Refine search

Reports

21 March 2024

Published

Regulation insights

Environment

Finance

Health

Local Government

Planning

Whole of Government

Compliance

Cyber security

Internal controls and governance

Management and administration

Procurement

Regulation

Risk

What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

governance and accountability
processes and procedures
data and information management
support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

Read the PDF report

29 November 2023

Published

Regional NSW 2023

Industry

Environment

Planning

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What this report is about

Results of the Regional NSW financial statements audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed audits in the Regional NSW portfolio agencies.

The number of monetary misstatements identified in our audits increased from 28 in 2021–22 to 30 in 2022–23.

What the key issues were

Effective 1 July 2023, staff employed in the Northern Rivers Reconstruction Corporation Division of the Department of Regional NSW transferred to the NSW Reconstruction Authority Staff Agency.

The Regional NSW portfolio agencies were migrated into a new government wide enterprise resourcing planning system.

The total number of audit management letter findings across the portfolio of agencies decreased from 36 to 23.

A high risk matter was raised for the NSW Food Authority to improve the internal controls in the information technology environment including monitoring and managing privilege user access.

What we recommended

Local Land Services should prioritise completing all mandatory early close procedures.

Portfolio agencies should:

ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
prioritise and address internal control deficiencies identified in audit management letters.

This report provides Parliament and other users of the Regional NSW portfolio of agencies financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of the portfolio agencies. Two audits are ongoing.
The total number of errors (including corrected and uncorrected) in the financial statements increased compared to the prior year.
Portfolio agencies met the statutory deadline for submitting their 2022–23 early close financial statements and other mandatory procedures.
Portfolio agencies continue to provide financial assistance to communities affected by natural disasters.
A change to the NSW paid parental leave scheme, effective October 2023, created a new legal obligation that needed to be recognised by impacted government agencies. Impact to the agencies' financial statements were not material.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW portfolio.

Section highlights

The 2022–23 audits identified one high risk and nine moderate risk issues across the portfolio. Of these, one was a moderate risk repeat issue.
The total number of findings decreased from 36 to 23 which mainly related to deficiencies in internal controls.
The high risk matter relates to the monitoring and managing of privilege user access at NSW Food Authority.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

28 November 2023

Published

Stronger Communities 2023

Community Services

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

Shared services and collaboration

What this report is about

Results of the Stronger Communities financial statement audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed Stronger Communities portfolio agencies.

Machinery of government changes during the year returned the sports-related agencies to the Stronger Communities portfolio.

Resilience NSW was abolished on 16 December 2022 with most of its functions transferred to the newly created NSW Reconstruction Authority.

The Trustee for the First Australian Mortgage Acceptance Corporation (FANMAC) is a prescribed entity under the Government Sector Finance Regulation 2018. The Trustee should have presented the FANMAC's financial statements for audit after it became a GSF agency on 1 July 2020.

The number of monetary misstatements identified in our audits decreased from 42 in 2021–22 to 29 in 2022–23.

What the key issues were

In 2022–23, agencies in the portfolio recorded net revaluation uplifts to land and buildings totalling $643 million.

Out of home care and permanency support grant expenditure has increased by 27% since 2019–20. An upcoming performance audit report will focus on the timeliness and quality of the child protection services provided by the department and its non-government service providers.

A high-risk matter was raised for the department over segregation of duties deficiencies in the Justice Link system.

Four high-risk matters reported in 2021–22 have been resolved.

Thirty-three agencies were onboarded into a new government-wide enterprise resource planning system. Additional agencies will be onboarded in three tranches from April 2024 through to October 2024.

What we recommended

Portfolio agencies should:

ensure any changes to employee entitlements are assessed for their financial statement impact under the relevant Australian Accounting Standards
prioritise and address internal control deficiencies identified in our management letters.

This report provides Parliament and other users of the Stronger Communities portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of portfolio agencies, including the audit of the Crown Solicitor's Office's Trust Account for compliance with clause 14 of the Legal Profession Uniform Law Application Regulation 2015.
The financial statement audits of the NSW Trustee and Guardian Common Funds (the common funds) – year ended 30 June 2022 were certified by management on 6 December 2022 and independent auditor's reports issued 21 December 2022. The 30 June 2023 financial statements audits of the common funds are ongoing.
A variation to an agreement between the Commonwealth Attorney-General and the Legal Aid Commission of New South Wales for legal services to support the Royal Commission into Violence, Neglect and Exploitation of people with disability program extended the reporting period from 30 June 2023 to 29 September 2023 – the conclusion of the Royal Commission. The audit of the financial report acquitting expenditure under the agreement is expected to be completed before 28 February 2024.
The audit of the Home Purchase Assistance Fund's (the fund) 30 June 2022 financial statements remains incomplete. Those charged with governance of the fund have not provided sufficient and appropriate evidence to support the carrying value of material investments reported in the fund's financial statements. The financial audit of the fund's 2023 financial statements remain incomplete as a result.
The Trustee for the First Australian Mortgage Acceptance Corporation Master and Pooled Super Trusts had not prepared general purpose financial statements since 30 June 2021 when the financial reporting provisions of the Government Finance Sector Act 2018 were enacted and the Trustee was prescribed as a GSF agency under the regulations. The audits of these financial statements are ongoing.
Reported corrected misstatements decreased from 28 in 2021–22 to six with a gross value of $8.8 million in 2022–23 ($277 million in 2021–22).
Portfolio agencies met the statutory deadline for submitting their 2022–23 early close financial statements and other mandatory procedures.
In 2022–23, portfolio agencies collectively recorded net revaluation uplifts to the carrying values of land and buildings totalling $643 million (2021–22: $993 million) initiated through a combination of comprehensive and desktop valuations.
The Department of Communities and Justice (the department) had previously deferred performing a comprehensive revaluation of its land and building portfolio relating to the Corrective Services and Youth Justice functions. The deferral was due to the challenges in providing valuers sufficient access to the facilities due to the pandemic. The department is scheduled to perform a comprehensive revaluation of its full land and building portfolio in 2023–24.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities portfolio.

Section highlights

The number of findings reported to management has decreased from 142 in 2021–22, to 71 in 2022–23, and 35% were repeat issues (36% in 2021–22). Repeat issues related to non-compliance with key legislation and/or agency policies, information technology and internal control deficiencies.
A long-standing issue about segregation of duties over the JusticeLink system managed by the department has been elevated from moderate to high risk.
Four out of six high-risk issues reported in the prior year have been addressed.
Of the 15 newly identified moderate risk issues, 11 related to information technology and internal control deficiencies.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

28 November 2023

Published

Education 2023

Education

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Procurement

Project management

Risk

What this report is about

Results of the Education portfolio of agencies’ financial statements audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued for all Education portfolio agencies.

An ‘other matter’ paragraph was included in the TAFE Commission’s independent auditor’s report as it did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure on grants from other portfolio agencies.

What the key issues were

Comprehensive valuations of buildings at the Department of Education (the department) and at the TAFE Commission found that certain assumptions applied in previous years needed to be updated, resulting in prior period restatements.

The department prepaid a building contractor for early works on a project and some of the prepayment is in legal dispute.

The department duplicated a claim for project funding from Restart NSW in 2021.

New parental leave legislation increased employee liabilities for portfolio agencies. The department and the NSW Education Standards Authority (the Authority) updated their financial statements to record parental leave liabilities.

A high risk matter was raised for the Authority to improve the quality and timeliness of information to support their financial statement close process.

What we recommended

Portfolio agencies should ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards.

The department should:

improve processes to ensure project claims are not duplicated
assess the risks associated with providing prepayments to contractors.

This report provides Parliament and other users of the Education portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education portfolio (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all the portfolio agencies 2022–23 financial statements.
An ‘other matter’ paragraph was included in the independent auditor’s report for the Technical and Further Education Commission (the TAFE Commission) as it did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure on grants from other portfolio agencies.
Comprehensive valuations of buildings in the current year identified that certain assumptions applied in previous years were incorrect. The effects of these corrections are disclosed as prior period errors in the financial statements of the Department of Education (the department) and the TAFE Commission.
The department made corrections to its financial statements to reflect increases to NSW teachers’ wages announced post balance date. This impacted amounts recorded as liabilities for a range of employee benefits and entitlements totalling $225.4 million, of which $147.9 million is accepted by the Crown and $77.5 million is borne by the department.
A change to the NSW paid parental leave scheme, effective October 2022, created a new legal obligation that needed to be recognised by impacted government agencies. Of the three affected portfolio agencies, only the department and the NSW Education Standards Authority recognised a liability to account for this change. The aggregated unrecorded liabilities of other agencies in the portfolio totalled $2.4 million. The errors within the individual agencies’ financial statements were not material.
The total number of errors (including corrected and uncorrected) in the financial statements increased compared to the prior year.
The NSW Childcare and Economic Opportunity Fund should prepare financial statements unless NSW Treasury releases a Treasurer’s Direction under section 7.8 of the GSF Act that will exempt the SDA from financial reporting requirements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Education portfolio.

Section highlights

The 2022–23 audits identified one high risk and 20 moderate risk issues across the portfolio. Of these, one was a high risk repeat issue and four were moderate risk repeat issues.
The total number of findings increased from 29 to 36, which mainly related to deficiencies in financial reporting, information technology, payroll and purchasing controls.
The high risk matter relates to the lack of quality and timely information to support the financial statement close process at the NSW Education Standards Authority.

Appendix one – Early close procedures

Appendix two – Financial data

13 December 2022

Published

Stronger Communities 2022

Justice

Community Services

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

Risk

What the report is about

Results of the Stronger Communities cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits. One audit is ongoing.

All 13 cluster agencies that have accommodation arrangements with Property NSW derecognised right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.

The Department of Communities and Justice (the department) assumed the responsibility for delivery of the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project, which remains ongoing.

The number of monetary misstatements identified during the audits decreased from 50 in 2020–21 to 48 in 2021–22.

What the key issues were

Six of the 15 cluster agencies required to submit 2021–22 mandatory early close procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.

Five high-risk findings were identified in 2021–22. They related to deficiencies in:

user access administration at the department, NSW Rural Fire Service and New South Wales Aboriginal Land Council (NSWALC)
segregation of duties at the NSW Trustee and Guardian and NSWALC.

Recommendations were made to those agencies to address these control deficiencies.

This report provides Parliament and other users of the Stronger Communities cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits of cluster agencies, including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office. One audit is ongoing.
Reported corrected misstatements decreased from 30 in 2020–21 to 23 with a gross value of $187 million in 2021–22 ($101 million in 2020–21). Reported uncorrected misstatements increased from 20 in 2020–21 to 25 with a gross value of $92.3 million in 2021–22 ($107 million in 2020–21).
Six of the 15 cluster agencies required to submit 2021–22 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.
All 13 cluster agencies that have accommodation arrangements with Property NSW accepted the changes in the Client Acceptance Letters, resulting in the derecognition of right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.
The Department of Communities and Justice (the department) assumed the responsibility to deliver the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project.
In 2021–22, the department continued to implement the International Financial Reporting Standards Interpretations Committee's agenda decision on 'Configuration or customisation costs in a cloud computing arrangement'. The department's review of the remaining arrangements, with a net book value of $233 million at 30 June 2021, resulted in the recognition as an expense (through accumulated funds at 1 July 2020) of previously capitalised intangible assets totalling $106 million.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.

Section highlights

The number of issues reported to management has decreased from 130 in 2020–21, to 110 in 2021–22, and 43% were repeat issues (51% in 2020–21). Many repeat issues related to information technology, governance and oversight controls, and non-compliance with key legislation and/or agency policies.
Five high-risk issues were identified in 2021–22, all of which are repeat issues and related to user access administration and segregation of duties.
Of the 24 newly identified moderate risk issues, 11 related to information technology. The rest related to governance and oversight controls and internal control deficiencies or improvements in payroll, asset management and other processes.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

6 December 2022

Published

Education 2022

Education

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Procurement

Risk

What the report is about

Result of the Education cluster financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Education cluster agencies.

An 'other matter' paragraph was included in the TAFE Commission's independent auditor's report as it did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure from cluster grants.

What the key issues were

Annual fair value assessments of land and buildings showed material differences in their carrying values. As a result, the Department of Education and the TAFE Commission completed desktop revaluations of land and buildings, collectively increasing the value of these assets by $1.2 billion and $4.7 billion respectively.

The Department of Education and the NSW Education Standards Authority accepted changes to their office leasing arrangements managed by Property NSW. These changes resulted in the collective derecognition of $270.6 million of right-of-use assets and $382.9 million in lease liabilities.

What we recommended

A high-risk matter was reported in the management letter for the TAFE Commission highlighting non-compliance with policies and procedures guiding appropriate use of purchasing cards.

We recommended cluster agencies prioritise and address internal control deficiencies.

This report provides Parliament and other users of the Education cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies.
An 'other matter' paragraph was included in the independent auditor's report for the Technical and Further Education Commission (TAFE Commission) as they did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure from cluster grants.
The Department of Education and the TAFE Commission's land and buildings were revalued upwards by a collective $5.9 billion. These uplifts were the result of managerial fair value assessments showing that the carrying values of land and buildings had materially departed from fair value.
Changes to accommodation arrangements managed by Property NSW on behalf of the department and the NSW Education Standards Authority resulted in the collective derecognition of approximately $270.6 million in right-of-use assets and corresponding lease liabilities totalling $382.9 million from the balance sheets of these agencies.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster.

Section highlights

The 2021–22 audits identified 18 moderate issues across the cluster. Seven moderate risk issues were repeat issues related to general and application information technology controls and control deficiencies in key transactional systems used in preparing financial statements.
Of the 11 newly identified moderate risk issues, five related to information technology controls deficiencies; and five related to internal control deficiencies in key transactional systems used in preparing financial statements.
A high-risk matter was raised at the TAFE Commission relating to identified instances of non-compliance with policies and procedures guiding purchasing card use.

The number of findings reported to management has increased, and 31% were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2021–22, there were 29 findings raised across the cluster (28 in 2020–21). Thirty-one per cent of all issues were repeat issues (50% in 2020–21).

The most common new and repeat issues related to internal control deficiencies in agencies’ information technology general controls, application controls, and procurement and payroll practices.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

A high-risk matter was reported at the TAFE Commission highlighting instances of non-compliance with policies and procedures guiding appropriate purchasing card use

As part of our audit of the TAFE Commission, we integrated the use of data analytics into the audit approach. We performed data analytics over aspects of payroll, procurement and accounts payable activities. This helped us to highlight anomalies or risks in those data sets that are relevant to the audit of the TAFE Commission and plan testing procedures to address those risks. Data analytics also assisted us in providing an insight into the internal control environment of the TAFE Commission, highlighting areas where key controls are not in place or are not operating as management intended.

Our analysis over purchasing card data supplied by the TAFE Commission for the period July 2021 to March 2022 found deficiencies in the provisioning, use and cancellation of purchasing cards. This included identified instances of:

controls effectively bypassed when a purchasing card surrendered by a former employee had been used by another employee
split payments, circumventing delegation / cardholder limits
delays in the submission and approval of purchasing card transactions.

The table below describes the common issues identified across the cluster by category and risk rating:

Risk rating

Issue

Information technology

High: 0 new, 0 repeat ¹

Moderate: 5 new, 3 repeat ²

Low: 2 new, 1 repeat ³

The financial audits identified areas for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of note were deficiencies identified in:

agencies' user access administration and change management procedures, notably in the timing and frequency of managerial reviews over the granting and revocation of access to key systems relevant to financial reporting
the level of cyber security maturity
the monitoring of privileged user activities.

Internal control deficiencies or improvements

High: 1 new, 0 repeat ¹

Moderate: 5 new, 3 repeat ²

Low: 4 new, 1 repeat ³

The financial audits identified internal control weaknesses across key business processes relevant to financial reporting. Of note were deficiencies identified in:

the adequacy of monitoring and oversight activities over the use of multiple financial delegation configurations in finance systems for specific users
the timely recording and approval of overtime claims and higher duties allowances
the timely finalisation of policies and procedures
the management of excessive annual leave balances
formalisation of service-provider arrangements between government agencies
non-compliance with policies and procedures to guide secondary employment and pecuniary interest declarations
non-compliance with policies and procedures to guide the appropriate use of purchasing cards.

Financial reporting

High: 0 new, 0 repeat ¹

Moderate: 1 new, 1 repeat ²

Low: 2 new, 0 repeat ³

The financial audits identified:

opportunities for agencies to strengthen their financial preparation processes to facilitate a timelier and more efficient year-end audit
matters in respect of the timely capitalisation of work-in-progress
the need for agencies with non-financial assets subject to fair value to reconsider policy settings governing the frequency of revaluations
refinements in considering the outcomes of interim fair value assessments to ensure asset carrying values reflect fair value at each balance date.

¹ High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
² Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
³ Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

Note: Management letter findings are based either on final management letters issued to agencies, or draft letters where findings have been agreed with management.

Recommendation

We recommend cluster agencies prioritise and action recommendations to address the internal control deficiencies outlined above.

Appendix one – Early close procedures

30 June 2022

Published

Audit Insights 2018-2022

Community Services

Education

Environment

Finance

Health

Industry

Justice

Local Government

Premier and Cabinet

Planning

Transport

Treasury

Universities

Whole of Government

Asset valuation

Cross-agency collaboration

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Regulation

Risk

Service delivery

Shared services and collaboration

Workforce and capability

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

Integrity and transparency
Performance and monitoring
Governance and oversight
Cyber security and data
System planning for disruption
Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

Fast facts

72 audits included in the Audit Insights 2018–2022 analysis
4 years of audits tabled by the Auditor-General for New South Wales
6 key themes for Audit Insights 2018–2022.

picture of Margaret Crawford Auditor-General for New South Wales in black dress with city skyline as background I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

Integrity and transparency	Performance and monitoring	Governance and oversight	Cyber security and data	System planning	Resource management
Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption.	Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds.	The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work.	Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.	Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination.	Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest.
Government entities should report to the public at both system and project level for transparency and accountability.	Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact.	Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls.	In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite.	Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders.	Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
Entities must provide balanced advice to decision-makers on the benefits and risks of investments.	Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery.	Active review of policies and procedures in line with current business activities supports more effective risk management.	Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting.	Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events.	Transformation programs can be improved by resourcing a program management office.
Clear guidelines and transparency of decisions are critical in distributing grant funding.	Quality assurance should underpin key inputs that support performance monitoring and accounting judgements.	Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues.			Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need.
Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.
Read more	Read more	Read more	Read more	Read more	Read more

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

11 December 2019

Published

Planning, Industry and Environment 2019

Planning

Industry

Environment

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Management and administration

Service delivery

Workforce and capability

This report outlines the results of audits of the financial statements of agencies now grouped in the NSW Planning, Industry and Environment cluster.

Unqualified audit opinions were issued for 56 of the 66 cluster agencies’ 30 June 2019 financial statements. Ten audits remain incomplete. The cluster agencies need to improve the timeliness of financial reporting.

The Audit Office continued to identify issues regarding unprocessed Aboriginal land claims and the recognition of Crown land. ‘Auditor-General’s reports to parliament have recommended action to reduce the level of unprocessed land claims since 2007. However, the number of unprocessed claims continued to increase’, Margaret Crawford said.

One in five internal control findings were repeat issues. Key themes included information technology, asset management and improvements required to expense and payroll controls.

The report makes several recommendations including:

Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019
the Department of Planning, Industry and Environment should prioritise action to reduce unprocessed Aboriginal land claims
the Department of Planning, Industry and Environment should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Creation of the Planning, Industry and Environment cluster

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The Department of Planning, Industry and Environment is still in the process of implementing changes

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

2. Financial reporting

Audit opinions	Unqualified audit opinions were issued for 56 of the 66 cluster agencies' 30 June 2019 financial statements audits. Ten financial statements audits are still ongoing.
Timeliness of financial reporting	Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline. Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.
Introduction of AASB 16 'Leases'	We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods. We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records. Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.
Unprocessed Aboriginal land claims have continued to increase	Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007. Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

3. Audit observations

Internal controls	One in five internal control issues identified and reported to management in 2018–19 were repeat issues. The lack of user access review was the most common IT general control issue in the cluster.
Drought relief	The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place. Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.
Recognition of Crown land	Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19. Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.
Developer contributions	The former DPE continued to accumulate more developer contributions revenues than it spent on infrastructure projects. Total unspent funds increased to $274 million at 30 June 2019.

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

This cluster was created by the Machinery of Government changes on 1 July 2019. This report is focused on agencies in the Planning, Industry and Environment cluster from 1 July 2019. However, these agencies were all in other clusters during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions that are given effect by Administrative orders.

The MoG changes, announced following the NSW State election on 23 March 2019, created the Planning, Industry and Environment (PIE) cluster. The Administrative Changes Orders issued on 2 April 2019, 1 May 2019 and 28 June 2019 gave effect to these changes. These orders became effective on 1 July 2019.

Section highlights

The 2019 MoG changes significantly impacted the former Planning and Environment, and Industry clusters and agencies.

The PIE cluster combines most of the functions and agencies of the former Planning and Environment and Industry clusters from 1 July 2019.
The Department of Planning, Industry and Environment is the principal agency in the PIE cluster.
The MoG changes bring risks and challenges to the PIE cluster.
A MoG Steering Committee was established to oversee the transitional processes.
The full integration of the systems and processes will not be completed in the near future.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

Unqualified audit opinions were issued for all completed 30 June 2019 financial statements audits. However, some cluster agencies can further enhance the quality of financial reporting.
Timeliness of financial reporting remains an issue for 13 agencies.
Deficiencies were identified in the data used to calculate the impact of AASB 16 ‘Leases’ effective from 1 July 2019. Property NSW should urgently address these deficiencies.
Unprocessed Aboriginal land claims continue to increase. DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our audit observations and insights from our financial statement audits of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

One in five issues identified and reported to management in 2018–19 were repeat issues.
The lack of user access review was the most common IT general control issue in the PIE cluster.
The PIE cluster provided significant financial assistance for drought relief.
There continues to be significant deficiencies in Crown land records. The DPIE should ensure the Crown land database is complete and accurate.
Unspent developer contributions funds continued to build up in 2018–19.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

Appendix five – Management letter findings

Appendix six – Timeliness of financial reporting

Copyright notice

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

Audit progress

Sector

Year

Report type

Topic

Reports

What this report is about

Audit findings

What this report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

What this report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

What this report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

What the report is about

What we found

What the key issues were

Section highlights

Section highlights

Copyright notice

What the report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

The number of findings reported to management has increased, and 31% were repeat issues

A high-risk matter was reported at the TAFE Commission highlighting instances of non-compliance with policies and procedures guiding appropriate purchasing card use

Recommendation

What the report is about

What we found

Fast facts

Copyright notice

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

1. Machinery of Government changes

2. Financial reporting

3. Audit observations

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings