Reports
Report on Local Government 2017
Under section 421C of the Local Government Act 1993, I am pleased to present our first report on the statutory financial audits of councils, to NSW Parliament.
My appointment as the auditor of local government in New South Wales is the most significant change to the Auditor-General's mandate in nearly three decades.
Moving to the new audit arrangements over the past 18 months has been challenging but rewarding. It has confirmed my appreciation of local government – a sector passionate about the community and focused on delivering local services.
The unique relationship each council has with its community differentiates it from other tiers of government.
Our audits
I am pleased to report that we completed 139 out of 140 financial statement audits for the 2016–17 audit cycle. The remaining council received an extension to lodge its financial statements.
We have also released a performance audit report on council reporting on service delivery. We will soon release another report on fraud controls in local councils and a report on council shared services later this year.
- While the new audit mandate brings immense responsibility, my office has embraced the challenges involved and the objectives that NSW Parliament gave us:
- strengthening governance and financial oversight in local government
- providing greater consistency in external audit
- ensuring reliable financial information is available to assess council performance
- improving financial management, fiscal responsibility and public accountability in how councils use citizens’ funds.
This report
This report is rich in data extracted from the results of the 2016–17 financial audits. For the first time, it presents a consistent view of financial performance across the New South Wales local government landscape. The report also provides guidance and includes recommendations to councils and the Office of Local Government aimed at strengthening financial reporting, asset management, governance and internal controls.
The report will help NSW Parliament understand the common challenges that councils face. It provides points of comparison for councils and signposts matters that will be the focus of future audits. Importantly, this report and the data visualisation that accompanies it, provides comprehensive and accessible information to citizens regarding the management and performance of their councils.
I would like to acknowledge the cooperation of councils throughout the audit process and our partnerships with the contract audit firms that helped us to deliver the audits. Together we can learn from each other and work towards improving outcomes for the community.
| 1. Introduction | |
| Local government sector | NSW has 140 councils: 128 local councils serving a geographic area and 12 county councils formed for a specific purpose. We completed audits of 139 councils' 2016–17 financial statements and eight councils' 2015–16 financial statements. Bayside Council received a lodgement extension from the Office of Local Government (OLG) and has not yet presented their 2016–17 financial statements for audit. |
| Service delivery | Each council provides a range of services, influenced by population density, demographics, the local economy, geographic and climatic characteristics. These differences influence the financial profile of councils. |
| 2. Financial reporting | |
| Quality of financial reporting |
The overall quality of financial reporting needs to improve:
OLG guidance for council year-end financial reporting needs to align with Australian Accounting Standards and be issued earlier. |
| Timeliness of financial reporting | Timeliness of financial reporting needs to improve. Forty councils required lodgement extensions past the 31 October 2017 statutory reporting deadline. |
| 3. Financial performance and sustainability | |
| Operating revenue | Eighteen councils operating expenses exceed current operating revenue. Fifty-nine councils do not meet OLG’s target of 60 per cent for own source operating revenue. |
| Liquidity and working capital | Most councils have sufficient liquidity and working capital. However, there are indicators that:
|
| Asset management measures | Reporting against OLG’s asset management performance measures highlights that councils need to consider whether spending on existing infrastructure assets is sufficient to ensure they continue to meet service delivery standards:
|
| 4. Asset management | |
| High risk issues | We reported ten high risk issues relating to councils’ asset management and accounting practices. |
| Asset reporting | The accuracy of asset registers requires improvement and all assets need to be reported in the financial statements. At 30 June 2017, 62 councils did not record all rural fire-fighting equipment in their financial statements. A large proportion of rural fire-fighting equipment is not reported in either State government or local government financial statements. |
| Asset valuation | We reported seven high risk matters related to asset valuations, including two that resulted in qualified audit opinions. |
| Asset useful life estimates | We identified that accounting for the useful lives of similar assets varied across councils, resulting in variable depreciation expense for these assets. In addition, the useful lives of assets need to be reviewed annually. This review should be supported by current condition assessments. |
| Asset policy and planning | Thirteen councils do not have an asset management strategy, policy and plan, as required by the Office of Local Government’s Integrated Planning and Reporting Framework. |
| 5. Governance and internal controls | |
| High risk issues | We reported 17 high risk issues relating to governance, financial accounting, purchasing and payables and payroll matters. |
| Governance | There is currently no requirement for councils to have an audit, risk and improvement committee and internal audit function. Consequently, 53 councils do not have an audit committee and 52 councils do not have an internal audit function. The Office of Local Government has incomplete information on the number of entities established by councils. There is no financial reporting framework for the variety of entities established by councils. Councils can strengthen policies and procedures to support critical business processes, practices for risk management and compliance with key laws and regulations. |
| Internal controls | Councils can improve internal controls over manual journals, reconciliations, purchasing and payables and payroll. |
| 6. Information technology | |
| High risk issues | We reported nine high risk issues relating to information technology. |
| Access to IT systems | Controls over user access to IT systems need to be strengthened. |
| Information Technology governance | IT governance benefits from appropriate policies, standards and guidelines across all critical IT processes. We identified that:
|
Accurate and timely financial statements are an important element of sound financial management. They bring accountability and transparency to the way councils use public resources. Our financial audits assessed the following aspects of councils’ financial reporting:
- quality of financial reporting
- timeliness of financial reporting.
| Observation | Conclusion or recommendation |
| 2.1 Quality of financial reporting | |
|
Qualified audit opinions
|
The councils that received unmodified audit opinions prepared financial statements that fairly present their financial position and results. |
|
We issued modified (qualified) opinions on the:
|
Councils with modified opinions should address the issues that give rise to the audit qualification. |
| Significant audit matters We reported 39 significant matters in 29 councils. They included material accounting issues and significant deficiencies in internal controls. Seventy-seven per cent of the matters related to assets. |
Significant issues with the quality of financial reporting delayed the completion of a number of audits. Improving the reporting on assets should be a priority. |
| Prior period errors We found 33 material errors worth $9.1 billion in the previous audited financial statements of 22 councils. These all required prior-year audited balances to be corrected. Eighty eight per cent of these were asset related. |
The high number of asset-related prior-period errors reinforces the need for councils to improve the way they value and account for assets. |
| Financial statements We reported 43 moderate risk findings where councils can improve the way they complete their financial statements. |
Recommendation Councils can improve the quality of financial reporting by reviewing their financial statements close processes to identify areas for improvements. |
| Of the councils that had an audit, risk and improvement committee, 55 per cent of these did not review the financial statements before audit. | Recommendation Councils can improve the quality of financial reporting by involving an audit, risk and improvement committee in the review of financial statements. |
| OLG guidance To support councils in preparing 30 June 2017 financial statements, OLG issued guidance documents in June 2017 and September 2017. This limited the time councils had to prepare financial statements in the prescribed form and resolve financial reporting and audit issues. |
Recommendation The Office of Local Government should release the Local Government Code of Accounting Practice and Financial Reporting and the End of Year Financial Reporting Circular earlier in the audit cycle, ideally by 30 April each year. |
| The Code applicable for the 2016–17 financial reporting period provided options and guidance that in some instances did not fully align with Australian Accounting Standards. | Recommendation The Local Government Code of Accounting Practice and Financial Reporting should align with Australian Accounting Standards. |
| 2.2 Timeliness of financial reporting | |
| Statutory deadlines One hundred councils submitted audited financial statements to OLG by the statutory deadline of 31 October 2017. Thirty-nine councils received reporting extensions up to 28 February, including 16 of the 20 newly amalgamated councils. Bayside Council received a reporting extension to 31 May 2018 and has not yet presented their financial statements for audit. |
Councils need to improve their financial reporting processes in order to lodge their financial statements by the statutory reporting deadline. |
| Early close procedures Councils currently do not use early close procedures to resolve accounting issues before the end of the financial year. |
Recommendation The Office of Local Government should introduce early close procedures with an emphasis on asset valuations. |
3 The Auditor‑General was appointed statutory auditor of eight councils for the 2015–16 reporting period at the specific request of councils, due to the failure by councils to appoint an auditor, or the inability of the previous auditor to complete the audit due to external investigation or auditor retirement.
Strong and sustainable financial performance provides the platform for councils to deliver services and respond to the needs of their community. This chapter outlines our audit observations on the performance of councils against the Office of Local Government's (OLG) performance indicators, grouped in three areas:
- operating revenue performance measures
- liquidity and working capital performance measures
- asset management performance measures.
Our analysis indicates that some councils face challenges in meeting these performance and sustainability measures.
| Observations | Conclusions |
| 3.1 Operating revenue performance measures | |
|
Operating performance Another 20 councils would not have met OLG’s operating performance benchmark without the receipt of 2017–18 financial assistance grants which was recorded as revenue during 2016–17. Eleven councils have not met OLG’s operating performance benchmark for the last three years. |
It is important that councils have financial management strategies that support their financial sustainability and ability to meet OLG’s operating performance benchmark over the long term. |
| Operating performance measures how well councils contain operating expenses within operating revenue. OLG has prescribed a benchmark of greater than zero. | |
|
Own source operating revenue |
Rural councils have high-value infrastructure assets that cover large areas with smaller populations and less capacity to raise revenue from alternative sources compared with metropolitan councils. |
| Own source operating revenue measures a council’s fiscal flexibility and the degree to which it can generate revenue from own sources compared with total revenue from all sources. OLG has prescribed a benchmark of more than 60 per cent of total revenue. | |
| 3.2 Liquidity and working capital performance measures | |
|
Unrestricted current ratio |
Most councils can meet short-term obligations as they fall due. |
| The unrestricted current ratio represents a council’s ability to meet its short-term obligations as they fall due. OLG has prescribed a benchmark of greater than 1.5 times. | |
|
Debt service cover ratio Regional councils have 56 per cent of the value of all borrowings in the sector. |
Most councils have sufficient operating cash available to service their borrowings. Regional councils borrow more heavily than metropolitan councils to deliver water and sewerage infrastructure. Metropolitan councils do not have the responsibility to provide water and sewerage infrastructure. |
| The debt service cover ratio measures the operating cash available to service debt including interest, principal and lease payments. OLG has prescribed a benchmark of greater than two times. | |
|
Rates and annual charges outstanding These councils also did not meet the infrastructure backlog ratio. |
Most councils are collecting rates and annual charges levied. Councils with higher levels of uncollected rates and charges can experience increased pressure on the working capital available to fund operations. |
| The rates and annual charges outstanding measure assesses the impact of uncollected rates and annual charges on a council’s liquidity and the adequacy of debt recovery efforts. OLG has prescribed a benchmark of less than five per cent for metropolitan and less than ten per cent for other councils. | |
|
Cash expense cover ratio |
Most councils have the capacity to cover more than three months of operating expenses. |
| The cash expense cover ratio indicates the number of months a council can continue paying its expenses without additional cash inflows. OLG has prescribed a benchmark of greater than three months. | |
|
This measure does not exclude externally and internally restricted funds. If externally restricted funds are excluded, all councils would still meet OLG’s benchmark. If both externally and internally restricted funds are excluded:
|
Councils with a higher proportion of restricted funds may have less flexibility to pay operational expenses than the cash expense cover ratio suggests. However, councils can resolve to lift internal restriction if required. |
|
3.3. Asset management performance measures (not audited) |
|
|
Building and infrastructure renewals ratio Most councils included expenditure related to work-in-progress in calculating this ratio. OLG are of the view that work-in-progress should be excluded and as a result identified that a further 23 councils do not meet the benchmark. |
These councils appear to not be renewing assets in line with the rate they are depreciating them. This raises questions as to whether council asset management plans are adequate to determine whether assets are being kept up to agreed standards. Uncertainty on the inclusion of work-in-progress assets does need to be is clarified in order to ensure consistency in determining whether councils are adequately renewing their assets. |
| The building and infrastructure renewals ratio represents the rate at which assets are being renewed relative to the rate at which they are depreciating. OLG has prescribed a benchmark of greater than 100 per cent. | |
|
Infrastructure backlog ratio |
These councils may not be maintaining their infrastructure backlog at a manageable level. |
| The infrastructure backlog ratio represents the proportion of infrastructure backlog relative to the total net book value of a council's infrastructure assets. OLG has prescribed a benchmark of less than two per cent. | |
|
Asset maintenance ratio |
These councils’ maintenance expenditure may be insufficient to sustain their assets in a functional state so they reach their predicted useful life. |
| The asset maintenance ratio represents the rate at which assets are being maintained relative to the rate at which they are required to be maintained. OLG has prescribed a benchmark of greater than 100 per cent. | |
|
Costs to bring assets to agreed service level |
There is variability between councils in the amount of outstanding renewal works to be completed. |
| This ratio represents the estimated cost to renew or rehabilitate existing infrastructure assets that have reached the condition-based interval level adopted by a council, relative to the gross replacement cost of all infrastructure assets. OLG has not prescribed a benchmark for this performance measure. | |
OLG’s benchmarks for financial performance and sustainability
Each local council has unique characteristics such as its size, location and services provided to their communities. These differences affect the nature of each council's assets and liabilities, revenue and expenses, and in turn the financial performance measures against which it reports.
The Office of Local Government prescribes performance indicators for council reporting
The analysis in this chapter is based on performance measures prescribed in OLG’s Code of Accounting Practice and Financial Reporting (the Code). Councils report against these measures in their annual report, which includes the audited financial statements and other unaudited information. In the audited financial statements, councils report performance against six financial sustainability measures:
- operating performance
- own source operating revenue
- unrestricted current ratio
- debt service cover ratio
- rates and annual charges outstanding percentage
- cash expense cover ratio.
Councils also include the unaudited Special Schedule 7 'Report on Infrastructure Assets' in their annual reports. In this schedule, councils report to OLG on performance against four further measures:
- building and infrastructure renewals ratio
- infrastructure backlog ratio
- asset maintenance ratio
- cost to bring assets to agreed service level.
Each audited measure and three of the four unaudited measures has a prescribed benchmark. OLG’s benchmarks are the same for metropolitan, regional, rural and county councils, with the exception of the rates and annual charges outstanding percentage. Regional, rural and county councils have a different benchmark to metropolitan councils for this measure.
Three rural councils did not meet three of the audited OLG benchmarks
Most councils met OLG’s benchmarks for at least five or all of the six audited performance measures. Eight rural, four regional, four metropolitan and two county councils did not meet OLG’s benchmarks for two out of the six audited performance measures. Three rural councils did not meet OLG’s benchmarks for three out of the six audited performance measures.
The following table summarises how the councils performed across the six audited performance measures.
| Number of OLG benchmarks met by councils | Number of councils | |||
| Metropolitan | Regional | Rural | County | |
| 6 | 12 | 12 | 29 | 5 |
| 5 | 17 | 21 | 17 | 5 |
| 4 | 4 | 4 | 8 | 2 |
| 3 | -- | -- | 3 | -- |
| Not available* | 1 | -- | -- | -- |
| Total | 34 | 37 | 57 | 12 |
Source: Audited Financial Statements for 2016–17.
Appendix ten lists the performance of each council against all performance measures.
NSW councils own and manage a significant range of assets, including infrastructure, property, plant and equipment with a total value of $136 billion.
Many of the issues that our local government audits identified related to asset management. This chapter discusses some of the asset accounting issues we found, focusing on five areas:
- overall asset management issues
- asset registers
- asset valuation
- recognition and asset useful life estimates
- asset policy and planning.
| Observations | Conclusion or recommendation |
| 4.1 High risk issues | |
|
Significant matters reported to those charged with council governance |
High risk issues affect council’s ability to maintain their assets in the condition required to deliver essential services. |
| 4.2 Asset reporting | |
|
Accuracy of asset registers |
Maintaining accurate asset records is important as it enables councils to manage their assets effectively and report on finances appropriately. |
|
Unrecorded land and infrastructure assets |
Assets not captured in council records is at risk of not being subject to their care and control, nor recorded in the financial statements. |
|
Rural fire-fighting equipment |
Recommendation In doing so, the Office of Local Government should work with NSW Treasury to ensure there is a whole‑of‑government approach. |
|
4.3 Asset valuation |
|
|
Restricted assets Nine councils corrected the land values in their 2016–17 financial statements, reducing the reported value of community land and land under roads by $12.1 billion. |
The valuation of community land and land under roads should reflect the physical and legislative restrictions on these assets as required by Australian Accounting Standards. The impact of restrictions can be significant. Councils should consider engaging experts to assist with the determination of asset fair values, as necessary. |
| Asset revaluations Our audits found many cases where councils did not review valuation results, comply with applicable codes, or work effectively with valuers to obtain accurate asset valuations. |
Valuing large infrastructure assets is a complex process. Councils would benefit if the process is started earlier and there is a clear plan to ensure valuations are appropriately managed and documented. |
|
4.4 Asset useful life estimates |
|
|
Asset useful life estimates In some cases, the useful lives of assets are not reviewed annually or supported by regular condition assessment. |
Depreciation is a significant expense for councils and therefore impacts on reported financial results and key performance indicators. To comply with Australian Accounting Standards, councils need to reassess the useful lives of all assets annually. Regular condition assessments are essential to identify maintenance requirements and maintain service delivery. |
|
4.5 Asset policy and planning |
|
| Asset management strategy Thirteen councils do not have an asset management policy, strategy and plan, as required by OLG's Integrated Planning and Reporting Framework. Newly amalgamated councils have until 30 June 2018 to implement this. |
An effective asset management strategy, policy and plan helps councils to manage their assets appropriately over their life cycle and to make informed decisions on the allocation of resources. |
Asset overview
NSW councils own and manage a significant range of assets, including infrastructure, property, plant and equipment.
At 30 June 2017, the combined carrying value of NSW council assets was as follows.
Good governance systems help councils to operate effectively and comply with relevant laws and standards. Internal controls assist councils to operate reliably and produce effective financial statements.
This chapter highlights the high risk issues we found and reports on a range of governance and control areas. Governance and control issues relating to asset management and information technology are covered in separate chapters.
| Observation | Conclusion or recommendation |
| 5.1 High risk issues | |
| Significant matters reported to those charged with council governance | |
| Our 2016–17 audits identified 36 high risk governance and internal control deficiencies across 17 councils. | Asset practices accounted for the highest number of high risk issues and information technology accounted for the largest overall number of control deficiencies. These matters are covered in chapters four and six respectively. |
We reported:
|
High risk issues affect council’s ability to achieve their objectives and increase the risk of fraud and error. |
| 5.2 Governance | |
| Audit committees | |
| Councils are currently not required to have an audit, risk and improvement committee. Consequently, 53 councils do not have an audit committee. |
Proposed legislative changes will require councils to establish an audit, risk and improvement committee by March 2021. Recommendation |
|
Internal audit |
Recommendation |
|
Council entities |
Recommendation |
| The Local Government Act 1993 does not stipulate a financial reporting framework for council entities. |
Recommendation |
|
Policies and procedures |
It is important there are current policies, standards and guidelines available to staff and contractors across all critical business processes. |
|
Legislative compliance frameworks |
Councils can improve practices in monitoring compliance with key laws and regulations. This includes implementing a legislative compliance framework, register and policy. |
|
Risk management |
Council risk management practices are enhanced when there is a fit-for-purpose risk management framework, register and policy to outline how risks are identified, managed and monitored. |
| 5.3 Internal controls | |
|
Financial accounting We identified 51 high and moderate risk issues across 39 councils where reconciliation processes need to improve to support the preparation of accurate financial statements |
Sound financial accounting processes include controls to ensure:
|
| Purchasing and payables We found 102 high and moderate risk deficiencies in purchasing and payable controls across 64 councils. Sound purchasing controls are important to minimise error, unauthorised purchases, fraud and waste. |
As councils spend a substantial amount each year to procure goods and services, strong controls over purchasing and payment practices are critical. These include:
|
|
Payroll Managing excess annual leave balances was a challenge for 32 councils. |
Effective payroll controls are important because employee expenses represent a large portion of council expenditure. These controls include segregation of duties in the review of payroll master file data, timesheets, leave forms, payroll exception reports and termination payments. Excessive annual leave balances can have implications on employee costs, disrupts service delivery and affect work, health and safety. Excess annual leave balances should be continuously monitored and managed. |
Like most public sector agencies, councils increasingly rely on information technology (IT) to deliver services and manage sensitive information. While IT delivers considerable benefits, it also presents risks that councils need to address.
Our review of council IT systems focused on understanding the processes and controls that support the integrity, availability and security of the data used to prepare financial statements. This chapter outlines issues in three broad areas:
- high risk issues
- access to IT systems
- IT governance.
| Issues | Conclusion |
| 6.1 High risk issues | |
| Significant matters reported to those charged with council governance | |
| Our 2016–17 audits identified nine high risk IT control deficiencies across seven councils. The issues related to user access controls, privileged access controls and user developed applications. | High risk issues affect council’s ability to achieve their objectives and increase the risk of fraud and error. |
| 6.2 Access to IT systems | |
| User access controls We identified 107 issues across 56 councils where user access controls could be strengthened. |
Inadequate IT policies and controls around user access, including privileged access, increases the risk of individuals having excessive or unauthorised access to critical financial systems and data. |
|
Privileged access |
|
|
User developed applications Our audits found 22 councils using spreadsheets for business operations, decision making and financial reporting that were not adequately secured, with changes that were not tracked, tested or reviewed. We also identified five councils where finance staff and senior management use database query tools to directly modify financial data, circumventing system-based business process controls. |
It is important councils are aware of all circumstances they are relying on UDAs to limit the risk of errors and potential misuse. This allows councils to:
|
| 6.3 IT Governance | |
|
Strategy, policies and procedures Sixty-six councils do not have an adequate information security policy. |
IT governance is enhanced where there is:
|
|
Disaster recovery and business continuity The ability to restore data from backups is critical to ensure business continuity in the face of a system disaster. We also found that 15 councils do not periodically test their ability to restore backups of data relevant to financial reporting. |
Sound management of disaster recovery and business continuity includes:
We expect to focus on these areas in our future audits. |
Appendix one - Response from the Office of Local Government
Appendix two - List of recommendations
Appendix three - Sources of information and council classifications
Appendix four - Councils amalgamated in 2016
Appendix five - Status of audits
Appendix seven - OLG’s performance indicators from the audited financial statement - Descriptions
Appendix eight - OLG’s performance indicators from the unaudited special schedule 7 - Descriptions
Appendix nine - Financial information
Detecting and responding to cyber security incidents
A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.
The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.
This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).
The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.
Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.
Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.
Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.
Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.
Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.
Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.
Recommendations
The Department of Finance, Services and Innovation should:
- assist agencies by providing:
- better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
- training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
- role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
- a support model for agencies that have limited detection and response capabilities
- revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
- clarifying what security incidents must be reported to DFSI and when
- extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.
DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.
DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.
Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.
Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.
DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.
There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.
Recommendations
The Department of Finance, Services and Innovation should:
- develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
- develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
- enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
- direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
- provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
- extending the attestation requirement within the DISP to cover procedures and reporting
- reviewing a sample of agencies' incident reporting procedures each year.
Appendix one - Response from agency
Appendix two - ISMS maturity model
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #297 - released 2 March 2018
Volume Ten 2011 Focusing on Health
This report includes comments on financial audits of government agencies in the Health sector. In 2010-11, Ambulance Officers spent an extra 77,200 hours waiting at emergency departments for patients to transfer to hospital care. In 2010-11, only 66 per cent of patients were moved from the emergency department to an inpatient bed within eight hours of their arrival. This is significantly down on last year’s 73 per cent and well below the 80 per cent target.
Volume Eight 2011 Focus on Transport and Ports
The report includes comments on financial audits of government agencies in the Transport and Ports sectors. The audit of corporations’ financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. A key recommendation from the report is that Sydney Ports Corporation should continue working with other government authorities and industry stakeholders to improve the effectiveness of program initiatives for increasing container freight movements by rail. The Corporation should review the underlying causes hindering growth in the rail mode and develop and implement strategies to address the unfavourable trend.
Volume Seven 2011 focus on Law, Order and Emergency Services
The audits of these agencies’ financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. It is recommended that emergency services agencies continue to develop and implement comprehensive volunteer workforce management plans to ensure they have the right volunteer resources.
Volume Six 2011 focus on Environment, Water and Regional Infrastructure
The Environment Protection Authority’s expenditure for the financial year 2010/11 was $92 million - $76 million of this was for environment protection and regulation. The Office of Environment and Heritage and the Environment Protection Authority commenced 145 prosecutions for environmental offences and 106 were completed in the financial year 2010/11, down from the 134 prosecutions completed in 2009/10. Financial penalties for 2010/11 totalled $969,000 down from $1,403,000 in 2009/10. The average fine decreased from $10,468 in 2009/10 to $9,141 in 2010/11.
Volume Five 2011 focus on Superannuation, Compensation and Housing
The audits of the New South Wales Government controlled superannuation entities financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. Findings show that Treasury should review the structure and number of public sector superannuation funds and consider whether efficiencies and cost savings could be achieved through consolidation.
Volume Four 2011 focusing on Electricity
The sale of the State’s electricity retail and trading rights raised $5.3 billion. The electricity retail businesses sold for a $3.08 billion profit with the electricity generation output sold for a $1.85 billion loss, delivering a overall profit of $1.23 billion. One recommendation is that The Treasurer should consider releasing the Energy Reform Strategy relating to the development and ownership of the Cobbora Coal Project for public scrutiny to ensure transparency of the energy reform process. There should be a clearly articulated business plan to demonstrate to the people of New South Wales the benefits from the project.
Volume One 2011
The level of non compliance with the requirements of this Premier’s Memorandum is concerning, particularly considering the NSW Procurement Reforms were effective since 2006. The implementation strategy for procurement reform was announced as early as 2001. We recommend the governing bodies of agencies and management review, not only the processes their agencies have in place to comply with procurement reforms and requirements, but also more broadly how agencies identify and comply with laws, regulations, Treasury policy pronouncements, Premier’s memoranda and other obligations.
The Police Assistance Line: Follow-up audit
In this 2006 follow-up audit, we found that NSW Police had addressed most of the key areas for improvement we identified in 2003. The contact centre which operates the Police Assistance Line (PAL) is well managed, and has implemented several improvements since our 2003 audit. The centre’s speed in answering and handling PAL calls is better than in 2003. Caller satisfaction with PAL services is high, and NSW Police calculate it releases 200 police for frontline duty. The centre also receives around 4,000 enquiry calls each week further reducing the load on local police.
Parliamentary reference - Report number #161 - released 6 December 2006
