Reports
Actions for Procurement management in Local Government
Procurement management in Local Government
The Auditor‑General for New South Wales, Margaret Crawford, released a report today examining procurement management in Local Government.
The audit assessed the effectiveness of procurement management practices in six councils. All six councils had procurement management policies that were consistent with legislative requirements, but the audit found compliance gaps in some councils. The audit also identified opportunities for councils to address risks to transparency and accountability, and to ensure value for money is achieved when undertaking procurement.
The Auditor‑General recommended that the Department of Planning, Industry and Environment review the Local Government (General) Regulation 2005 and publish updated and more comprehensive guidance on procurement management for the Local Government sector. The report also generated insights for the Local Government sector on opportunities to strengthen procurement practices.
Effective procurement is important in ensuring councils achieve their objectives, demonstrate value for money and deliver benefits to the community when purchasing goods and services. Procurement also comes with risks and challenges in ensuring the purchased goods and services deliver to expectations. The risks of fraud and conflicts of interest also need to be mitigated.
The legislative requirements related to procurement in the Local Government sector are focused on sourcing and assessing tender offers. These requirements are included in the Local Government Act 1993 (the Act), the Local Government Amendment Act 2019 (the Amendment), the Local Government (General) Regulation 2005 (the Regulation), the Tendering Guidelines for NSW Local Government 2009 (the Tendering Guidelines), the Government Information (Public Access) Act 2009 (the GIPA Act) and the State Records Act 1998.
General requirements and guidance relevant to councils are also available in the Model Code of Conduct for Local Councils in NSW 2018 (the Model Code), the NSW Government Procurement Policy Framework 2019 and in publications by the Independent Commission Against Corruption (ICAC).1
Individual councils have developed their own procurement policies and procedures to expand on the legislative requirements. Understandably, these vary to reflect each council’s location, size and procurement needs. Nevertheless, the general principles of effective procurement management (such as transparency and accountability) and risk-mitigating practices (such as segregation of duties and the provision of training) are relevant to all councils.
The Audit Office of New South Wales Report on Local Government 2018 provided a sector-wide summary of aspects of procurement management in Local Government (see Section 2.1 of this report). This audit builds on this state-wide view by examining in detail the effectiveness of procurement management practices in six councils. This report also provides insights on opportunities to strengthen procurement management in the sector.
The selected councils for this audit were Cumberland City Council, Georges River Council, Lockhart Shire Council, Tweed Shire Council, Waverley Council and Wollongong City Council. They were selected to provide a mix of councils of different geographical classifications, sizes, priorities and levels of resourcing.
All six councils had procurement management policies and procedures that were consistent with the legislative requirements for sourcing and assessing tender offers. Their policies and procedures also extended beyond the legislative requirements to cover key aspects of procurement, from planning to completion. In terms of how these policies were applied in practice, the six councils were mostly compliant with legislative requirements and their own policies and procedures, but we found some gaps in compliance in some councils and made specific recommendations on closing these gaps.
There were also opportunities for councils to improve procurement management to mitigate risks to transparency, accountability and value for money. Common gaps in the councils’ procurement management approaches included not requiring procurement needs to be documented at the planning stage, not providing adequate staff training on procurement, not requiring procurement outcomes to be evaluated, and having discrepancies in contract values between contract registers and annual reports. These gaps expose risks to councils’ ability to demonstrate their procurements are justified, well managed, delivering to expectations, and achieving value for money. Chapter three of this report provides insights for the audited councils and the Local Government sector on ways to address these risks
Recommendations
- By June 2022, the Department of Planning, Industry and Environment should:
- publish comprehensive and updated guidance on effective procurement practices – including electronic tender submissions and procurements below the tender threshold
- review and update the Local Government (General) Regulation 2005 to reflect the increasing use of electronic tender submissions rather than paper copies.
- By December 2021, the six audited councils should consider the opportunities to improve procurement management in line with the improvement areas outlined in chapter three of this report.
- Cumberland City Council should immediately:
- ensure contract values are consistent between the contract register and the annual report
- introduce procedures to ensure supplier performance reviews are conducted as per the council’s policy
- Georges River Council should immediately:
- ensure contract values are consistent between the contract register and the annual report
- introduce procedures to ensure all the steps up to the awarding of a contract are documented as per the council’s policy
- introduce procedures to ensure outcome evaluations are conducted as per the council’s policy.
- Lockhart Shire Council should immediately:
- include additional information in the council’s contract register to ensure compliance with Section 29(b), (f), (g), (h) and (i) of the GIPA Act
- ensure contract values are consistent between the contract register and the annual report.
- Waverley Council should immediately ensure contracts are disclosed in the annual report as per Section 217(1)(a2) of the Regulation.
While all six councils had procurement policies in place and were generally compliant with legislative requirements, this report has identified common gaps in processes and practices that expose risks to transparency, accountability and value for money.
This section discusses how councils can mitigate risks and ensure the best outcomes are achieved from their procurements.
Documented justification of procurement needs
The ICAC notes that determining what goods and services an agency requires is the first step of procurement, and the scope for corruption in how need is determined is significant. Without documenting how procurement needs have been justified, councils cannot demonstrate that they fulfill business needs, nor how the procurements may link to the councils’ strategic plans to deliver to the community.
This audit found that none of the six councils’ policies required them to document justification of procurement needs, and none did so consistently in practice. Councils can address this gap by building into their procurement planning process a requirement for staff to document the justification of procurement needs. For higher value procurements, this could be extended to include analysis of options, an assessment of risks and defining intended outcomes. Similarly, clearly establishing and documenting how relevant procurements relate to a council’s community strategic plans or operational plans helps ensure transparency.
Although a formal business case may not be required for many procurements (for example, low-value procurements or routine replacements), some form of documented justification for the expenditure should still be kept on record to demonstrate that the procurement relates to business purposes and is needed.
Segregation of duties
Segregation of duties is an effective control for reducing risks of error, fraud and corruption in procurement. It works on the principle that one person should not have end-to-end control of a procurement. Effective segregation of duties also often involves managerial or independent oversight that is built into the process. Four of the audited councils (Cumberland City Council, Georges River Council, Lockhart Shire Council and Wollongong City Council) appropriately addressed segregation of duties in their procurement frameworks. For example:
-
All procurements in Cumberland City Council required a delegated officer’s approval before commencing, and the requisitioning department is responsible for ensuring the completion of the goods, works or services associated with each contract. For contracts over $50,000, a specific ‘Authority to Procure’ form had to be completed by the requesting staff, signed by an approver and then forwarded to the procurement team.
- Reflecting its small size, all procurements in Lockhart Shire Council were managed by one senior staff member. Nevertheless, this staff member had to bring contract management plans to the rest of the Executive Leadership Team for review and discussion, with large contracts such as those above the tender threshold referred to Council for approval.
The ICAC notes that segregation of duties helps to control discretion, which has particular risk implications for some types of procurement.2 This includes those involving low-value and high-volume transactions, restricted tenders, long-standing procurements and ‘pet projects’ (projects advocated by individual staff members). In cases where corruption risks are low, ICAC notes that monitoring staff’s involvement in procurement may be a cost-effective alternative to total segregation of duties.
Assessment of supplier performance
Councils need to monitor and assess supplier performance to ensure suppliers deliver the goods and services as agreed. The audit found that all six councils consistently monitored progress in capital works and for externally funded projects. Contract monitoring in these cases included ensuring timelines, funding, and legislative requirements were met. This is positive, as capital works made up the bulk of procurements (in terms of volume) in all of the audited councils.
That said, in all six councils, the level of scrutiny was lower for other types of procurements, and there is scope for improvement. For instance, the approach to monitoring capital works or externally funded projects could be replicated across other procurements of a similar nature and value. Conducting assessments and keeping records of supplier performance on all procurements does not need to be onerous, but instead provides useful information to inform future decision-making—including by helping ensure supplier pricing remains competitive, and avoiding re-engaging underperforming suppliers.
The NSW Government Procurement Policy Framework requires that NSW Government agencies establish systems and processes jointly with the suppliers to ensure compliance with contract terms and performance requirements. It also advises that agencies should drive continuous improvement and encourage innovation in coordination with suppliers and key stakeholders.
Centralised contract register
Centrally registering a contract provides improved transparency of procurement activities and facilitates monitoring and compliance checks. While councils are already required to maintain a contract register for all contracts above the reporting threshold (as per the GIPA Act), given the threshold is set at a relatively high benchmark ($150,000), there is merit in councils extending the practice to procurements below the reporting threshold. A central and comprehensive register of contracts helps avoid duplication of procurements and re-contracting of underperforming suppliers.
Three of the audited councils (Georges River Council, Tweed Shire Council and Wollongong City Council) had contract register policies that applied to procurements below the reporting threshold during the audited period. For example, Georges River Council required contracts valued at $10,000 or above to be registered with the procurement team, and Tweed Shire Council had a threshold of $50,000.
Evaluation of community outcomes and value for money
Councils may be progressing procurements to fulfill their strategic and business plans, or using them to fulfill commitments to the community. In these instances, outcomes evaluation is an important way to demonstrate to the community that the intended benefits and value for money have been delivered.
Five of the six audited councils did not require evaluations of community outcomes and value for money. While Georges River Council required contracts valued at $50,000 or more to be monitored, evaluated and reported on at least annually throughout the contract and also at its conclusion, in the procurements we examined the only ‘outcome evaluations’ that the council had conducted were community surveys that did not refer to individual procurements. Councils can miss opportunities to understand the impact of their work on the local community if evaluations of procurement outcomes are not completed. Evaluation findings are also valuable in guiding future resource allocation decisions.
Value for money in the procurement of goods and services is more than just having the specified goods delivered or services carried out. The NSW Government Procurement Policy Framework requires that state government agencies track and report benefits to demonstrate how value for money is being delivered. The framework notes that value for money is not necessarily the lowest price, nor the highest quality good or service, but requires a balanced assessment of a range of financial and non-financial factors, such as: quality, cost, fitness for purpose, capability, capacity, risk, total cost of ownership or other relevant factors.
Procurement training
Effective procurement management relies on the capability of staff involved in various stages of the process. Guidance can be provided through training, which is an important element of any procurement management framework. It ensures that staff members are aware of the councils' policies and procedures. If structured appropriately and provided in a timely manner, training can help to standardise practices, ensure compliance, reduce chances of error, and mitigate risks of fraud or corruption.
The ICAC notes that effective procurement management depends on the competence of staff undertaking procurements and the competence of those who oversee procurement activities. As the public sector is characterised by varying levels of procurement expertise, the ICAC notes that the sector would benefit from a structured approach to training and the application of minimum standards.3
At the time of this audit, only Wollongong City Council addressed staff training requirements in its procurement management framework. Exhibit 8 details its approach.
|
|
|
|
Two of the audited councils have now also introduced procurement training:
- Georges River Council implemented online training, which is mandatory for new staff and serves as refresher training for existing staff. The council also provides in-person training for selected staff (covering contract management, contract specification writing and contractor relationship management) and has developed quick reference cards for all staff to increase awareness of the council's procurement processes.
- Tweed Shire Council implemented mandatory online training for all staff members. The training covers the council's procurement policy and protocol as well as relevant legislation. It is linked to relevant council documents such as the Procurement Toolkit on the council's intranet, and includes a quiz for which training participants must score at least 80 per cent to have the training marked as completed.
Appendix one – Responses from councils and the Department of Planning, Industry and Environment
Appendix two – Councils’ procurement contracts
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #345 - released 17 December 2020
Actions for Credit card management in Local Government
Credit card management in Local Government
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining credit card management in Local Government.
The audit was in response to a letter from the then Minister for Local Government in November 2018. The audit assessed the effectiveness of credit card management practices in six councils, including in the areas of policies, procedures, compliance and monitoring.
The audit found that all six councils had gaps in their credit card policies and procedures. The Auditor-General recommended that the Department of Planning, Industry and Environment publish guidelines on credit card management for the Local Government sector. The report also generated insights for the Local Government sector with respect to credit card management.
In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. As there are no sector-wide requirements or policies for credit card use and management in Local Government, councils have developed their credit card management frameworks to suit their own needs. The quality of credit card policies and procedures may therefore vary across the sector.
Credit cards are an efficient means of payment, especially for low-value purchases. Compared to the use of petty cash, credit card transactions provide better transparency and accountability for expenditure. By using credit cards, councils only need to make one payment each month, which can reduce the time spent on paying separate vendors, as in the case of purchase orders.
This audit assessed the effectiveness of credit card management practices in six councils: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. The councils selected represent a mix of rural, regional and metropolitan councils. They were also among the top ten users of credit cards within their geographical classification, in terms of the number of credit cards issued or the number of transactions per credit card.
This audit referenced the NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards', as its principles and recommendations for NSW Government agencies are relevant for councils.
The Audit Office of New South Wales Report on Local Government 2019 provided a high-level overview of credit card management across the sector. While over 90 per cent of councils reported that they had a credit card policy and a credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government. This audit complements the Report on Local Government 2019 by providing a detailed discussion of the effectiveness of credit card management practices in councils.
Audit conclusionAll six audited councils had important gaps in their credit card policies and procedures. Their reconciliation of credit card transactions needs to be enhanced to enable detection of potential misuse or fraud.
The audit found important gaps in each of the six audited councils' credit card management practices. Their policies and procedures covered the essential aspects of credit card use and management, but a lack of coverage or clarity in some areas could lead to inconsistent and inappropriate use of credit cards. These areas included: eligibility to hold a credit card, aligning credit card limits with financial delegations, and the reconciliation procedures.
While all six councils conducted reconciliations of credit card transactions, the processes need to be enhanced to enable detection of potential misuse or fraud. Reconciliations had focused solely on verifying receipts, and did not require evidence of business-related purposes, even for transactions such as alcohol purchases or spending at entertainment venues. Five of the six councils also did not include compliance checks in their reconciliation process, such as checking that purchases were not for restricted items.
The level of senior management involvement in monitoring credit card use varied across the six councils. Three of the six councils did not generate regular reports for management oversight. Five of the six councils had no plans for internal audits or targeted reviews of credit card management and use.
|
Council staff provided with a credit card can purchase from a wide range of businesses, including online transactions with overseas vendors. However, councils may limit the types of purchases that staff can make through their policies and procedures or by setting controls that block certain transaction types such as cash advances. To examine credit card usage, the audit obtained credit card transaction data from 1 July 2016 to 30 June 2019 for the six councils in this review. The data included:
- transaction date
- amount
- merchant category code (MCC)
- merchant name.
The audit analysed the number and value of transactions by each council, and the types of purchases made using credit cards.
The existence of a documented approach to managing credit cards ensures transparency and consistency of use within the council. A credit card management framework that contains preventative and detective controls can also minimise risks of fraud, misuse and wastage.
There is no prescribed credit card management framework for Local Government, but typical components of a credit card management framework include:
- policies and procedures
- guidance for staff
- monitoring and reporting.
With no detailed guidance notes similar to those in TPP17–09 for NSW Government, councils have developed their own credit card management framework based on their size, structure, resources and intended credit card usage. For instance, the size of a council has implications for the number of credit cards issued, which in turn influences the arrangements for training and guidance provided to cardholders and approvers.
The intended level of credit card usage may determine whether a council adopts a manual or electronic credit card management system and councils should identify the system that best meets their needs. For instance, a council with few credit cards may not be able to justify investment in an electronic system. On the other hand, a manual system may only be viable for councils with a low number of credit cards and a low number of transactions.
Among the six councils audited, the three councils with fewer cards and a lower number of transactions had a manual credit card management system, while the three councils with more cards and a higher number of transactions used an electronic system.
Exhibit 10 summarises the six councils' policies on use of credit cards.
Council | Audit Office classification | Number of staff (full-time equivalent) | Number of credit cards issued (current at August 2019) | Policy on credit card use |
Dubbo Regional Council | Regional | 453 | 77 | Purchase cards are used for official council business up to $5,000 and the policy allows cardholders to delegate the use of their purchase cards to other staff members. |
Junee Shire Council | Rural | 71 | 1 | Corporate credit cards are for council business activities and minor purchases where a purchase order is not accepted. Items that can be purchased via a purchase order should not be purchased on a corporate credit card. |
Lane Cove Council | Metropolitan | 192 | 6 | Corporate credit cards are for official council business, but should not be used when there is an alternative form of payment that aligns with the council's purchasing process. |
Nambucca Valley Council | Rural | 110 | 37 | Purchase cards are used for the payment of goods and services associated with council businesses. |
Penrith City Council | Metropolitan | 1,031 | 167 | Purchase cards are used for ‘low value and low risk procurement of goods and services’, while corporate cards are held by senior staff for ‘non-routine low value work related purchases’. |
Shellharbour City Council | Regional | 372 | 65 | Credit cards are for purchases up to $9,999 and the preferred payment method for transactions under $1,000. |
While it is important for councils to have an established credit card management framework, it is equally important that they ensure compliance in practice. This chapter examines councils' credit card management practices – how well staff members were complying with policies and procedures, and how effective their credit card controls were. The chapter is structured to cover:
- preventative controls (embedded in the issuance, use and cancellation of cards) that prevent fraud and misuse
- detective controls (embedded in reconciliation and record keeping) that assist in detecting fraud and misuse.
Where ineffective credit card management practices are identified, councils should reflect on whether they need to more closely monitor compliance, or whether there are fundamental deficiencies in their policies and procedures that need to be refined.
Dubbo Regional Council had gaps in its credit card policy and procedures. It allowed cardholders to share their credit card with other staff members, which complicated credit card management, increased the risk of misuse and fraud, and breached its agreement with the credit card issuer. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Dubbo Regional Council had 77 credit cards at the time of the audit. The council's policy on credit card sharing violated its agreement with the card issuer that each credit card should be for the respective cardholder's use only. Credit card sharing also increases the risk of misuse and fraud. The council's credit card policy and procedures lacked clarity in several areas. The eligibility criteria were broad and there was a risk of inconsistency in granting approvals, especially since the council gave approval delegations to multiple senior staff members. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of Cabcharge. The audit identified gaps in the council's credit card management practices. While the council had a clear policy on financial delegations, there was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel, meals and entertainment were not accompanied by evidence of need or exemption. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. The council provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. Senior management oversight of credit card use was lacking, as the council did not produce reports on credit card use. There was also no evidence that the internal auditor had undertaken monitoring activities as required in the credit card policy. RecommendationsDubbo Regional Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Dubbo Regional Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. ensure there is ongoing senior management oversight of credit card use 6. ensure the internal auditor undertakes monitoring activities as specified in the credit card policy. |
Junee Shire Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud. Junee Shire Council had only one credit card, held by the general manager, at the time of the audit. Staff members could seek approval from the general manager to purchase using the credit card. This raises concerns of credit card sharing, which would be a violation of the council's agreement with its credit card issuer. Credit card sharing also increases the risk of misuse and fraud. The council had fuel cards and store cards for use by staff members. However, its credit card policy and procedures did not cover the management of these types of cards. The lack of documented rules and guidance increases the risk of misuse and fraud. The audit identified other gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include reviewing the business-related purpose of transactions. The council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. As the cardholder, the general manager reviewed all transactions every month. As the approver, the mayor (or deputy mayor) had to sign off on these transactions. Hence, there was sufficient management oversight of the council's credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsJunee Shire Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Junee Shire Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management 6. ensure its credit card policy and procedures are reviewed according to schedule. |
Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Lane Cove Council had six credit cards, held by the most senior staff members, at the time of the audit. During our interviews, cardholders advised that they had shared their credit card with reporting staff. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of fuel cards and store cards. The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and fine payments were not accompanied by adequate justification. There was a lack of targeted guidance for approvers in reconciliation, and the council only evidenced the finance team's involvement in an administrative capacity (i.e. entering data into the journals). Senior management oversight of credit card use was lacking. Although the credit card policy referred to management reporting, the council had not been producing such reports at the time of the audit. Management reporting was implemented in December 2019 following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. The council has adopted a new Management Directive in January 2020, which has clarified the eligibility criteria for credit cards. RecommendationsLane Cove Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Lane Cove Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Nambucca Valley Council had 37 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures lacked guidance on the management of fuel cards, store cards and Cabcharge. The policy also lacked coverage of the reconciliation arrangements for the general manager's credit card as the general manager did not hold a credit card. While the policy did not preclude the mayor and the general manager from holding a credit card, both opted not to do so. The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and there was insufficient control in handling staff departures, as the audit identified one incident where a credit card was returned after the staff member's last day. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include adequate compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and the use of third-party travel websites were not accompanied by adequate justification. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. Senior management oversight of credit card use was insufficient, as the council had been producing reports for only one manager for his department at the time of the audit. Management reporting for the Chief Finance Officer was implemented following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. The audit acknowledges that the council had revised its credit card procedures following our discussions to address our preliminary findings. The council has also set additional credit card blocks in response to this audit. The recommendations below contain only the outstanding items. RecommendationsNambucca Valley Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Nambucca Valley Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Penrith City Council had 167 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The audit identified gaps in the council's credit card policy and procedures. There was no documented arrangement for the reconciliation of the general manager's credit card. There was also no guidance on the management of Cabcharge. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include adequate compliance checks or reviewing the business-related purpose of transactions. The council's policy required prior approval for conferences, accommodation or meal expenses. However, there was no evidence that such approvals were checked during credit card reconciliation. The audit also identified instances of split transactions. The council implemented monthly reporting for managers in July 2019. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsPenrith City Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Penrith City Council should: 2. clarify in the credit card policy and procedures
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Shellharbour City Council had 65 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The council did not align credit card limits with financial delegations, and while blocking codes were used, there was no explanation in the policy or procedures. Although the mayor and general manager's credit card transactions were reviewed during the council's monthly Executive Leadership Team meetings, the policy and procedures lacked guidance on the reconciliation of their credit cards. The council also did not have sufficiently detailed documentation for the management of fuel cards. The audit identified gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items, such as fuel and fine payments, were not accompanied by adequate justification. The audit identified instances of split transactions, and travel or conference approval forms were also not checked during reconciliation. There was a lack of targeted guidance for approvers in reconciliation, and the council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. The council's Executive Leadership Team was involved in the monthly review of credit card transactions, hence there was management oversight of credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsShellharbour City Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Shellharbour City Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management 6. ensure its credit card policy and procedures are reviewed according to schedule. |
Appendix one – Responses from councils and the Department of Planning, Industry and Environment
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #340 - released 3 September 2020
Actions for CBD South East Sydney Light Rail: follow-up performance audit
CBD South East Sydney Light Rail: follow-up performance audit
This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.
The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.
The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.
The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.
The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.
Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).
On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.
In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.
In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.
Conclusion
Transport for NSW has not consistently and accurately updated CSLER project costs, limiting the transparency of reporting to the public. In line with the NSW Government Benefits Realisation Management Framework, TfNSW intends to measure benefits after the project is completed and has not updated the expected project benefits since April 2015.Between February 2015 and December 2019, Transport for NSW (TfNSW) regularly updated capital expenditure costs for the CSELR in internal monthly financial performance and risk reports. These reports did not include all the costs incurred by TfNSW to manage and commission the CSELR project.
Omitted costs of $153.84 million for early enabling works, the small business assistance package and financing costs attributable to project delays will bring the current estimated total cost of the CSELR project to $3.147 billion.
From February 2015, TfNSW did not regularly provide the financial performance and risk reports to key CSELR project governance bodies. TfNSW publishes information on project costs and benefits on the Sydney Light Rail website. However, the information on project costs has not always been accurate or current.
TfNSW is working with OpCo partners to deliver the expected journey time benefits. A key benefit defined in the business plan was that bus services would be reduced owing to transfer of demand to the light rail - entailing a saving. However, TfNSW reports that the full expected benefit of changes to bus services will not be realised due to bus patronage increasing above forecasted levels.
Appendix one – Response from agency
Appendix two – Governance and reporting arrangements for the CSELR
Appendix three – 2018 CSELR governance changes
Appendix four – About the audit
Appendix five – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #335 - released 11 June 2020
Actions for Funding enhancements for police technology
Funding enhancements for police technology
This report focuses on how the NSW Police Force managed a $100 million program to acquire new technology. The program invested in technologies intended to make police work safer and quicker. These included body-worn video (BWV) cameras, smart phone devices, mobile fingerprint scanners and hand-held drug testing devices.
The audit found that while the NSW Police Force mostly managed the ‘Policing for Tomorrow’ program effectively, investment decision making could be improved in the future. The NSW Police Force missed an opportunity to take a whole-of-organisation approach to identify capability gaps and target the acquired technologies to plug these.
The NSW Police Force has processes in place to monitor the benefits of some of the larger technology, but it does not do this consistently for all procured technology. It could not demonstrate that smaller projects are improving the efficiency or effectiveness of policing.
The audit also found that the NSW Police Force does not routinely engage with external stakeholders on the use or impacts of new technology that changes how officers interact with the public, noting that this will not always be possible for particularly sensitive procurements that involve covert technologies or methodologies.
The Auditor-General made three recommendations to guide improvement of NSW Police Force ICT procurement, benefits management and stakeholder engagement processes.
Ahead of the March 2015 election, the NSW Government announced a $100 million Policing for Tomorrow fund for the NSW Police Force to acquire technology intended to make police work safer and quicker. The announcement committed the NSW Police Force to several investment priorities, including body-worn video (BWV) cameras, smart phone devices (MobiPOL), mobile fingerprint scanners and hand-held drug testing devices. Otherwise, the NSW Police Force was allowed flexibility in identifying and resourcing suitable projects.
This audit assessed whether the Policing for Tomorrow fund was effectively managed to improve policing in New South Wales. We addressed the audit objective with the following audit questions:
- Did the NSW Police Force efficiently and effectively identify, acquire, implement and maintain technology resourced by the fund?
- Did the NSW Police Force establish effective governance arrangements for administering the fund, and for monitoring expected benefits and unintended consequences?
- Did technology implemented under the fund improve the efficiency and effectiveness of policing in New South Wales?
Conclusion The NSW Police Force's management of the Policing for Tomorrow fund was mostly effective. There are measures in place to assess the impact of the technologies on the efficiency and effectiveness of policing in NSW. However, these measures are not in place for all technologies funded by Policing for Tomorrow. A strategic whole-of-organisation approach to identifying and filling technology capability gaps may have assisted in better targeting funds and managing expected benefits. The NSW Police Force identified, acquired, implemented and maintained a range of technologies resourced by the fund in an efficient and effective way. The election announcement committed the NSW Police Force to four specific projects which made up over three quarters of the fund value. Investment decisions for remaining funds were driven by the availability of funding and individual technology requirements rather than targeting improved policing outcomes and the capability necessary to achieve these. The NSW Police Force missed an opportunity to take a whole-of-organisation approach to selecting technology projects for the remainder of the funds where it had discretion. This may have included considering less obvious back office technology or making different investment decisions driven by gaps in the agency's technology capabilities. The NSW Police Force used effective governance arrangements for administering the Policing for Tomorrow fund, including using its existing ICT Executive Board. The NSW Police Force has adequate processes in place to drive benefits and monitor the impact of technology on the efficiency and effectiveness of policing for the larger projects funded by Policing for Tomorrow. Further work is required to ensure this for smaller projects. The NSW Police Force tends to consider only impacts on the organisation in managing benefits and identifying unintended consequences. It does not routinely engage proactively with stakeholders, including partner criminal justice agencies and members of the community, on new technology that changes how police interact with the public. |
We examined how effectively the NSW Police Force governed the Policing for Tomorrow fund, to ensure that key accountability and decision-making arrangements were in place to direct the $100 million spend to appropriate technologies. We also assessed how the NSW Police Force acquired, implemented and maintained technology funded by Policing for Tomorrow to determine the effectiveness of the relevant asset management.
The Policing for Tomorrow election commitment aimed to invest in technology to ‘make police work safer and quicker – meaning more time on the street combatting crime’. We assessed whether the NSW Police Force ensured that funded technologies have improved policing efficiency and effectiveness. We did not seek to independently assure the benefits or outcomes resulting from the technologies.
Appendix one – Response from agency
Appendix two – Policing for Tomorrow projects and expenditure
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #334 - released 2 June 2020
Actions for Integrity of data in the Births, Deaths and Marriages Register
Integrity of data in the Births, Deaths and Marriages Register
This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.
The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.
The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.
The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.
The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.
BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.
This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:
- Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
- Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?
ConclusionBD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register. BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required. BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected. BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls. |
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #330 - released 7 April 2020.
Actions for CBD and South East Light Rail Project
CBD and South East Light Rail Project
Transport for NSW did not effectively plan and procure the CBD and South East Light Rail (CSELR) project to achieve best value for money according to a report released today by NSW Auditor-General, Margaret Crawford.
Transport for NSW is on track to deliver the project, but it will come at a higher cost with lower benefits than in the approved business case.
Parliamentary reference - Report number #278 - released 30 November 2016
Actions for Early childhood education
Early childhood education
Enrolments in quality early childhood education programs in New South Wales are increasing but are below the national benchmark, according to a report released today by the NSW Auditor-General, Margaret Crawford.
Ninety-five per cent of children should be enrolled in at least 600 hours in the year before school, but according to the latest NSW figures 77 per cent of children were enrolled in quality early childhood education programs. This 2015 figure is below the benchmark, but is a significant improvement on 2013 when 59 per cent were enrolled.
Parliamentary reference - Report number #271 - released 26 May 2016
Actions for Supporting students with disability in NSW public schools
Supporting students with disability in NSW public schools
The Department of Education is doing a reasonable job in managing how well students with disability transition to a new school and supporting teachers to improve these students’ educational outcomes, according to a report released today by the NSW Auditor-General, Margaret Crawford.
The level of support provided to students with disability can vary between schools. This is partly due to cultural resistance in some schools and teachers not always having the necessary skills to support children with disability.
Parliamentary reference - Report number #270 - released 12 May 2016
Actions for Franchising of Sydney Ferries Network services
Franchising of Sydney Ferries Network services
Franchising services on the Sydney Ferries Network was justified, and Transport for NSW’s management of the franchise has been largely effective according to a report released today by the NSW Acting Auditor-General, Tony Whitfield.
'Franchising has resulted in cost savings, good service performance, and effective risk transfer from government to the private sector operator', said Mr Whitfield.
Parliamentary reference - Report number #265 - released 4 February 2016
Actions for The Police Assistance Line: Follow-up audit
The Police Assistance Line: Follow-up audit
In this 2006 follow-up audit, we found that NSW Police had addressed most of the key areas for improvement we identified in 2003. The contact centre which operates the Police Assistance Line (PAL) is well managed, and has implemented several improvements since our 2003 audit. The centre’s speed in answering and handling PAL calls is better than in 2003. Caller satisfaction with PAL services is high, and NSW Police calculate it releases 200 police for frontline duty. The centre also receives around 4,000 enquiry calls each week further reducing the load on local police.
Parliamentary reference - Report number #161 - released 6 December 2006