This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

What we found

Internal control trends

The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.

Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).

Information technology

We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.

Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.

Conflicts of interest

Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.

Masterfile management

Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.

Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.

Tracking recommendations

Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.

What we recommended

Agencies should:

• prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
• prioritise improvements to their cyber security and resilience as a matter of urgency
• formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.

This report analyses the results of our audits of the Regional NSW cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Regional NSW cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Regional NSW cluster (the cluster) agencies’ financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statement audits of cluster agencies. Four audits are ongoing.

The number of misstatements identified in the financial statements of cluster agencies decreased from 27 in 2019–20 to seven in 2020–21.

The Department corrected an understatement of $82.2 million in prepaid income related to the Bushfire Clean-up Program.

What the key issues were

Local Land Services (LLS) undertook a comprehensive revaluation of asset improvements on land reserves used for moving stock (travelling stock reserves).

The revaluation process identified that improvements on land reserves, with a value of $93.0 million, had not been previously recognised in the financial statements. LLS corrected this error by restating the 2019–20 comparative balances in its 2020–21 financial statements.

The Forestry Corporation of NSW revalued its biological assets that comprise approximately 225,000 hectares of softwood plantations and 34,000 hectares of hardwood forests. The current year valuation resulted in $71.4 million decrement in the total biological assets from $824.9 million in 2019–20 to $753.5 million in 2020–21.

The number of matters reported to management decreased from 36 in 2019–20 to 19 in 2020–21. Twelve moderate risk issues were identified and 47 per cent of reported issues were repeat issues.

What we recommended

Cluster agencies should prioritise and action recommendations to address internal control deficiencies.

This report provides Parliament and other users of the Regional NSW cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW cluster.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two - Early close procedures

Appendix three - Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

We issued unqualified audit opinions on the transport entities’ 30 June 2012 financial statements.

Some of the findings of the report include:

• government funding to the public transport operators totalled $4.4 billion in 2011-12 ($3.7 billion in 2010-11)

• passenger services revenue only covered 20 per cent of RailCorp's operating costs

• Transport for NSW has formalised a protocol to mitigate the risk of potential conflicts of interests

• At present, no sustainability framework exists for the transport agencies around environment and sustainability. Transport for NSW should complete its Environment and Sustainability Policy Framework by June 2013 and should publicly report its results annually

• Transport patronage continued to grow with 510 million journeys on train, bus and ferry services

• CityRail had two peak hour periods where only 36 per cent and 39 per cent of services were on time

• On-time running performance for Sydney Ferries was above the NSW 2021 plan target of 98.5 per cent for most routes in 2011-12

• Customer surveys by transport agencies no longer specifically address crowding on public transport. Transport for NSW should observe and report on crowding on all transport modes

• Over 2,500 transport staff, or 8.3 per cent of the workforce, have excessive leave balances. All transport entities should do more to reduce excessive annual leave balances to ensure they will comply with new targets set by the Premier.

The audits of the seven State owned electricity corporations resulted in unqualified audit opinions. The electricity corporations’ end-of-year financial reporting is sound and well established, he added. After tax profits rose to $1.2 billion, up from $1.1 billion in 2010-11 and contributions to Government rose to $1.4 billion, up from $1.2 billion in 2010-11. These figures exclude profits and special dividends from the 2010-11 electricity sale transactions.

A qualified audit opinion was issued on the Total State Sector Accounts for the year ended 30 June 2012. Qualified opinions have been issued every year for the past decade. The key issue contributing to past qualifications has been partially resolved, but new issues have arisen that impact the ability to confirm property, plant and equipment balances in 2011-12.

The following overview of audits from 2011 found agency restructures significantly impacted agency financial reporting processes, agencies are having difficulty establishing and enforcing compliance with their own policies and procedures, agencies experienced problems complying with regulations and providing adequate documentation to support their financial statements, the poor quality of some financial statements with 1,256 misstatements identified, 540 so significant they had to be corrected, deficiencies in information security exist across many agencies, computer system disaster recovery plans for financial systems not existing or outdated, do not align with agencies’ business recovery requirements, do not properly identify and assess critical systems and processes and testing is incomplete.