropolitan Cemeteries Trust (CMCT) denied access to its management, books and records for the purpose of conducting a financial audit.

The Independent Auditor’s Report also includes an emphasis of matter drawing attention to the significant uncertainties associated with the GGS’s equity investment in Transport Asset Holding Entity (TAHE). The significant uncertainty relates to key assumptions and estimates used to forecast a 2.5% return from GGS investments into TAHE that supports the accounting treatment as an equity injection, including:

• funding to support the Rail Operators to pay TAHE’s contracted and forecast access and licence fees up until 2045–46. The Rail Operators are dependent on funding from the GGS to pay access and licence fees. Forecast modelling notes a requirement of a further $10.2 billion in budget funding to pay TAHE to the end of the ten-year contract period in 2030–31, in addition to the $5.5 billion allocated in the forward estimates and up to $50.8 billion for the period 2032 to 2046
• a significant portion of the projected returns are earnt outside of the ten-year contract period and there is a risk that TAHE may not be able to recontract fees at levels consistent with current projections.

What we recommended

The report includes a number of recommendations including:

• continued monitoring that TAHE controls the reported assets ensuring the CMCT, Category 2 Statutory Land Managers (SLM) and Commons Trusts meet their statutory reporting obligations
• ensuring accounting and audit position papers are sufficiently consulted with key stakeholders and are concluded on a timely basis
• ensuring agencies support the timely conclusion of audits by bringing to the auditors' attention key Cabinet records and identifying references relating to accounting issues impacting the financial statements
• for Special Deposit Accounts (SDA) responsible managers should ensure amounts appropriated under any Act or law for payment into the account are appropriately recorded, ensuring payments from SDAs are allowable and made in accordance with Treasurer's delegations and standing authorisation.

Image

Pursuant to section 52A of the Government Sector Audit Act 1983 I am pleased to present my Auditor-General’s Report on State Finances 2022.

Once again this year has presented considerable challenges for the state sector and my Office as we collectively grapple with uncertainties related to COVID-19 and the disruption of emergency events impacting New South Wales. In addition, there were many recommendations arising from last year’s audit to be addressed.

While there is more to do to ensure good financial stewardship of the State, resolution of matters was helped by constructive engagement with the NSW Treasury at the most senior levels. Personally I wish to thank the Treasurer and Secretary for their commitment to instilling integrity in financial management systems and processes. The support Treasury provided for recent amendments to the Government Sector Audit Act 1983 to provide ‘follow the dollar’ powers and other changes recommended by the Public Accounts Committee quadrennial review of my Office is also acknowledged.

Finally I want to thank the teams that contributed to this year’s audit of the Total State Accounts for their diligence, professionalism and commitment. I am very proud of your work.

Margaret Crawford

Auditor-General for New South Wales

The Independent Auditor's Report was qualified and also included an emphasis of matter

The audit opinion on the State's 2021–22 financial statements was modified. The delayed signing of the NSW Total State Sector Accounts (TSSA) by NSW Treasury was in order to resolve significant accounting issues that were material to the TSSA. The key areas requiring significant audit effort included reviewing the State's accounting for TCorp Investment Management (IM) Funds and responding to the risks related to the Catholic Metropolitan Cemeteries Trust (CMCT) denying access to its management and books and records, which is detailed in this Report.

NSW Treasury aimed to sign the TSSA by 19 October 2022. This was delayed by nearly six weeks and the TSSA audit opinion was subsequently signed on the statutory deadline imposed on the Treasurer for tabling of the TSSA in the Legislative Assembly of 30 November 2022.

The Independent Auditor’s Report was modified due to a limitation of scope on the balances consolidated in the TSSA relating to the CMCT

The opinion in the Independent Auditor’s Report was modified with a limitation of scope due to the inability to access management, books and records of a controlled entity, the CMCT.

This year, NSW Treasury, after reconsidering all facts and the perspectives of the CMCT, reconfirmed that the CMCT is a controlled entity of the State for financial reporting purposes. This means CMCT is a GSF agency under the provisions of the Government Sector Finance Act 2018 (GSF Act). As such NSW Treasury is required by Australian Accounting Standards to consolidate the CMCT into the Total State Sector Accounts (TSSA). The value of assets and liabilities of CMCT consolidated into the TSSA is $310.3 million and $15.1 million, respectively, and the loss of CMCT consolidated into the TSSA for the year is $2.4 million.

To date, CMCT has not met its statutory obligations to prepare financial statements under the GSF Act and give them to the Auditor-General. CMCT has not submitted its financial statements to the Auditor-General for audit as required despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. The Secretary of the Department of Planning and Environment wrote to CMCT to request it work with, and offer full assistance to, the Auditor-General in the exercise of her duties.

NSW Treasury has met with and considered CMCT's perspectives. NSW Treasury’s position remains that CMCT is a controlled entity of the State for financial reporting purposes. Consequently, CMCT has not met its statutory obligations as a controlled entity to submit its financial statements for audit and provide access to its books and records. Therefore, the Audit Office was unable to obtain sufficient appropriate audit evidence about the carrying amount of assets and liabilities consolidated into the Total State Sector Accounts as at 30 June 2022 and of the amount of income and expenses for the year then ended. Accordingly a modified audit opinion was issued on the NSW Government's 2021–22 consolidated financial statements.

Section 3 of this report titled 'Limitation of Scope relating to CMCT' discusses this matter in further detail.

An emphasis of matter drawing attention to uncertainty relating to the General Government Sector's investment in the Transport Asset Holding Entity (TAHE) remains

The Independent Auditor’s Report also includes an emphasis of matter, drawing attention to the significant uncertainties associated with the General Government Sector's (GGS) equity investment in TAHE. The significant uncertainty relates to key assumptions used to forecast returns from investments into TAHE in order to support the recognition of the government's funding of TAHE as an equity injection.

At the time of signing the Independent Auditor's Report, there was significant uncertainty with regards to assumptions and estimates used to forecast a return from the GGS investment into TAHE, which supports the recognition of an equity injection. There is significant uncertainty relating to:

• the 2022–23 Budget committed $5.5 billion to fund TAHE's key customers, Sydney Trains and NSW Trains (the operators), to support their payment of access and licence fees agreed on 23 June 2022. However, this funding only extends out to the end of the forward estimates period in 2025–26, which falls short of the ten-year contractual periods to 2030–31 and the projected period to 2045–46 to achieve a 2.5% return from the government's equity investment. The government will need to fund the operators an additional $10.2 billion in Budget funding so that they can meet their contractual obligations to TAHE from 2026–27 to 2030–31, and a further projected funding of $50.8 billion from 2031 to 2046. This additional funding is not within the government's published Budget figures, leading to uncertainty on whether the government-funded operators can pay access and licence fees beyond the forward estimates period of 2025–26
• a significant portion of the projected returns are earnt outside the ten-year contract period (terminating 30 June 2031) and there is a risk that TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections. There is also a risk that funding for TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections.

The 'State Finances 2021' report made recommendations regarding the significant accounting issues relating to TAHE. The State's response to these recommendations are detailed in Section 4 of this report titled ‘Investment in the Transport Asset Holding Entity’. Other significant matters related to the TSSA audit are covered in Section 8 titled ‘Key audit findings’.

Other financial reporting matters

All government agencies were granted an extra week to submit financial statements for audit

A one-week extension provided agencies across the sector with additional time to resolve key accounting issues and submit financial statements for audit by 1 August 2022.

Further extensions were approved for the following seven agencies (ten in 2020–21):

• State Insurance Regulatory Authority (3 August 2022)
• Dams Safety NSW (8 August 2022)
• Jenolan Caves Reserve Trust (8 August 2022)
• Transport for NSW (8 August 2022)
• Department of Enterprise, Investment and Trade (22 August 2022)
• Transport Asset Holding Entity (22 August 2022)
• Department of Transport (26 August 2022).

Additional extensions provided agencies with more time to complete:

• asset valuations
• valuations of actuarially assessed liabilities.

An initial draft of the TSSA was provided to audit on 15 September 2022. This version was incomplete and excluded the impact of consolidating the State's TCorp IM funds under the correct Australian Accounting Standards. An additional three versions of the draft TSSA were provided to audit progressively to update the TCorp IM fund consolidated balances. The final complete version of the TSSA was submitted on 27 October 2022 which included all adjustments relating to the TCorp IM fund consolidation. Refer to section 8.1 for more details on the material restatements relating to the consolidation of the TCorp IM funds.

In 2021–22, agency financial statements presented for audit contained 20 errors exceeding $20 million (24 in 2020–21). The total value of these errors was $973 million, a decrease from the previous year ($6.6 billion in 2020–21).

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

The errors resulted from:

• incorrect application of Australian Accounting Standards and NSW Treasury policies
• incorrect judgements and assumptions when valuing non-current physical assets and liabilities.

NSW Treasury concluded CMCT is a controlled entity of the State

In response to our recommendation in the ‘State Finances 2021’ report, NSW Treasury reconfirmed that the Catholic Metropolitan Cemeteries Trust (CMCT) is a controlled entity of the State. The Audit Office accepted the position of NSW Treasury.

The reaffirmation of this position means CMCT is a GSF agency under the provisions of the Government Sector Finance Act 2018 (GSF Act). Section 7.6 of the GSF Act places an obligation on CMCT to prepare financial statements and give them to the Auditor-General. Further, section 34 of the Government Sector Audit Act 1983 (the GSA Act) requires the Auditor-General to furnish an audit report on these financial statements.

To date, CMCT has not met its statutory obligations to prepare financial statements under the GSF Act and give them to the Auditor-General. CMCT has not submitted their financial statements to the Auditor-General for audit despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. There was extensive correspondence between the Audit Office of NSW, CMCT, NSW Treasury and the Department of Planning and Environment in 2022 regarding this matter.

In addition, on 10 December 2021, the then Minister for Water, Property and Housing wrote to the Auditor-General requesting a financial and performance audit be performed pursuant to section 27B(3)(c) of the GSA Act. The audit would cover the financial affairs of CMCT, including whether funds have been used for the proper purpose. The Audit Office of New South Wales has written to CMCT on a number of occasions to request the provision of documentation and access to management in order to conduct the performance audit. CMCT has not provided the Audit Office of New South Wales access to its management, books and records for the purpose of the required performance audit.

NSW Treasury has met with and considered CMCT's perspectives. NSW Treasury’s position remains that CMCT is a controlled entity of the State for financial reporting purposes. Consequently, CMCT did not meet its statutory obligations as a controlled entity to submit its financial statements for audit and provide access to its books and records.

The TSSA audit opinion included a limitation of scope

The opinion in the TSSA Independent Auditor’s Report was modified with a limitation of scope due to an inability to access management and the books and records of CMCT. This limitation was appropriately disclosed in Note 1 'Statement of Significant Accounting Policies' of the TSSA. The Statement of Compliance signed by the Secretary of Treasury and the Treasurer on 29 November 2022 was also updated to acknowledge the disclosure in Note 1 regarding CMCT.

The Audit Office was unable to obtain sufficient appropriate audit evidence about the carrying amount of assets and liabilities consolidated into the Total State Sector Accounts as at 30 June 2022 and of the amount of income and expenses for the year then ended. Accordingly a modified audit opinion was issued on the NSW Government's 2021–22 consolidated financial statements.

The process of information sharing by NSW Treasury continues to require improvement

In last year’s ‘State Finances 2021’ report an extreme risk management letter finding was reported for NSW Treasury to ensure it significantly improve its processes so that all relevant information is identified and shared with the Audit Office to support material transactions and balances of the State.

A number of events reconfirmed that NSW Treasury needs to continue improving its process with respect to information sharing with the Audit Office. Notably, NSW Treasury’s finance team had not demonstrated that all available information (on their systems) was considered by them when assessing the State’s control over CMCT.

Critical information relating to CMCT was in the possession of NSW Treasury since late October 2021 but not considered when reconfirming their accounting position on the State's control of CMCT this year. A further reconfirmation of the State's control over CMCT was needed by NSW Treasury to ensure this information was considered in their accounting assessment.

The above demonstrates that more effective consultation is required by NSW Treasury with key stakeholders to ensure all information relevant to forming an accounting position relating to the TSSA is captured. This will ensure new information is not identified late in the audit process and NSW Treasury considers all information when concluding on the accounting position of the State.

Last year's report highlighted that NSW Government actions avoided a qualified opinion in 2020–21 relating to the General Government Sector's $2.4 billion cash contribution to Transport Asset Holding Entity (TAHE). These actions included the NSW Government agreeing to provide additional future funding to TAHE's key government customers Sydney Trains and NSW Trains (the operators) to support increases in access and licence fees to be paid to TAHE.

The additional funding by the government was necessary to demonstrate that a reasonable expectation of a sufficient rate of return would be earned on its equity invested in TAHE. Last year, there was no government policy on what the minimum return should be on investments in other public sector entities, so the long-term inflation rate was used as a benchmark. A recommendation was made in last year's State Finances report that NSW Treasury establish a policy on the minimum expected return from its investments.

On 6 September 2022, NSW Treasury finalised its policy relating to the government’s returns on equity investments. The application of this policy is limited to State Owned Corporations and similar to the Commonwealth framework for commercial businesses, which requires the expected return be at least equal to the long-term inflation rate.

The government's commitment to additional funding was conveyed last year through revised shareholder expectations being published in the 2021–22 'NSW Budget-Half yearly Review' on 16 December 2021, increasing the expected returns on equity from 1.5% to the expected long-term inflation rate of 2.5%. On 18 December 2021, Transport for NSW (TfNSW) and the operators entered into a Heads of Agreement (HoA). This formed the basis of negotiations to revise the pricing within the existing ten-year contracts and deliver upon the shareholders’ expected return of 2.5% on contributed equity to be earned over the estimated weighted average remaining useful lives of TAHE's assets.

Further information on last year's audit of the government’s investment in TAHE can be found in our 'State Finances 2021' report.

Ten-year commercial agreements were signed between TAHE, operators and TfNSW

Last year's State Finances report recommended that NSW Treasury facilitate revised commercial agreements to reflect the access and licence fees detailed in the HoA. As these agreements were not executed by 30 June 2021, last year's audit opinion of the Total State Sector Accounts (TSSA) included an Emphasis of Matter drawing attention to the uncertainty that existed at balance date as these agreements were not finalised.

On 23 June 2022, commercial agreements were signed between TAHE, the operators and Transport for NSW through a deed of variation. The revised access and licence fees for the ten-year period 2021–22 to 2030–31 was $16.6 billion, which is $520 million less than the HoA fees of $17.1 billion.

TAHE's main customers principally rely on government funding to pay access and licence fees

Whilst TAHE has agreed ten-year access and licence fees of $16.6 billion with its two main customers Sydney Trains and NSW Trains, these two operators significantly rely on government funding when making these payments to TAHE. At 30 June 2022, TAHE's expected return of 2.5% is contingent upon the GGS funding the operators to support their payment of access and licence fees that have been agreed with TAHE for the ten-year contracted period and for non-contracted periods from 2031–32 to 2045–46.

The 2022–23 NSW Budget has allocated $5.5 billion to fund the operators, to support their payment of access and licence fees. However, this funding extends to the end of the forward estimates period in 2025–26, which falls short of the ten-year contractual period to 2030–2031 and the projected period to 2045–46 to achieve the 2.5% return.

The government will need to fund the operators an additional $10.2 billion in budget funding to meet their contractual obligations to TAHE from 2026–27 to 2030–2031, and a further projected funding of $50.8 billion from 2032 to 2046. This is needed to ensure the government continues to demonstrate its expected return on investment of 2.5%. This additional funding is not within the government's published 2022–23 NSW Budget figures, leading to uncertainty on whether the government funded operators can pay access and licence fees beyond the forward estimate period of 2025–26.

Significant funding uncertainties remain

While the ten-year access and licence fee agreements were communicated to the NSW Government's Expenditure Review Committee, it is yet to be fully provided for in the government's budget figures. As TAHE's projections are highly dependent on the operators as its key customers, it remains critical that the government continue to provide sufficient funding to the operators so they can pay for access and use of TAHE assets. This means the significant funding uncertainties reported in last year's TSSA audit opinion remain for 2021–22.

The government has estimated $37.9 billion in returns (equivalent to 2.5% on contributed equity) is to be earned from its investment in TAHE over the period from 1 July 2022 to 30 June 2046. As previously reported, TAHE derives most of its revenue from access and licence fee agreements from the operators, who in turn are both funded by grants through TfNSW from the GGS. More than 95% of these returns are estimated to be earned outside of the ten-year contract period (terminating 30 June 2031).

There remains risk that:

• TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections
• future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
• TAHE will be unable to grow its non-government revenues.

This significant funding uncertainty was also reported in last year's TSSA audit opinion and will remain for 2021–22.

In 2021–22, TAHE and NSW Treasury prepared further modelling to support the Government's intent to earn a 2.5% return inclusive of recovering the holding (revaluation) loss of $20.3 billion on its investment in TAHE

Last year's State Finances report highlighted that NSW Treasury, with TAHE, should prepare robust projections and business plans to support the expected returns forecast beyond FY2031.

This year TAHE engaged an expert to help develop a model demonstrating the government's expected returns from its investment in TAHE. The model mathematically forecasts that returns of 2.5% will be achieved by 2046 and this will include recovery of the revaluation losses of $20.3 billion relating to 2020–21.

The current model includes some key assumptions:

• The main source of revenue is the access and licence fees expected from the two public rail operators (Sydney Trains and NSW Trains) contributing to more than 80% of TAHE's projected revenue. The rail operators are largely funded by the government when paying access and licence fees to TAHE.
• For the first ten years, the access and licence fees are based on the signed agreements between TAHE and the public rail operators.
• Beyond the ten-year contracted period, the model assumes existing contractual terms for access and licence fees will continue unchanged allowing for an annual rise for inflation (2.5% per annum), and increased fees to enable a 7.62% return for renewed assets.
• The capital expenditure included in the model is only the amounts approved by the Expenditure Review Committee (ERC) as part of the ten-year forecast. The model beyond ten years includes expected investment in renewed and replacement assets but excludes any forecasts relating to growth capex that is not approved by the ERC, and any related depreciation expenses for growth capex.

While management has developed a 35-year long term financial model to support the returns, we note this will need to be refined over the next few years. Furthermore, these are forecasted figures and we have not seen sufficient evidence of whether this reflects reality (that is, the achievement of dividends representing a return on equity) as it is still very early. Therefore, this will remain a high-risk matter until we have seen sufficient evidence of reality to the forecasted figures.

There is negative net impact on the budget after 2024–25 and this will grow in the future

There are some key points to highlight with this modelling and these are best conveyed with the graph below. This graph shows total cash injections made by the GGS since the government first announced the creation of TAHE as a for-profit entity in the 2015–16 NSW Budget. It also conveys the forecast returns from TAHE to the GGS and the level of funding operators will need from the GGS to pay TAHE's access and licence fees over the 30-year period. These cash flows are key inputs used in the modelling which calculates a 2.5% return from TAHE inclusive of recovering the holding (revaluation) loss of $20.3 billion.

The government continues to respond to the impact of the COVID-19 pandemic on New South Wales through its economic stimulus measures

The COVID-19 pandemic continued to significantly impact the State’s finances, reducing revenue and increasing expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health. In October 2021, the government announced through the 'COVID-19 Economic Recovery Strategy' an additional $2.8 billion in economic stimulus and response measures following the conclusion of the three-month lockdown due to the Delta COVID-19 outbreak. Measures included:

• $739 million in household and social support, including housing support for Aboriginal communities and survivors of domestic violence, and vouchers to thank parents for their efforts to support learning from home
• $500 million to consumers and businesses including expansion of the 'Dine & Discover' and 'Stay & Rediscover' voucher programs
• $495 million in education support addressing learning gaps for children and helping schools prepare for future learning disruptions
• $487 million in combined funding for tourism, events, sports, and recreation throughout New South Wales
• $130 million to fund mental health services for individuals whose mental health was impacted by the pandemic.

The 2021–22 financial year included $21.9 billion for pandemic response and economic stimulus measures. Of this, $17.9 billion was spent in 2021–22 while a further $1 billion of the budgeted amount from 2021–22 was carried forward into 2022–23. The graph below shows the total allocation and spend by cluster for 2022 compared to target spend.

There were 14 natural disaster declarations including four severe weather events in 2021–22

Natural disasters such as bushfires, storms, floods, and other adverse weather events can have a significant impact on the State's finances. Costs associated with natural disasters include direct response costs such as clean-up and recovery, temporary accommodation, and as well as financial assistance provided to impacted communities such as recovery and business support grants.

The NSW Government can make a natural disaster declaration allowing eligible individuals and communities from impacted Local Government Areas access to a range of special financial assistance measures.

In 2021–22, there were 14 natural disaster declarations announced comparable to 14 in the previous year. These natural disaster declarations largely related to storms and floods throughout the State. In 2021–22, there was a larger number of 'severe weather' events declared, with four in 2021–22 (nil in 2020–21).

Natural disaster expenses increased 143% to $1.4 billion in 2021–22, up from $569 million last year

Over 2021–22, the budgeted cost for declared natural disasters was $1.9 billion ($725 million in 2020–21). Actual expenditure by the State on disaster response increased by $815 million to $1.4 billion. The graph below shows the total allocation and spend by cluster for 2022 compared to their budget spend.

Deficit of $15.3 billion compared with a budgeted deficit of $8.6 billion

The outcomes of the government’s overall activity and policies are reflected in its net operating balance (budget result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 196 entities, generally provides goods and services funded centrally by the State.

In addition to the 196 entities within the General Government Sector, a further 85 government controlled businesses are included within the consolidated Total State Sector financial statements. These businesses generally provide goods and services, such as water, electricity and financial services for which consumers pay for directly, and form part of the PNFC (31) and PFC (54) sectors.

The budget result for the 2021–22 financial year was a deficit of $15.3 billion compared to an original forecast of a budget deficit of $8.6 billion.

Revenues increased $16.1 billion to $106.7 billion

The State’s total revenues increased $16.1 billion to $106.7 billion, an increase of 17.8% compared to the previous year. Total revenue growth in 2020–21 was 5.1%. The State's increase in revenue was mostly from $9.2 billion in grants and subsidies and $4.6 billion in taxation.

Taxation revenue increased by 13.3%

Taxation revenue increased by $4.6 billion, mainly due to the net of:

• $4.9 billion higher stamp duties collected from property sales driven by growth in property transaction volumes and prices during 2021–22. This was growth was experienced across residential and commercial property markets
• $296 million lower gambling and betting taxes compared to 2020–21. Decrease was primarily attributed to the ongoing effects of COVID-19 restrictions and venue closures within the first half of 2021–22.

Stamp duties of $16.6 billion remains the largest source of taxation revenue, $7.7 billion higher than payroll tax of $8.9 billion, the second-largest source of taxation revenue.

Assets grew by $53 billion to $571 billion

The State’s assets include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $53.2 billion or 10.3% to $571 billion. The increase was largely due to increases in the carrying value of land, buildings and infrastructure systems.

Valuing the State’s physical assets

State’s physical assets valued at $437 billion

The value of the State’s physical assets increased by $46.8 billion to $437 billion in 2021–22 ($724 million increase in 2020–21). The State’s physical assets include land and buildings ($198 billion), infrastructure systems ($221 billion), and plant and equipment ($18 billion).

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include assets reclassified to held for sale and other opening balance adjustments.

Appendix one – Prescribed entities

Appendix two – Legal opinions

Appendix three – TSS sectors and entities

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state-owned corporations and public financial corporations, for the year ended 30 June 2022.

What we found

Internal control trends

The proportion of control deficiencies identified as high-risk this year increased to 8.2% (5.9% in 2020–21). Sixteen of the 23 high-risk findings related to financial controls while seven related to IT controls.

Repeat findings of control deficiencies now represent 48% of all findings (47% in 2020–21).

Information technology

There continues to be a high number of deficiencies relating to IT general controls, particularly around user access reviews, which affected 56% of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy mandatory requirements are lower than target levels. Overall, maturity levels against the Australian Cyber Security Centre's Essential Eight controls have not improved since last year.

Management of cyber risks relating to third party IT service providers should be improved. IT service providers may pose risks to the agency if the provider's cyber security controls have weaknesses.

Consultants and contractors

Agencies risk over-reliance on the same consultants and contractors. A quarter of agencies have re-engaged the same contractor over the past five years.

Employment screening Twenty-four per cent of agencies have not complied with the employment screening requirements of the Government Sector Employment Act 2013 with regard to citizenship or residency. Screening and induction practices for non-permanent workers are often less stringent than for permanent employees. This can pose increased risks to an entity of not detecting applicants with false credentials or a history of corrupt conduct.

Contract management

Half of all agencies' procurement contract registers are incomplete, which is non-compliant with the Government Information (Public Access) Act 2009.

What we recommended

Agencies should:

• prioritise actions to address repeat control deficiencies
• prioritise improvements to their cyber security and resilience
• reinforce mandatory cyber training to all staff and improve completion rates
• ensure that contractor engagements that have been renewed over multiple years are periodically reassessed against the market.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year's controls and governance findings in more detail.

For consistency and comparability, we have adjusted the 2021 results to incorporate additional audit findings that were reported after the date of the 'Internal controls and governance 2021' report. Therefore, the 2021 figures will not necessarily align with those reported in our 2021 report.

This section also covers how agencies have complied with TD 21-04 during 2021–22.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' practices in engaging external experts, such as consultants and contractors.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' employment screening practices.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' contract management processes.

What the report is about

Result of the Regional NSW cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Regional NSW cluster agencies. Two audits are ongoing.

What the key issues were

The Department of Regional NSW (the department) and Local Land Services (LLS) accepted changes to their office leasing arrangements managed by Property NSW.

These changes resulted in the collective derecognition of $100.6 million of rights-of-use-assets and $110.4 million of lease liabilities.

In 2021–22, the cluster agencies continued to assist communities in their recovery from recent weather emergencies, including significant flooding in New South Wales.

The Northern Rivers Reconstruction Corporation was established in May 2022 to rebuild communities in the Lismore and Northern Rivers region impacted by floods.

The number of matters reported to management decreased from 36 in 2020–21 to 14 in 2021–22.

Five moderate risk issues were identified and 14% of reported issues were repeat issues.

One moderate risk issue was a repeat issue related to Local Land Services' annual fair value assessment of the asset improvements on land reserves used for moving stock.

This report provides Parliament and other users of the Regional NSW cluster financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

What the report is about

Result of Health cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for the financial statements for all Health cluster agencies.

The COVID-19 pandemic continued to increase the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2021–22 was $353.3 million, of which $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests (RATs).

A qualified audit opinion was issued on the Annual Prudential Compliance Statement related to five residential aged care facilities. There were 20 instances (19 in 2020–21) of non-compliance with the prudential responsibilities within the Aged Care Act 1997.

What the key issues were

The total number of matters we reported to management across the cluster decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised, four were high risk (three in 2020-21) and 37 were moderate risk (57 in 2020–21). Nearly half of all control deficiencies reported in 2021–22 were repeat issues.

Three unresolved high-risk issues were:

• COVID-19 inventories impairment – we continued to identify issues relating to management’s impairment model which relies on anticipated future consumption patterns. RATs had not been assessed for impairment.

• Asset capitalisation threshold – management has not reviewed the appropriateness of the asset capitalisation threshold since 2006.

• Forced-finalisation of HealthRoster time records – we continued to observe unapproved rosters being finalised by system administrators so payroll can be processed on time. 2.6 million time records were processed in this way in 2021–22.

What we recommended

• COVID-19 inventories impairment – ensure consumption patterns are supported by relevant data and plans.

• Assets capitalisation threshold – undertake further review of the appropriateness of applying a $10,000 threshold before capitalising expenditure on property, plant and equipment.

• Forced-finalisation of HealthRoster time records – develop a methodology to quantify the potential monetary value of unapproved rosters being finalised.

This report provides Parliament and other users of Health cluster (the cluster) agencies' financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting

• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Result of the Premier and Cabinet cluster financial statement audits for the year ended 30 June 2022. 

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The machinery of government changes within the Premier and Cabinet cluster resulted in the transfer of net assets of $1 billion from the Department of Premier and Cabinet.

The Department of Premier and Cabinet, Public Service Commission and Parliamentary Counsel's Office accepted changes to their office leasing arrangements managed by Property NSW. These changes resulted in the collective de-recognition of $167.3 million of right-of-use assets, $225.1 million in lease liabilities and recognition of $47.8 million of other gains/losses. 

What the key issues were

The number of issues we reported to management decreased. 

Forty per cent of issues were repeated from the prior year.

Four moderate risk issues were reported in the management letters for Department of Premier and Cabinet and New South Wales Electoral Commission. Three out of the four moderate risk issues were repeat issues. 

The repeat issues related to internal control deficiencies in agencies' including lack of updated procurement policies and procedures and information technology general controls.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Early close procedures

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

What we found

Internal control trends

The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.

Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).

Information technology

We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.

Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.

Conflicts of interest

Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.

Masterfile management

Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.

Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.

Tracking recommendations

Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.

What we recommended

Agencies should:

• prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
• prioritise improvements to their cyber security and resilience as a matter of urgency
• formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.

This report analyses the results of our audits of the Health cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Health cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Health cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for the financial statements of all Health cluster agencies.

The COVID-19 pandemic increased the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2020–21 was $250.2 million, of which $226.0 million were pandemic related.

A qualified audit opinion was issued on the Annual Prudential Compliance Statement. The basis of the qualification related to 19 instances (18 in 2018–19) of non-compliance relating to three of the 20 prudential requirements across five aged care facilities.

What the key issues were

The total number of matters we reported to management across the cluster increased from 112 in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high risk (one in 2019–20) and 57 were moderate risk (47 in 2019–20). Nearly one half of the issues were repeat issues.

The three new high-risk issues identified were:

Hotel Quarantine (HQ) fees

The absence of a tailored debt recovery strategy, data integrity issues and uncertainties around future HQ arrangements increased risks around the recoverability of HQ fees from travellers.

COVID-19 inventories

Data errors and anomalies in the impairment model and difficulties forecasting key factors impacting the management of Personal Protective Equipment (PPE) increased uncertainty associated with the valuation and impairment of COVID-19 inventories.

COVID-19 vaccines

The Commonwealth did not provide information about the cost of vaccines provided to NSW free of charge, which required the performance of internal valuations to reflect the consumption of vaccines in the financial statements.

What we recommended

Hotel Quarantine (HQ) fees

Develop a tailored assessment methodology to estimate recoverability of HQ fees and work with Revenue NSW to develop a tailored debt recovery strategy.

COVID-19 inventories

Review the current stocktaking and impairment methodology to incorporate validation of data key to the management of COVID-19 related PPE.

COVID-19 vaccines

Work with the Commonwealth to obtain primary price information on COVID-19 vaccines.

This report provides Parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making. This chapter outlines our observations and insights from our financial statement audits of agencies in the Health cluster.

Findings reported to management

The number of findings reported to management has increased, with 47.4 per cent of all issues being repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of cluster agencies. The Audit Office does this through our management letters, which include observations, implications, recommendations and risk ratings.

In 2020–21, there were 116 findings raised across the cluster (112 in 2019–20). 47.4 per cent of all issues were repeat issues (38.4 per cent in 2019–20).

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Complexities arising from the COVID-19 response

The 2020–21 audit identified three new high-risk findings

COVID-19 has presented the cluster with several new accounting challenges. New and evolving matters arose from changes to operating conditions, which characterised the 2020–21 financial reporting period. Issues with a high degree of estimation uncertainty will require ongoing attention as the strategies employed to deal with the COVID-19 pandemic evolve.

Expected rate of recovery of outstanding Hotel Quarantine invoices

The estimation of the amount likely to be recovered is complicated not only by the uncertainties that exist regarding the assumptions those estimations rely upon, but also the debt collection processes and strategies put into place to manage the accumulated debtors' balance. Debt collection is not administered by the cluster, but rather Revenue NSW. We observed an absence of a methodology to assess the likelihood of recovery. Instead, Sydney Local Health District was relying on Revenue NSW to develop and execute on a collection strategy. Sydney Local Health District was using the same approach to hotel quarantine debts as it did to other Health receivables. As the approach to managing international borders evolves over time, so too will the cluster's need to develop robust estimation models to assess the likely collectability of debtors. 

Procurement, management and impairment of COVID-19 inventories

$656.2 million of COVID-19 inventories were procured in 2020–21, with $220.2 million consumed; $558.7 million impaired and a further $217.1 million written off. Estimates of the degree to which inventories are expired, not fit for purpose or are faulty is often based on management judgement at all stages in the procurement cycle.

With respect to the stocktaking methodology applied, the following issues were identified:

• discrepancies noted in the stock bin listing provided for audit
• discrepancies in the recount sheet generated
• inconsistent application of the stocktake methodology
• inconsistent labelling of quarantined stock
• a lack of an approach for validating stock expiry dates, which is a key input to the impairment calculations.

Although management had developed processes and a methodology to count as well as to assess the level of inventory that was not fit for purpose, ongoing attention to the operating environment that emerges post pandemic will be important in assessing the degree to which existing COVID-19 inventories can be integrated into a ‘business as usual’ model going forward. Further refinement of the key elements of the stocktaking methodology will also be required to ensure that key inputs upon which management relies to calculate the year-end inventory impairment provision can be appropriately validated.

Valuation and recognition of COVID-19 vaccines received from the Commonwealth Government

The 2020–21 financial reporting period saw the Commonwealth acquire COVID-19 vaccines and provide these to state jurisdictions to dispense to their communities. The vaccines, although provided free of charge require recognition. However, Health entities were not responsible for acquiring the vaccines and data on the vaccines' cost was not shared by the Commonwealth. Management undertook a valuation using publicly available data to estimate the value to attribute to the vaccine inventory; developed new systems and leveraged existing pharmacy systems to track physical quantities received from the Commonwealth and ultimately distributed to NSW citizens. As the response to the pandemic evolves, larger quantities, and new lines of vaccine stock will be dealt with, and policy settings will need to adapt when patterns of distribution of those vaccines (e.g., timing of third booster shots) emerge. The Ministry of Health will need to ensure that the valuations applied to the prices of inventory distributed and held in stock are as accurate as possible. This can be done through further refinement of the existing valuation methodology, obtaining price information from the Commonwealth and engaging specialist pharmaceutical valuers.

Emerging trends

Recognition of provisions without sufficient support

Several NSW Health entities raised accruals and provisions in 2020–21, which did not have an appropriate basis for recognition. Liabilities can only be recognised where there is a present obligation to make a payment arising from a past event. A number of these errors remain uncorrected in the financial statements of those entities as they are not material, individually or in aggregate to the financial statements as a whole. Increased training and guidance are required to ensure that treatment within the cluster is consistent and reflects events that have occurred and give rise to obligations.

Treatment of Commonwealth funding

In the 2020–21 and 2019–20 financial reporting periods, we observed prior period errors arising from the treatment of Commonwealth funding. These errors related to recognising revenue under funding agreements entered into with the Commonwealth in the incorrect period. The conditions of these funding arrangements, the transactional information requiring validation and the circumstances when revenue should be recognised are not always clear and can be complex. Early and continuous engagement with the Commonwealth is required to ensure that revenue recognition principles are consistently applied across the cluster.

Key repeat issues

Management of excessive annual leave

NSW Treasury guidelines stipulate annual leave balances exceeding 30 days are considered excess annual leave balances. Managing excess annual leave balances has been reported as an issue for the cluster for more than five years, with the average percentage of employees with excessive leave balances over the last five years being 36.1 per cent (35.5 per cent over five years covering 2015–16 to 2019–20).

The operational demands required to manage the COVID-19 pandemic have presented new challenges for the cluster in trying to manage its excessive leave balances. 39.2 per cent of employees now have excess leave balances at 30 June 2021 (35.4 per cent at 30 June 2020).

The state's leave policy C2020-12 Managing Accrued Recreation Leave Balances requires agencies to manage excessive leave balances to 30 days or less to maintain their workforces physical and mental health.

Accurate time recording

Forced-finalisation of time records by system administrators within HealthRoster remains an issue and we continue to observe time records forced-finalised by system administrators so pay runs can be finalised on a timely basis. During 2020–21, a total of two million (2.2 million in 2019–20) time records were force approved, which represents 5.7 per cent of total time records (6.9 per cent in 2019–20).

Existence, completeness and accuracy of key agreements

Delivery of major capital projects

Health Infrastructure (a division of the Health Administration Corporation) is responsible for the delivery of major capital projects with a budgeted spend of more than $10.0 million. Health Infrastructure oversee the planning, design, procurement, and construction phases. Capital works in progress are recognised in the financial statements of the health entity that intends to use those assets upon completion. The health entities recognise both the capital work in progress and the revenue associated with the capital funding from the Ministry for the construction of the assets. Capital funding is currently agreed with health entities as part of the annual Service Agreement. The assumption that the health entities control the assets during their construction is consistent with Health Infrastructure's role as an agent for the health entity and the Ministry's policy directive PD2020-033 'Management and control of Health Administration Corporation owned Real Property'.

We continued to observe a lack of clarity regarding agreements between Health Infrastructure, the Ministry and the cluster agency that will eventually receive the completed asset. This can lead to confusion and uncertainty around the rights and obligations of each party to the transaction.

Cross border patient funding arrangements

When patients require medical care in a jurisdiction where they are not generally domiciled, there are arrangements in place to provide funding to support cross border patient treatments. We have previously observed that agreements between NSW and other jurisdictions have not been finalised, and this continues to be the case. In the case of Victoria, no agreement has been finalised for the past seven years.

We continue to note that the cluster has long outstanding receivables and payables with other states. The absence of formal agreements between the states hampers the settlement of the debts relating to the treatment of cross border patients. The following table shows the status of Cross Border Agreements between NSW and other jurisdictions:

Albury Base Hospital

Albury Base hospital is located on the border of NSW and Victoria and services residents of both states. Documentation supporting the extension of the expired Intergovernmental Agreement 2009–2017 between NSW and Victoria in relation to the integration of health services in Wodonga and Albury could not be located.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.