Section highlights

• We identified nine high risk findings, compared to eight last year, with two findings repeated from last year. Six of the nine findings related to financial controls and three related to IT controls.
• The proportion of repeat deficiencies has increased from 44 per cent in 2019–20 to 50 per cent in 2020–21. The longer these weaknesses in internal control systems exist, the higher the risk that they may be exploited and consequential impact.

Section highlights

• We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration and privileged user access.
• Agencies are increasingly contracting out key IT services to third parties, however, weaknesses in IT service providers' controls can expose an agency to cyber security risks.

Section highlights

• Agencies' self‑assessed cyber maturity levels against the NSW Cyber Security Policy mandatory requirements are low and have not met their target levels. Forty per cent of agencies have not formally accepted the residual risk from gaps between their target and current maturity levels.
• Most agencies have conducted cyber awareness training to staff during 2020–21. Some have further enhanced this training through awareness exercises such as simulated phishing emails to test staff knowledge.
• Registers of security incidents and breaches are not consistent across agencies. Four agencies recorded nil breaches during 2020–21, however, their definition of incidents and breaches was not consistent with other agencies. For instance, they did not include account compromises or denial of service attacks. Only seven agencies' registers included details of actions taken to resolve issues.

Section highlights

• Most agencies have established conflicts of interest policies consistent with the mandatory requirements of the Code of Ethics and Conduct for NSW Government sector employees. Agencies' policies could be strengthened to apply the standard they apply to senior executives to all employees and contractors. Currently, only senior employees are required to make annual declarations of interests, yet the ability to make or influence decisions is delegated to others in the organisation.
• Half of agencies' policies specify units or divisions that are at higher risk of conflicts of interest arising due to the nature of their business. Policies should identify additional measures at the unit/division level to mitigate these risks.
• On average, less than 75 per cent of staff completed annual declarations of interest where required. This could be improved with ongoing staff training and awareness, and follow up on incomplete conflicts of interest.

Section highlights

• Most agencies have established policies or procedures on supplier masterfile management, however, only 56 per cent do for employee masterfile management.
• Less than half of agencies review user access rights to supplier or employee masterfiles which contain sensitive information and are susceptible to fraud. Access to edit the masterfiles should be limited to authorised personnel for whom it is required to perform their duties.

Section highlights

• Less than half of all agencies have a formal policy on monitoring recommendations from performance audits or public inquiries. Agencies should formalise and implement policies on tracking and monitoring the progress of those recommendations.
• 56 per cent of agencies maintain a register of recommendations from performance audits or public inquiries. Registers could be improved to include features such as risk/priority rating, milestone due dates, record of revisions to due dates and explanatory comments.
• Recommendations can take several years to address, with the oldest unactioned items we noted dating back to 2016. Agencies reported completion of a third of recommendations that were raised within the last year.

Section highlights

• Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
• An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
• The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
• The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
• Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Section highlights

• The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
• Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
• There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Section highlights

• Unqualified audit opinions were issued for all cluster agencies required to prepare general-purpose financial statements.

• The total gross value of all corrected monetary misstatements for 2020–21 was $250.2 million, of which $226.0 million were related to complexities arising from the COVID-19 pandemic.

• A qualified audit opinion was issued on the Ministry's Annual Prudential Compliance Statement.

Section highlights

• The total number of internal control deficiencies has increased from 112 issues in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high (one in 2019–20) and 57 were moderate (47 in 2019–20); with nearly one half of all control deficiencies reported in 2020–21 being repeat issues.
• The complexities arising from accounting for agreements between governments to respond to the COVID-19 pandemic presented three new high risk audit findings with respect to the:
  • expected rate of recoverability of outstanding Hotel Quarantine fees
  • procurement, stocktaking and impairment of COVID-19 inventories
  • valuation and recognition of COVID-19 vaccines received from the Commonwealth Government.
• Management of excessive leave balances and poor quality or lack of documentation supporting key agreements were amongst the repeat issues observed again in the 2020–21 financial reporting period.

Section highlights

• Unqualified audit opinions were issued on all completed cluster agencies' 2020–21 financial statements.
• Monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.
• Thirteen agencies were exempt from financial reporting in 2020–21. 

Section highlights

• The 2020–21 audits identified 47 moderate risk issues across the cluster. Sixteen of the moderate risk issues were repeat issues. Many repeat issues related to governance and oversight and information technology.
• The number of moderate risk findings increased by 42 per cent in 2020–21.
• The moderate risk issues included information technology improvements, lack of service level agreements, risk management, contract and procurement and asset management improvements.

Two universities reported retrospective corrections of prior period errors. The University of Sydney reported errors relating to the underpayment of staff entitlements and the fair value of buildings. Charles Sturt University reported an error relating to how it had calculated right‑of‑use assets and lease liabilities on initial application of the new leasing standard in the previous year.

Student enrolments decreased in 2020 compared to 2019 by 10,032 (3.3 per cent). Of this decrease, 8,310 students were from overseas.

The ongoing impact of COVID‑19 in the short‑term, on semester one enrolments for 2021 compared to semester one of 2020, has been mixed:

• all universities in NSW experienced a growth in their domestic student enrolments
• eight universities experienced decreases in overseas student enrolments.

During 2020, universities provided welfare support to students, created student hardship funds, provided accommodation, and flexibility on payment of course fees.

State and Commonwealth governments provided additional support to the sector:

• those university controlled entities eligible to receive JobKeeper payments received a combined amount under the Commonwealth scheme totalling $47.6 million in 2020
• the NSW Government launched a University Loan Guarantee scheme.

Six universities recorded negative net operating results in 2020 (two in 2019). While most universities experienced decreased revenue in 2020, only four had reduced their expenses to a level that was less than revenue.

Universities' revenue streams were impacted in 2020 by the COVID‑19 pandemic, with fees and charges decreasing by $361 million (5.8 per cent).

Government grants as a proportion of total revenue increased for the first time in five years to 34 per cent in 2020.

Nearly 40 per cent of universities' total revenue from course fees in 2020 (40.9 per cent in 2019) came from overseas students from three countries: China, India and Nepal (same in 2019). Students from these countries of origin contributed $2.2 billion ($2.4 billion in 2019) in fees. Some universities continue to be dependent on revenues from students from these destinations and their results are more sensitive to fluctuations in demand as a result.

Overall philanthropic contributions to universities increased by 32.2 per cent in 2020 to $222 million ($167.9 million in 2019). The University of Sydney and the University of New South Wales attracted 75.2 per cent of the total philanthropic contributions in 2020 (69.5 per cent in 2019).

Total research income for universities was $1.4 billion in 2019¹, with the University of Sydney and the University of New South Wales attracting 66.5 per cent of the total research income of all universities in NSW (65.2 per cent in 2018).

Recommendation: Universities should prioritise actions to address repeat findings on internal control deficiencies in a timely manner. Risks associated with unmitigated control deficiencies may increase over time.

Three high risk internal control deficiencies were identified, namely:

• The University of New South Wales should continue work to assess its liability for the underpayment of casual staff entitlements. This issue was also reported last year.
• Two high risk deficiencies were identified at Charles Sturt University. One related to misunderstanding the requirements of the new accounting standard in relation to recognising grant funding revenue for construction work. The second related to resolving issues identified by an ongoing internal review of its employment contracts to enable a reliable quantification as to the university's liability to its employees.

Gaps in information technology (IT) controls comprised the majority of the remaining deficiencies. Deficiencies included a lack of sufficient privileged user access reviews and monitoring, payment files being held in editable formats and accessible by unauthorised persons, and password settings not aligning with the requirements of information security policies.

Except for Macquarie University, all other universities had disaster recovery plans prepared for all of the IT systems that support critical business functions. Macquarie University’s disaster recovery plans were still in progress at 31 December 2020.

Only half of the universities' policies require regular testing of their business continuity plans and six universities' plans do not specify staff must capture, asses and report disruptive incidents.

Six universities were reported as having full‑time employment rates of their postgraduates in 2020 that were greater than the national average.

Seven universities were reported to have increased their enrolments of students from Aboriginal and Torres Strait Islander backgrounds in 2019. The target growth rate for increases in enrolments of Aboriginal and Torres Strait Islander students (to exceed the growth rate of enrolments of non‑indigenous students by at least 50 per cent) was achieved in 2019.

Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature.

The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified.

All agencies met statutory deadlines for submitting
financial statements. 

• Insurance and Care NSW
• New South Wales Government Telecommunications Authority
• Rental Bond Board
• Independent Commission Against Corruption
• NSW Treasury
• Crown Entity
• Department of Premier and Cabinet.

High risk findings include:

• Insurance and Care NSW (icare) allocates service costs to the Workers Compensation Nominal Insurer, and the other schemes it supports. The documentation supporting cost allocations does not demonstrate how these allocations reflect actual costs. There is a risk of the Workers Compensation Nominal Insurer being overcharged.
• New South Wales Government Telecommunications Authority's delay in capitalisation and valuation of material capital projects; and insufficient work performed to implement the new accounting standard AASB 16 ‘Leases’.
• NSW Treasury's four-year plan to transition RailCorp to a for-profit State Owned Corporation called Transport Asset Holding Entity of New South Wales (TAHE) by 1 July 2019, remains to be implemented. On 1 July 2020, RailCorp converted to TAHE. A large portion of the planned arrangements are still to be implemented. As at the time of the audit, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements were not finalised. In the absence of commercial arrangements with the public rail operators, there is a lack of evidence to demonstrate TAHE’s ability to create a commercial return in the long term. This matter has been included as a high risk finding in our management letter as there may be financial reporting implications to the State if TAHE does not generate a commercial return for its shareholders in line with the original intent. NSW Treasury and TAHE should ensure the commercial arrangements, operating model and SCI are finalised in 2020–21.

Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records.

GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:

• unqualified opinions on information technology and business process controls at Infosys and Unisys, but there was an increase in control deficiencies identified in the user access controls at these service providers
• a qualified opinion on DCS's information technology (IT) security monitoring controls because security tools were not implemented and monitored for the entire financial year. Responsibility for IT security monitoring transitioned from Unisys to DCS in 2019–20. These control deficiencies can increase the risk of fraud and inappropriate use of sensitive data.

These may impact on the ability of agencies to detect and respond to a cyber incident.

Recommendation:

We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority.

The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8.

Repeat recommendation:

Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency

Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements.

Recommendation:

icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs.

Section highlights

• Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. All agencies met the statutory deadlines for submitting their financial statements.
• The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified as a result of a payment made without a Treasurer's delegation.
• Agencies were impacted by emergency events during 2019–20. This included additional grants to fund specific deliverables.
• The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
• NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue in the financial statements. These misstatements were due to incorrect revenue calculations performed by the Transport agencies. The Crown Entity relies on information from Transport agencies as they are responsible for carrying out the State’s contractual obligations for Commonwealth funded transport projects. The extent of misstatements could have been reduced with more robust quality review processes in place by Treasury and Transport.

Section highlights

• The 2019–20 audits identified nine high risk and 122 moderate risk issues across the agencies. Of the 122 moderate risk issues, 44 (36 per cent) were repeat issues. The most common repeat issue relates to weaknesses in controls over information technology user access administration.
• Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by these emergency events for the financial year ended 30 June 2020.
• GovConnect NSW engaged an independent auditor (the service auditor) from the private sector to evaluate the internal controls of its service providers. DCS's information technology security monitoring controls were qualified by the service auditor because security tools were not implemented and monitored for the entire financial year. These may impact on the ability of agencies to detect and respond to a cyber incident.
• NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention.
• The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. The financial statements for these entities continued to be prepared on a going concern basis as their liabilities are not all due for settlement within the next 12 months.
• icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20, and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
• Machinery of Government (MoG) changes impacted the governance and business processes of affected agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG changes at Infrastructure NSW and in the Customer Service cluster.

There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions.

The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline.

Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations.

Recommendation (partially repeat):

Property NSW should:

• review and document the accounting implications for each lease
• ensure the accuracy and validity of lease data used for the lease calculations
• review user access to the leasing system, including privileged users.

Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW.

Recommendation:

The Department and cluster agencies should:

• quality assure and validate the information provided by Property NSW
• ensure changes made by Property NSW on lease data are supported and that assumptions and judgements applied are appropriate
• document their review of the data supplied.

In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land.

Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue.

During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations.

Recommendation:

The Department should:

• in consultation with NSW Treasury, develop an appropriate statutory reporting framework for CLMs
• ensure sufficient resources are available to help CLMs meet their reporting obligations.

During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements.

Six high‑risk issues were identified across the cluster in 2019–20:

• 5 of those were related to financial reporting issues identified in Property NSW, Wentworth Park Sporting Complex Land Manager, Lord Howe Island Board, Planning Ministerial Corporation and Hunter and Central Coast Development Corporation
• 1 issue was related to Lord Howe Island Board's outdated business continuity plan.

One in three internal control issues identified and reported to management in 2019–20 were repeat issues.

Recommendation:

Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues.

The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies.

With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues.

The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals.

Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel.

Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20.

Recommendation (repeat issue):

The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control.

Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies.

The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems.

The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2020 financial statements audits. Timeliness of financial reporting remains an issue for 13 agencies.
• Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Cluster agencies can also improve their management of lease information provided by Property NSW.
• The number of unprocessed Aboriginal land claims continued to increase. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations.

Section highlights

• Six high risk issues were identified during 2019–20 audits. One in three issues identified and reported to management in 2019–20 were repeat issues.
• The Department has fast tracked the assessment and determination of 101 projects as a part of the Planning System Acceleration Program.
• There continues to be significant deficiencies in Crown land records. The Department should ensure the Crown land database is complete and accurate.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

The 2019 financial statements of all ten NSW universities received unmodified audit opinions.

One controlled entity of the Western Sydney University received a qualified audit opinion.

Five NSW universities finalised their audited financial statements this year on or before the date they did last year.

New accounting standards, which changed how universities report income and treat operating leases, became effective from 1 January 2019.

Government grants as a proportion of the total income of NSW universities continued to decrease.

Fee revenue from overseas students continued to grow faster than fees from domestic students. Forty-one per cent of NSW universities' total student revenue came from overseas students from three countries.

Five NSW universities increased the proportion of revenue they receive from overseas students from a single country. Two universities sourced over 73 per cent of their total overseas student revenue from students from a single country of origin in 2019.

All six NSW universities with overseas controlled entities have devolved responsibility for governance and legislative compliance to their overseas controlled entities.

Recommendation (repeat issue): NSW universities should strengthen their governance arrangements to oversight their overseas controlled entities' legal and policy compliance functions.

The 2019 financial results for universities are reported as at 31 December. Consequently, the results for the 2019 year were unaffected by the impact of the COVID-19 pandemic.

NSW universities provided data on the COVID-19 impacted student enrolments for semester one 2020. Overall numbers of student enrolments were 5.8 per cent beneath projections. Overseas student enrolments were 13.8 per cent beneath expectations and domestic student enrolments were 2.4 per cent beneath expectations.

NSW universities are responding to the challenges presented by COVID-19 by moving course delivery online, expanding student support and introducing cost saving measures.

Our audits identified 108 internal control deficiencies in 2019 (99 in 2018).

Gaps in information technology (IT) controls comprised the majority of these deficiencies. Deficiencies included a lack of sufficient user access reviews, inadequate review and approval of change management processes, and issues with password settings.

We identified one high risk financial control deficiency at the University of New South Wales, which resulted in the University providing for a potential underpayment of casual staff salaries.

NSW universities continue to implement recommendations arising from 35 findings raised in previous years.

Five NSW universities still do not have formal processes to internally review and validate performance information published in their annual reports.

Recommendation (repeat issue): NSW universities should strengthen processes to review and validate published performance information.

Two universities have not yet implemented a cyber risk policy and three universities have not formally trained staff in cyber awareness.

Recommendation (repeat issue): NSW universities should strengthen cyber security frameworks and controls to protect sensitive data and prevent financial and reputational losses.

All universities have a procurement policy. Most universities have a documented procurement manual and contact management policy.

Recommendation: NSW universities should review their procurement and contract management policies and procedures to ensure that they are relevant and effective in reducing risk and improving purchasing outcomes.

Five universities in 2018 (five in 2017) met the target enrolment rate for students from low socio-economic status (SES) backgrounds.

Eight universities increased enrolments of students from Aboriginal and Torres Strait Islander backgrounds in 2018.