Reports
Actions for Internal Controls and Governance 2017
Internal Controls and Governance 2017
Agencies need to do more to address risks posed by information technology (IT).
Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
1. Overall trends
New and repeat findings |
The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved. |
High risk findings |
Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies. |
Common findings |
Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity. |
2. Information Technology
IT security |
Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls. |
Cyber security |
Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Other IT systems |
Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems. |
3. Asset Management
Capital investment |
Agencies report delays delivering against the significant increase in their budgets for capital projects. |
Capital projects |
Agencies are underspending their capital budgets and some can improve capital project governance. |
Asset disposals |
Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes. |
4. Governance
Governance arrangements |
Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues. |
Shared services |
Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set. |
5. Ethics and Conduct
Ethical framework |
Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics. |
Conflicts of interest |
All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
6. Risk Management
Risk management maturity |
All agencies have implemented risk management frameworks, but with varying levels of maturity. |
Risk management elements |
Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency. |
This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.
This new report offers strategic insight on the public sector as a whole
In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.
This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.
Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.
These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.
Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:
- Overall trends
- Information technology
- Asset management
- Governance
- Ethics and conduct
- Risk management.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.
Issues |
Recommendations |
1.1 New and repeat findings |
|
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies. |
Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis. |
1.2 High risk findings |
|
We found seven high risk internal control deficiencies, which might significantly affect agencies. |
Recommendation Agencies should rectify high risk internal control deficiencies as a priority |
1.3 Common findings |
|
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies. |
Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies. |
Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.
Issues | Recommendations |
2.1 IT security |
|
User access administration While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems. |
Recommendation Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:
|
Privileged access Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access. |
Recommendation Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:
|
Password controls Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls. |
Recommendation Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:
|
2.2 Cyber Security |
|
Cyber security framework Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Recommendation The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents. |
Cyber security strategies While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness. |
Recommendations The Department of Finance, Services and Innovation should:
Agencies should ensure they adequately resource staff dedicated to cyber security. |
2.3 Other IT systems |
|
Change control processes Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes. |
Recommendation Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems. |
Disaster recovery planning Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis. |
Recommendation Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans. |
Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:
- manage their major capital projects
- dispose of existing assets.
Issues | Recommendations or conclusions |
3.1 Capital investment |
|
Capital asset investment ratios Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one. |
Recommendation Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs. |
Volume of capital spending Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years. |
Conclusion The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years. |
3.2 Capital projects |
|
Major capital projects Agencies’ major capital projects were underspent by 13 percent against their budgets. |
Conclusion The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time. |
Capital project governance Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects. |
Conclusion Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight. |
3.3. Asset disposals |
|
Asset disposal procedures Agencies need to strengthen their asset disposal procedures. |
Recommendations Agencies should have formal processes for disposing of surplus properties. Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption. |
Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.
This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.
Issues | Recommendations or conclusions |
4.1 Governance arrangements |
|
Continuous disclosure Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations. |
Conclusion Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:
|
4.2 Shared services |
|
Service level agreements Some agencies do not have service level agreements for their shared service arrangements. Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements. |
Conclusion Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:
|
Shared service performance Some agencies do not set performance standards for their shared service providers or regularly review performance results. |
Conclusion Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received. Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money. |
All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.
This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.
We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.
Issues | Recommendations or conclusions |
5.1 Ethical framework |
|
Code of conduct All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
Recommendation Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date. |
Statement of business ethics Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors. |
Conclusion Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture. |
5.2 Potential conflicts of interest |
|
Conflicts of interest All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest. |
Recommendation Agencies should improve the way they manage conflicts of interest, particularly by:
|
Gifts and benefits While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct. |
Recommendation Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff. |
Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.
This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.
Issues | Recommendations or conclusions |
6.1 Risk management maturity |
|
All agencies have implemented risk management frameworks, but with varying levels of maturity in their application. Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence. |
Conclusion Agencies have introduced risk management frameworks and practices as required by the Treasury’s:
However, more can be done to progress risk management maturity and embed risk management in agency culture. |
6.2 Risk management elements |
|
Risk culture Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.
|
Conclusion Agencies can improve their risk culture by:
|
Risk registers and reporting Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level. |
Conclusion Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately. |
Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.
Actions for Report on Education 2017
Report on Education 2017
The Auditor-General, Margaret Crawford released her report on the results of the financial audits of agencies in the Education cluster. The report focuses on key observations and findings from the most recent audits of these agencies.
'I am pleased to report that unqualified audit opinions were issued on the financial statements for all agencies in the Education cluster', the Auditor-General said. 'The quality and timeliness of financial reporting remains strong'.
Actions for Central Agencies 2017
Central Agencies 2017
This report highlights the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters.
The report includes a range of findings in respect to service delivery. One repeat finding is that while the Government regularly reports on the 12 Premier's priorities, there is no comprehensive reporting on the 18 State priorities.
1. Financial reporting and controls
Audit Opinions | Unqualified audit opinions were issued for all agencies' 30 June 2017 financial statements. |
Early close | Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement. |
Deficient user administration access | User access administration over financial systems remains an area of weakness. Agencies need to strengthen user access administration to critical systems. |
Transitioning to outsourced service providers | Transitioning of services to outsourced service providers can be improved. Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks. |
2. Service delivery
Premier and State Priorities | A comprehensive report of performance against the 18 State Priorities is yet to be published. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency. |
ICT and digital government | The Digital Government Strategy was released in May 2017. Targets will need to be set to assess and monitor progress against the Strategy. |
Digital information security | Not all agencies are complying with the NSW Government's information security policy. This increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption. |
Property and asset utilisation | Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector. |
3. Government financial services
Prudential oversight of NSW Government superannuation funds |
Prudential oversight of SAS Trustee Corporation Pooled Fund and Parliamentary Contributory Superannuation Fund has not been prescribed. Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments in excess of $42.4 billion. |
Green slip scheme affordability | Currently, Green Slips in NSW are the most expensive in Australia. However, CTP reforms are expected to reduce the cost of Green Slips. |
This report sets out the results of the 30 June 2017 financial statement audits of NSW Government's central agencies and their cluster agencies.
Central agencies play a key role in ensuring policy coordination, good administrative and people management practices and prudent fiscal management. The central agencies and their key responsibilities are set out below.
Confidence in public sector decision‑making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of agencies for 2016–17.
Observation | Conclusion or recommendation |
2.1 Quality of financial reporting | |
Unqualified audit opinions were issued for all agency financial statements. | The quality of financial reporting continues to remain strong across the clusters. |
2.2 Timeliness of financial reporting | |
Most agencies complied with the statutory timeframes for completion of early close procedures and preparation and audit of financial statements. | Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement. |
2.3 Financial performance and sustainability | |
We assessed the performance of agencies listed in Appendix six against some key financial sustainability indicators. This highlighted two agencies with negative operating margins of more than ten per cent and one agency with a liquidity ratio of less than 0.5. | These agencies have strategies in place to remain financially sustainability and manage their liquidity. Our analysis found that, overall, the agencies are not at high risk of sustainability concerns. |
2.4 Internal Controls | |
User access administration over financial systems remains an area of weakness. Sixteen moderate risk and ten low risk issues related to user access administration across eight agencies were identified. |
Recommendation: Agencies should review user access administration to critical systems to ensure:
|
Transitioning of services to outsourced service providers can be improved. Our 2016–17 audits identified one high risk issue relating to Property NSW's outsourcing of property and facility management services to the private sector. While a high risk issue was identified in 2015–16 from the Department of Finance, Services and Innovation's outsourcing of transactional and information technology services to GovConnect there has been an improvement in GovConnect's internal control environment throughout |
Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks. The transition needs to be carefully managed and requires thorough planning and effective project governance. This should be supported by oversight and direction from senior management and independent project assurance. |
2.5 Human Resources | |
The percentage of full‑time equivalent staff with annual leave greater than 30 days in the Finance, Services and Innovation, Premier and Cabinet and the Treasury clusters is 7.9 per cent, 17.1 per cent and 18.4 per cent respectively. | Agencies have strategies in place to reduce annual leave balances that are greater than 30 days. The effectiveness of these strategies will need to be monitored to ensure they are helping to achieve the desired outcome. |
This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.
Observation | Conclusion or recommendation |
3.1 Premier and State priorities | |
The Department of Premier and Cabinet monitors the achievement of targets and the implementation of initiatives to deliver the 12 Premier’s Priorities. Responsible ministers and agencies manage the 18 State Priorities. A comprehensive report of performance against the 18 State Priorities is yet to be published. |
While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency. Where possible, independent sources are used to measure performance, however without independent assurance there is an increased risk that the target measures are inaccurate, not relevant or do not fairly represent actual performance. |
Performance against the State Priority to make NSW the easiest state to start a business is not currently published. |
Initiatives, such as easy to do business and red tape reduction are in place to help achieve this priority. The regulatory policy framework is under review following an October 2016 performance audit on ‘Red tape reduction’ that found the regulatory burden of legislation had increased. |
3.2 Financial management | |
Revenue NSW earned record crown revenue of $30.0 billion in 2016–17 to support the state's finances. | Record crown revenue has been driven by the sustained increase in duties revenue, which has increased by 93.7 per cent over the last five years. This is a consequence of the continued strength in the property market over this time and large one off NSW Government business asset sales and leases. |
3.3 ICT and digital government | |
The Digital Government Strategy (the Strategy) was released in May 2017 to build on reforms set out in previous ICT strategies. | The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy. |
The Digital Information Security Policy (DISP) is a key tool that helps ensure a minimum set of information security controls are implemented across NSW Government agencies. A review of 2016 annual reports found 15 agencies (13 in 2015) did not attest to compliance with the DISP and of the agencies that attested to compliance, 34 reported issues associated with their compliance. |
The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy. |
3.4 Property and asset utilisation | |
Property NSW's performance reporting could be |
Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector. |
This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.
Observation | Conclusion or recommendation |
4.1 Key issues | |
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). Amendments to relevant legislation allows the Minister for Finance, Services and Property to prescribe applicable prudential standards and audit requirements. |
Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments of more than $42.4 billion. Recommendation: The Treasury should liaise with the respective Trustees to implement appropriate prudential standards and oversight arrangements for the exempt public sector superannuation funds. |
Currently, Green Slips in NSW are the most expensive in Australia. Average premiums for Sydney Metropolitan vehicles increased by 10.4 per cent between 1 January 2016 and 31 December 2016. |
CTP reforms are expected to reduce the cost of Green Slips. The State Insurance Regulatory Authority will need to ensure it has appropriate processes in place to track and report against the expected benefits. |
4.2 Financial performance and sustainability | |
Net unfunded superannuation liabilities were $15.0 billion at 30 June 2017. Under the Fiscal Responsibility Act 2012, the NSW Government’s target is to eliminate unfunded superannuation liabilities by 2030. |
The superannuation funds’ strategic asset allocation and investment strategies are monitored and adjusted to help achieve a fully funded position by 2030. |
The Home Warranty Scheme commenced in 2011. Over this time total premiums collected have not been sufficient to cover expected claim costs. | Funding arrangements introduced during 2016–17 allow the Home Building Compensation Fund to apply to the Crown for reimbursement of unfunded realised losses from under-pricing of premiums. Other reforms are planned to address the long term sustainability of the home building compensation scheme. |
4.3 Investment performance | |
The NSW Government’s main superannuation funds have maintained the management expense ratio (MER) at consistent levels over the past two years. The Parliamentary Contributory Superannuation (PCS) Fund does not set an MER target. | MER is an industry recognised ratio to measure the performance of funds and investment managers. Recommendation: The Fund Secretary for the PCS Fund, in conjunction with the Trustee, should consider establishing an appropriate management expense ratio target to measure performance. |
Actions for Information and Communication Technologies in schools for teaching and learning
Information and Communication Technologies in schools for teaching and learning
Several factors are reducing effective use of information and communication technology (ICT) in the classroom.
These are primarily:
Parliamentary reference - Report number #289 - released 6 July 2017
Actions for Planning for school infrastructure
Planning for school infrastructure
The Department of Education proposes to fundamentally reform school infrastructure planning and delivery to meet the future demand for student places, and to overcome chronic under-investment for much of the last decade. To do this, it will need to spend much more than it has been receiving to date.
Parliamentary reference - Report number #284 - released 4 May 2017
Actions for 2016 - An overview
2016 - An overview
This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.
Financial reporting | |
Observation | Conclusion |
Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. | The quality of financial reporting continued to improve across the NSW public sector. |
More 2015–16 financial statements and audit opinions were signed within three months of the year end. | Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances. |
NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures. |
The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years. To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years. |
Although most agencies complied with NSW Treasury’s early close asset revaluation procedures we identified areas where they can improve. | Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements. |
Number of misstatements | |||||
Year ended 30 June | 2015-16 | 2014-15 | 2013-14 | 2012-13 | 2011-12 |
Total reported misstatements | 298 | 396 | 459 | 661 | 1,077 |
All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.
Significant matters reported to the portfolio Minister, Treasurer and Agency Head
In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:
Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.
In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.
Financial controls | |
Observation | Conclusion |
More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016. |
Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner. |
Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access. | Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected. |
We found shared service provider agreements did not always adequately address information security requirements. |
Where agencies use shared service providers they should consider whether the service level arrangements adequately address information security. |
Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports. | The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand we plan to look at cyber security as part of our 2017–18 performance audit program. |
We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist. | Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes. |
Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. | The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector. |
Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice. | To address backlog maintenance it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level. |
Actions for Relocating Agencies to Regional Areas
Relocating Agencies to Regional Areas
Decisions to relocate government agencies to non-metropolitan areas are not made purely for cost reasons. They can also serve government policy objectives, such as promoting regional economic development.
Regardless of the policy objectives that may exist, I would expect that decisions on individual agency relocations would be based on sound business cases. Those business cases would show how the relocation achieves any relevant government objectives, what costs (or savings) would be involved, logistical considerations such as obtaining appropriate accommodation and staff, and any impacts on levels service to the public.
In my view, the existence of government policy objectives does not remove the need for individual decisions to be made in a transparent, rational and accountable manner. Responsible public servants should provide the appropriate information to government to allow it to judge how best to implement its policies.
Parliamentary reference - Report number #147 - released 14 December 2005
Actions for Follow-up of Performance Audit: Management of Intellectual Property
Follow-up of Performance Audit: Management of Intellectual Property
Periodically we review the extent to which agencies have implemented the recommendations they accept from our earlier audits. This gives Parliament
and the public an update on the extent of progress made.
Intellectual property (IP) can have value to the agency concerned and may have the potential for wider commercial use. Poor management of IP can impose risks, including the risk of lost opportunities. Because it is not ‘tangible’ like a building or plant and equipment, the need for properly managing IP may be overlooked.
In this follow-up audit, we examine changes following our October 2001 report on how well public sector agencies were managing intellectual property.
Parliamentary reference - Report number #133 - released 30 March 2005
Actions for Fraud Control: Current Progress and Future Directions
Fraud Control: Current Progress and Future Directions
Periodically we review the extent to which agencies have implemented the recommendations they accept from our earlier audits. This gives Parliament and the public an update on the extent of progress made.
Given the size of the NSW public sector, the potential for fraud could run into billions of dollars if not properly managed. It is an area of risk that warrants close and ongoing attention. Over the last decade, we have responded by issuing three performance audits and a comprehensive guide to better practice on this topic.
In conducting my financial audits, there is now an Auditing Standard that requires me to seek annual assurances from every agency concerning the adequacy of their arrangements for fraud control. This latest performance audit provides a further report card on the extent to which the NSW public sector is managing its fraud risks.
This Report also provides updated guidance on improving arrangements for fraud control both at a whole-of-government level and at the agency level.
I commend the Report for close and careful attention by every agency.
Parliamentary reference - Report number #130 - released 9 February 2005
Actions for NSW Senior Executive Service: Professionalism and Integrity Volume 1 Part 1 Summary and Research Report
NSW Senior Executive Service: Professionalism and Integrity Volume 1 Part 1 Summary and Research Report
The Audit Office is of the opinion that there are several features of the current Senior Executive Service (SES) model, or its application, which hinder the capacity of the SES to operate effectively in line with the Government’s stated objectives. The ultimate effect of these features is to reduce the capacity or perceived capacity of the SES to meet the Government’s objectives for the operation of the SES.
Taken overall, difficulties in the SES identified by the audit included: uncertainty caused by the way some contracts have been applied in practice, removal for reasons other than poor performance, informal strategies such as using restructuring to “terminate contracts and to move people in and out of positions regardless of their formal reported performance” (Section 5.4), inconsistently applied rules about selection/recruitment, appointment and removal of the SES, an imbalance between CES responsibility to the Minister as the employer/reviewer with their responsibility not to act in a political or partial manner, apparent lack of rigour in, value of and Ministerial accountability for CES performance review processes and failure to implement an adequate system of rewards and sanctions related to performance.
Parliamentary reference - Report number #59.1 - released 17 December 1998