What the report is about

Result of Health cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for the financial statements for all Health cluster agencies.

The COVID-19 pandemic continued to increase the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2021–22 was $353.3 million, of which $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests (RATs).

A qualified audit opinion was issued on the Annual Prudential Compliance Statement related to five residential aged care facilities. There were 20 instances (19 in 2020–21) of non-compliance with the prudential responsibilities within the Aged Care Act 1997.

What the key issues were

The total number of matters we reported to management across the cluster decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised, four were high risk (three in 2020-21) and 37 were moderate risk (57 in 2020–21). Nearly half of all control deficiencies reported in 2021–22 were repeat issues.

Three unresolved high-risk issues were:

• COVID-19 inventories impairment – we continued to identify issues relating to management’s impairment model which relies on anticipated future consumption patterns. RATs had not been assessed for impairment.

• Asset capitalisation threshold – management has not reviewed the appropriateness of the asset capitalisation threshold since 2006.

• Forced-finalisation of HealthRoster time records – we continued to observe unapproved rosters being finalised by system administrators so payroll can be processed on time. 2.6 million time records were processed in this way in 2021–22.

What we recommended

• COVID-19 inventories impairment – ensure consumption patterns are supported by relevant data and plans.

• Assets capitalisation threshold – undertake further review of the appropriateness of applying a $10,000 threshold before capitalising expenditure on property, plant and equipment.

• Forced-finalisation of HealthRoster time records – develop a methodology to quantify the potential monetary value of unapproved rosters being finalised.

This report provides Parliament and other users of Health cluster (the cluster) agencies' financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting

• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Result of the Premier and Cabinet cluster financial statement audits for the year ended 30 June 2022. 

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The machinery of government changes within the Premier and Cabinet cluster resulted in the transfer of net assets of $1 billion from the Department of Premier and Cabinet.

The Department of Premier and Cabinet, Public Service Commission and Parliamentary Counsel's Office accepted changes to their office leasing arrangements managed by Property NSW. These changes resulted in the collective de-recognition of $167.3 million of right-of-use assets, $225.1 million in lease liabilities and recognition of $47.8 million of other gains/losses. 

What the key issues were

The number of issues we reported to management decreased. 

Forty per cent of issues were repeated from the prior year.

Four moderate risk issues were reported in the management letters for Department of Premier and Cabinet and New South Wales Electoral Commission. Three out of the four moderate risk issues were repeat issues. 

The repeat issues related to internal control deficiencies in agencies' including lack of updated procurement policies and procedures and information technology general controls.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Early close procedures

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This report draws together the financial impact of COVID-19 on the agencies integral to responses across the state government sector of New South Wales.

What we found

Since the COVID-19 pandemic hit NSW in January 2020, and until 30 June 2021, $7.5 billion was spent by state government agencies for health and economic stimulus. The response was largely funded by borrowings.

The key areas of spending since the start of COVID-19 in NSW to 30 June 2021 were:

• direct health response measures – $2.2 billion
• personal protective equipment – $1.4 billion
• small business grants – $795 million
• quarantine costs – $613 million
• increases in employee expenses and cleaning costs across most agencies
• vaccine distribution, including vaccination hubs – $71 million.

The COVID-19 pandemic significantly impacted the financial performance and position of state government agencies.

Decreases in revenue from providing goods and services were offset by increases in appropriations, grants and contributions, for health and economic stimulus funding in response to the pandemic.

Most agencies had expense growth, due to additional operating requirements to manage and respond to the pandemic along with implementing new or expanded stimulus programs and initiatives.

Response measures for COVID-19 have meant the NSW Government is unlikely to meet targets in the Fiscal Responsibility Act 2012 being:

• annual expense growth kept below long-term average revenue growth
• elimination of State’s unfunded superannuation liability by 2030.

What the report is about

The Aboriginal Land Rights Act 1983 (NSW) (the Act) provides land rights over certain Crown land for Aboriginal Land Councils in NSW.

If a claim is made over Crown land (land owned and managed by government) and meets other criteria under the Act, ownership of that land is to be transferred to the Aboriginal Land Council.

This process is intended to provide compensation for the dispossession of land from Aboriginal people in NSW. It is a different process to the recognition of native title rights under Commonwealth law.

We examined whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. The relevant agencies are:

• Department of Premier and Cabinet (DPC)
• Department of Planning and Environment (DPE)
• NSW Aboriginal Land Council (NSWALC).

We consulted with Local Aboriginal Land Councils (LALCs) and other Aboriginal community representative groups to hear about their experiences.

What we found

Neither DPC nor DPE have established the resources required for the NSW Government to deliver Aboriginal land claim processes in a coordinated way, and which transparently commits to the requirements and intent of the Act.

Delays in determining land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land. Delays also create risks due to uncertainty around the ownership, use and development of Crown land.

DPC has not established governance arrangements to ensure accountability for outcomes under the Act, and effective risk management.

DPE lacks clear performance measures for the timely and transparent delivery of its claim assessment functions. DPE also lacks a well-defined framework for prioritising assessments.

LALCs have concerns about delays, and lack of transparency in the process.

Reviews since at least 2014 have recommended actions to address numerous issues and improve outcomes, but limited progress has been made.

The database used by DPC (Office of the Registrar) for the statutory register of land claims has not been upgraded or fully validated since the 1990s.

In 2020, DPE identified the transfer of claimable Crown land to LALCs to enable economic and cultural outcomes as a strategic priority. DPE has some activities underway to do this, and to improve how it engages with Aboriginal Land Councils – but DPE still lacks a clear, resourced strategy to process over 38,000 undetermined claims within a reasonable time.

What we recommended

In summary:

• DPC should lead strategic governance to oversee a resourced, coordinated program that is accountable for delivering Aboriginal land claim processes
• DPE should implement a resourced, ten-year plan that increases the rate of claim processing, and includes an initial focus on land grants
• DPE and DPC should jointly establish operational arrangements to deliver a coordinated interagency program for land claim processes
• DPC should plan an interagency, land claim spatial information system, and the Office of the Registrar should remediate and upgrade the statutory land claims register
• DPC and NSWALC should implement an education program (for state agencies and the local government sector) about the Act and its operations
• DPE should implement a five-year workforce development strategy for its land claim assessment function
• DPE should finalise updates to its land claim assessment procedures
• DPE should enhance information sharing with Aboriginal Land Councils to inform their claim making
• NSWALC should enhance information sharing and other supports to LALCs to inform their claim making and build capacity.

The return of land under the Aboriginal Land Rights Act 1983 (NSW) (the Act) is intended to provide compensation for the dispossession of land from Aboriginal people in New South Wales. A claim on Crown land¹ made by an Aboriginal Land Council that meets criteria under the Act is to be transferred to the claimant council as freehold title. The 2021 statutory review of the Act recognises the spiritual, social, cultural and economic importance of land to Aboriginal people.

The Minister for Aboriginal Affairs administers the Act, with support from Aboriginal Affairs NSW (AANSW) in the Department of Premier and Cabinet (DPC). AANSW also leads the delivery of Opportunity, Choice, Healing, Responsibility and Empowerment (OCHRE), the NSW Government's plan for Aboriginal affairs, and assists the Minister to implement the National Agreement on Closing the Gap – which includes a target for increasing the area of land covered by Aboriginal and Torres Strait Islander people's legal rights or interests.

The Act gives responsibility for registering land claims to an independent statutory officer, the Registrar of the Aboriginal Land Rights Act (the Registrar), whose functions are supported by the Office of the Registrar (ORALRA) which is resourced by AANSW.²

The Land and Environment Court of New South Wales has stated that there is an implied obligation for land claims to be determined within a reasonable time. The Minister administering the Crown Land Management Act 2016 (NSW) is responsible for determining land claims. This function is supported by the Department of Planning and Environment (DPE),³ whose staff assess and recommend claims for determination based on the criteria under section 36(1) of the Act. There is also a mechanism under the Act for land claims to be negotiated in good faith through an Aboriginal Land Agreement.

The NSW Aboriginal Land Council (NSWALC) is a statutory corporation constituted under the Act with a mandate to provide for the development of land rights for Aboriginal people in NSW, in conjunction with the network of 120 Local Aboriginal Land Councils (LALCs). LALCs are constituted over specific areas to represent Aboriginal communities across NSW. Both NSWALC and LALCs can make land claims.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities that are required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties need to be engaged so that these processes are coordinated effectively and managed in a way that is consistent with the intent of the Act, and other legislative requirements.

The first land claim was lodged in 1983. The number of undetermined land claims has increased over time, and at 31 December 2021 DPE data shows 38,257 undetermined claims.

The issue of undetermined land claims has been publicly reported by the Audit Office since 2007. Recommendations to agencies to better facilitate processes and improve how functions are administered have been made in multiple reviews, including two Parliamentary inquiries in 2016.

The objective of this audit was to assess whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. In making this assessment, we considered whether:

• agencies (DPE, DPC (AANSW and ORALRA) and NSWALC) coordinate information and activities to effectively facilitate Aboriginal land claim processes
• agencies (DPE and DPC (ORALRA)) are effectively administering their roles in the Aboriginal land claim process.

We consulted with LALCs to hear about their experiences and priorities with respect to Aboriginal land claim processes and related outcomes. We have aimed to incorporate their insights into our understanding of their expectations of government with respect to delivering requirements, facilitating processes, and identifying opportunities for improved outcomes. 

Since 1983, 53,861 Aboriginal land claims have been lodged with the Registrar.²⁵

The Land and Environment Court of New South Wales has stated there is an implied obligation on the Crown Lands Minister to determine land claims within a reasonable time.²⁶

As at 31 December 2021, DPE has processed less than a third (31 per cent) of these land claims: 14,273 were determined by the Crown Lands Minister (that is, granted or refused, in whole or part) and 2,562 were withdrawn. This amounts to 16,835 claims processed, including the negotiated settlement of 15 claims through three Aboriginal Land Agreements. As a result, DPE reports that approximately 163,900 hectares of Crown land has been granted to Aboriginal Land Councils since 1983 up to 31 December 2021.

There are 38,257 land claims awaiting determination, which cover about 1.12 million hectares of Crown land.

The 2017 report on the statutory review of the Act noted that the land claims ‘backlog’ was one of the ‘Top 5’ priorities identified by LALCs during consultations. The importance of this issue is consistent with findings from our consultations with LALCs in 2021 (see Exhibit 7).

Delays in delivering on the statutory requirement to determine land claims, and limited use of other mechanisms to process claims in consultation or agreement with NSWALC and LALCs, undermines the beneficial and remedial intent of Aboriginal land rights under the Act. It also:

• impacts negatively on DPE’s ability to comply with the statutory requirement to determine land claims, because often the older a claim becomes the more difficult it can be to gather the evidence required to assess it
• creates uncertainty around the ownership, use and development of Crown land, which can have financial impacts on Aboriginal Land Councils, government agencies, local councils and developers.

Risks that arise in the context of undetermined claims are discussed further in section 3.3.

NSW Treasury describes public sector governance as providing strategic direction, ensuring objectives are achieved, and managing risks and the use of resources responsibly with accountability.

Consistent with the NSW Treasury’s Risk Management Toolkit (TPP-12-03b), governance arrangements for Aboriginal land claim processes should ensure their effective facilitation and administration. That is, arrangements are expected to contribute to and oversee the performance of administrative processes and service delivery towards outcomes, and ensure that legal and policy compliance obligations are met consistent with community expectations of accountability and transparency.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties (such as native title groups and those with an interest in development on Crown land) need to be engaged so that these processes are coordinated effectively with risks managed – consistent with the intent of the Act, and other legislative requirements.

Policy commitments to Aboriginal people and communities made by the NSW Government in the OCHRE Plan and Closing the Gap priority reforms establish an expectation for culturally informed governance.

The Crown Lands Minister, supported by DPE, is required to determine whether Aboriginal land claims meet the criteria to be ‘claimable Crown lands’ under section 36(1) of the Act. DPE staff within its Crown Lands division are responsible for assessing land claims and preparing recommendation briefs to the Crown Lands Minister, or their delegate, on determination outcomes. That is, on whether to grant or refuse the claim.³⁸ DPE staff also make decisions about which land claims within the large number of undetermined claims should be processed first.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #365 - released 28 April 2022.

What the report is about

The results of Treasury cluster agencies' financial statement audits for the year ended 30 June 2021. The results of the audit of the NSW Government's consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury, are reported separately in our report on State Finances 2021.

What we found

Unmodified audit opinions were issued for all Treasury cluster agencies.

The number of identified monetary misstatements increased from 16 in 2019–20 to 24 in 2020–21.

Reported corrected monetary misstatements decreased from 15 in 2019–20 to seven with a gross value of $1.1 billion in 2020–21.

The largest corrected misstatement was in NSW Treasury's financial statements and was a $1 billion correction to administered borrowings.

Reported uncorrected monetary misstatements increased from one in 2019–20 to 17 with a gross value of $168 million in 2020–21.

Seven of the 2020–21 uncorrected misstatements related to one common decision relating to investment management funds terminated during the year by the NSW Treasury Corporation (TCorp).

All agencies submitted their 2020–21 financial statements within NSW Treasury's reporting deadlines.

What the key issues were

Significant audit findings were identified with respect to NSW Treasury's processes to prepare the NSW Government's consolidated TSSA (whole of government accounts). This included one extreme finding and several high-risk findings related to NSW Treasury processes. These are reported in our report on State Finances 2021.

Two high-risk issues raised in 2019–20 were also not addressed by NSW Treasury during the year and were repeat issues reported to management. These related to the appropriations framework and resolution of cross cluster payments, and instances where some agencies spent deemed appropriations money without an authorised delegation.

A number of previously reported audit findings and recommendations with respect to icare continue to be ongoing issues, namely:

• The Workers Compensation Nominal Insurer continues to hold less assets than the estimated present value of its future payment obligations.
• The Workers Compensation Nominal Insurer's four week return-to-work rate fell from 68% to 64%. This is below icare's 70% target. Contributing factors include COVID-19 lockdowns which have impacted claims handling processes, and increased barriers to claimants returning to work.
• Instances were noted where inadequate documentation was kept on file to support claims, including pre-injury average weekly earnings (PIAWE) calculations.

The Workers Compensation (Dust Diseases) Authority increased its outstanding claims liability by $93.9 million, which included $39.3 million to remediate historical underpayments, resulting from workers not being paid the rate required by existing legislation.

The icare Board approved a new approach for remediating PIAWE underpayments on 24 September 2021, the date the Workers Compensation Nominal Insurer’s financial statements were approved for issue. The impact of the decision on the financial statements was not discussed with the Audit Office and assessed as an ‘after balance date event’.

What we recommended

Our report on State Finances 2021 made several recommendations to improve NSW Treasury processes. These included:

• improve processes to ensure information is shared with audit on a timely basis
• seek legislative amendments to resolve statutory inconsistencies relating to statutory reporting time frames
• implement effective quality review processes over key accounting information
• establish a policy to determine the minimum expected rate of return on equity injections in other public sector entities
• prepare robust financial projections to support accounting decisions
• re-confirm sector classifications of TAHE, Sydney Trains and NSW Trains
• ensure sufficient oversight of its use of consultants and assess the risk of an overdependence on consultants at the cost of internal capability
• improve disclosures of equity injections invested in other public sector entities
• determine a state-wide policy on when borrowings are recognised in agency financial statements
• make legislative amendments to ensure expenditure incurred across financial years does not exceed the appropriation authority and assess the financial reporting impact
• improve the guidance provided to agencies to ensure expenditure of public money is properly supported by authorised delegations.

We also recommended icare should ensure:

• it has sufficient controls over claim payments including an effective quality assurance program, to minimise claim payment errors
• that documentation to support injured worker benefit calculations is appropriately maintained, and the documentation requirements are set out in a policy
• the impact of ‘after balance date events’ on financial statements is appropriately assessed
• its operational practices are improved to ensure the correct payment of claims in compliance with legislative requirements. icare also needs to act on a timely basis on received legal advice and amend operational practices to ensure correct payments are made.

This report focuses on agencies within the Treasury cluster and provides parliament and other users of the Treasury cluster's financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

NSW Treasury also prepares the consolidated NSW whole of government financial statements (the Total State Sector Accounts), which is reported in the report on State Finances 2021.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making is enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury cluster.

Findings reported to management

The number of findings reported to management has decreased, but 30% of all issues were repeat issues and these need greater focus and prioritisation

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 57 findings raised across the cluster (71 in 2019–20), 30% of which were repeat issues (32% in 2019–20).

The most common repeat issues related to claims processing and information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

The number of moderate risk findings decreased from prior year

There were 21 moderate risk findings reported in 2020–21, representing a 30% decrease from 2019–20. Of these, ten were repeat findings, and 11 were new issues.

Moderate risk repeat findings include:

• claims processing weaknesses including claim payment errors, and inadequate documentation to support calculations and evidence claims were reviewed by someone with appropriate delegation
• inadequate review of user access and higher risks of unintended or unauthorised system access
• controls assurance reports from an outsourced service provider did not cover the services it provided to the government agency
• failure to review procurement contracts register to ensure it is accurate and complete
• ongoing control deficiencies with grant application and approval processes
• key policies including delegations not being reviewed in a number of years and do not incorporate new requirements from more recent legislation
• quality review processes failing to identify material classification errors associated with grant funding.

NSW Treasury related matters

Accounting for the Government's investment in Transport Asset Holding Entity

A total of seven recommendations were made with respect to NSW Treasury's processes to prepare the NSW Government's consolidated whole of government accounts (the TSSA). This included one extreme risk finding and six high risk findings. The extreme finding related to NSW Treasury needing to significantly improve its processes to ensure all key information is identified and shared with the Audit Office on a timely basis. Other high-risk findings were identified which resulted in the following recommendations for NSW Treasury:

• establishing a policy to determine the minimum expected rate of return on the GGS equity injections in other public sectors entities and report on the performance of these GGS investments in the TSSA, including how much and what type of returns the government is obtaining from its investments compared to its targeted return
• facilitate revised commercial agreements to reflect access and license fees that were agreed in the 18 December 2021 Heads of Agreement between Transport for NSW, TAHE and the operators Sydney Trains and NSW Trains
• with TAHE, prepare robust projections and business plans to support GGS investment returns beyond FY2031.
• liaising with the ABS to re-confirm the classification of TAHE, NSW Trains and Sydney Trains as entities within the PNFC sector
• monitoring the risk that control of TAHE assets could change in future reporting periods and the implications on the TSSA
• consider whether there is sufficient competent oversight of its use of consultants and assess the risk of an over dependence on consultants at the cost of internal capability.

More details on the recommendations to NSW Treasury relating to its accounting for the GGS investment in TAHE are included on pages 7 to 24 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. 

Borrowings of $1 billion were understated by NSW Treasury

NSW Treasury, a GGS agency, made agreements to borrow $1 billion from New South Wales Treasury Corporation (TCorp), a PFC sector agency. Some of these agreements were entered as early as 17 May 2021 and all agreements for borrowings were entered into before 30 June 2021. However, NSW Treasury requested that settlement of those additional borrowings be deferred until 1 July 2021.

As TCorp raised the funds before 30 June 2021, it recognised a financial asset and liability to NSW Treasury on 30 June 2021. Despite TCorp having raised the funds by 30 June 2021 under the mutually agreed trade deal, NSW Treasury did not recognise any borrowings at year end on the basis that it requested the settlement date and receipt of cash to be deferred to past the balance sheet date. This led to an understatement of debt liabilities of $1 billion by NSW Treasury, and an inconsistent accounting treatment between the two agencies. NSW Treasury subsequently corrected the misstatement after the matter was raised by the audit, resulting in the GGS recognising $1 billion in financial assets and borrowings at 30 June 2021.

More detail on these inconsistencies is on page 37 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. We recommended NSW Treasury seek develop a state-wide accounting policy for borrowings which ensure correct and consistent accounting treatment between agencies and sectors.

Inconsistencies exist in the GSF Act and GSA Act related to key statutory timeframes

There are inconsistencies between key statutory reporting timeframes imposed on the Treasurer and Auditor-General for the Consolidated State Financial Statements (the Statements) in the Government Sector Finance Act 2018 (GSF Act) and Government Sector Audit Act 1983 (GSA Act). Ambiguity in the statutory reporting timeframes could impact on the future timely provision of this information to Parliament. More detail on these inconsistencies is on page 54 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. We recommended NSW Treasury seek legislative amendments in Parliament to resolve these inconsistencies.

NSW Treasury lacks a framework to monitor and provide assurance to ministers that they are in compliance with their appropriation authority

In July 2021, NSW Treasury highlighted a potential issue associated with certain cross-cluster payments which was based on advice received from the Crown Solicitor in January 2021. After being made aware of the issue, the Audit Office obtained its own advice on matters related to the appropriations framework under relevant state legislation. In the advice to the Audit Office, the Crown Solicitor advised that an agency is not subject to its own legally appropriated expenditure limit (assuming it is not subject to any annual spending limit imposed through an instrument of delegation or a budget control authority issued by the Treasurer under section 5.1 of the GSF Act). In effect, because responsible ministers are given appropriations, these legal expenditure limits, rest in aggregate, with the principal department and agencies the minister is responsible for. It is not possible for an individual agency to monitor or determine at what ‘point in time’ expenditure has been incurred in excess of the minister’s appropriation authority and there is currently no framework to monitor this.

Further detail on this matter is on pages 54 to 56 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. In this report, we recommended that NSW Treasury:

• ensure a framework exists to monitor and provide assurance to ministers that expenditure incurred across a financial year by agencies under the relevant minister's coordination does not exceed the appropriation authority conferred by the annual Appropriations Act and the GSF Act
• assess how the requirement to prepare a Summary of Compliance under Australian Accounting Standards impacts relevant principal departments and cluster agencies financial statement disclosures.

Agencies have again spent monies without an authorised delegation

In the State Finances NSW Auditor-General's Report to Parliament for 2020 and 2021 we reported instances where agencies spent money received from an annual appropriation and/or deemed appropriation money without an authorised delegation from the relevant minister(s) as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this matter is on pages 56 to 57 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. In this report, we recommended NSW Treasury promptly improve the guidance it provides agencies to ensure that expenditure of public monies is properly supported by authorised delegations.

Control deficiencies at NSW Treasury's service providers

NSW Treasury's business processes and information technology services were provided by Infosys, Unisys and the Department of Customer Service during 2020–21. Together this constitutes the GovConnect environment.

The GovConnect information technology general controls (ITGC) were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable to obtain reasonable assurance that these control deficiencies did not materially impact on relevant agencies' financial statements.

Refer to the Customer Service 2021 NSW Auditor-General’s Report to Parliament for further details.

Insurance related matters

icare is in the process of implementing organisational reform in response to findings in recent external reviews. These reviews have identified 151 recommendations for icare to improve in the areas of risk and governance, performance, and culture and accountability. The reviews include the April 2021 McDougall Review, and the February 2021 ‘Independent Review of icare governance, accountability and culture’ which was recommended by SIRA in the Dore Report.

All of these recommendations were accepted by icare and are expected to be addressed through their ‘Improvement Program’. As at February 2022, icare report that 21 have been addressed, 139 are in progress, and 15 still to commence.

A number of the observations referred to in this report were also identified in the above reviews and are expected to be actioned as part of the improvement program.

Workers Compensation Nominal Insurer (the Nominal Insurer)

The Nominal Insurer’s net asset deficiency at 30 June 2021

Last year's Central Agencies Report to Parliament reported that the Workers Compensation Nominal Insurer (the Nominal Insurer), the NSW Self Insurance Corporation and the Lifetime Care and Support Authority of New South Wales all had negative net assets at 30 June 2020. After strong investment returns in 2020–21, only the Nominal Insurer continued to have negative net assets at 30 June 2021.

The Nominal Insurer's negative net assets of $252.9 million at 30 June 2021 ($316.2 million at 30 June 2020) means that it still does not hold sufficient capital to meet the estimated present value of its future payment obligations, when measured in accordance with the accounting framework. The financial statements continued to be prepared on a going concern basis because the future payment obligations are not all due for settlement within the next 12 months.

As noted in section 2.4 ‘Key accounting issues’, icare changed from an 'Accounting Ratio', to an 'Insurance Ratio', to assess the Nominal Insurer’s capital position from 2020–21. The insurance ratio uses a (higher) discount rate based on the expected earnings rate on the Nominal Insurer’s assets, rather the ‘risk free’ rate which is used for financial reporting.

Last year's Report to Parliament also noted that the deterioration in the value of the Nominal Insurer’s net assets has resulted in its funding ratio at 30 June 2020 being outside of the ‘target operating zone’ set by the Board of icare. The Insurance Ratio at 30 June 2021 is 122%, which is less than icare's target operating zone of over 130%.

icare is assessing how it can increase the Nominal Insurer’s funding ratio, and advises that actions taken to date include the execution of the Nominal Insurer Improvement Program (the Improvement Program) and an increase in premium rates.

icare were given approval by the State Insurance Regulatory Authority (SIRA) to increase workers compensation premium rates from 1.4% to 1.44%  of wages (2.9%) for the 2021–22 policy year. icare advises that their pricing strategy for workers compensation premiums is for ‘modest increases over the medium term’.

Return-to-work rates have worsened

Last year's Central Agencies Report to Parliament noted that the Nominal Insurer has experienced deteriorating return-to-work rates since late 2017. According to data published by SIRA, the Nominal Insurer’s monthly four week return-to-work rate has continued to decline, falling from 68% at 30 June 2020 to 64% at 30 June 2021, and down to 63% at 30 September 2021.

A key assumption when measuring the Nominal Insurer’s outstanding claims liability, is the amount of time that injured workers will remain on benefits (i.e. continuance rates). This assumption is significantly aligned with return-to-work rate measures. At 30 June 2021, the liability was increased by $296 million due to changes in continuance rate assumptions, with workers expected to remain on benefits longer. This change is consistent with the fall in four week return-to-work rates.

The four week return-to-work rate trend since August 2017 is shown in the graph below.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

The results of the consolidated General Government Sector (GGS) and Total State Sector (TSS) financial statements audits for the year ended 30 June 2021.

What we found

The Independent Auditor’s Report on the 2020–21 GGS and TSS financial statements was unqualified but contained an emphasis of matter. The resolution of significant issues delayed signing until 24 December 2021.

The emphasis of matter draws attention to significant uncertainties associated with key assumptions related to the recognition by the GGS of a $2.4 billion investment in the Transport Asset Holding Entity (TAHE).

The Audit Office advised NSW Treasury that it intended to issue a qualified audit opinion, but actions by the NSW Government avoided this outcome. All evidence provided prior to 14 December indicated that the GGS’s return on the $2.4 billion cash contributed to TAHE was insufficient to support accounting for it as an investment. Projected returns were below the long term inflation rate and were insufficient to recover:

• TAHE's revaluation loss of $20.3 billion in 2020–21
• an average rate of return of at least 2.5 per cent of equity invested in TAHE.

In these circumstances, the $2.4 billion contributed to TAHE should have been expensed. This could have impacted the GGS’s budget result.

The NSW Government’s actions to avoid a qualified audit opinion included:

• a government decision made on 14 December approving TAHE’s shareholding ministers communicating that their expectation of a return had increased to 2.5 per cent
• reflecting the revised shareholding ministers’ expectations in the 2021–22 ‘NSW Half-Yearly Review’ on 16 December. The NSW Government provided an additional $1.1 billion to fund increased access and license fees to TAHE from the public sector operators (Sydney Trains and NSW Trains)
• signing a Heads of Agreement (HoA) on 18 December between Transport for NSW (TfNSW),TAHE and the public sector operators. The HoA reflected the parties’ intent to renegotiate contracts to increase TAHE’s licence and access fees by $5.2 billion.

The uncertainty raised in our emphasis of matter relates to:

• TAHE’s future estimated access and licence fees, which remain subject to re-negotiation and must meet or exceed the indicative future access and licence fees set out in the HoA
• continued funding for TAHE's key customers (Sydney Trains and NSW Trains) to meet the price increases outlined in the HoA
• the 2021–22 'NSW Budget Half Yearly Review', which provides for $1.1 billion of the additional funding over the forward estimates period to 2024–25. A further $4.1 billion is required over the following six years (2026–31), which are outside the forward estimates period
• further significant cash flows required to support the funding model are outside the 10-year contract period. That is, beyond 30 June 2031.

There remains a risk that:

• TAHE will not be able to re-contract with the rail operators for access and licence fees at a level that is consistent with current projections
• future government's funding to TAHE’s key customers, the rail operators, may not be consistent with the current shareholding ministers’ expectations
• TAHE will be unable to grow its non-government revenues.

The audit found a risk of undue reliance on consultants, a need to improve quality controls on materials submitted to audit and an extreme risk finding raised with respect to providing key information on a timely basis.

The GGS Budget Result for the 2020–21 financial year was a deficit of $7.1 billion compared to an original forecast budget deficit of $16 billion.

The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth target of 5.6 per cent. In 2020–21, the GGS expenditure grew by 6.9 per cent mainly due to grants and subsidies paid from the COVID-19 stimulus packages received from the Commonwealth.

What we recommended

Significant matters concerning TAHE

We recommend NSW Treasury:

• implement effective quality review processes over key accounting information
• establish a policy to determine the minimum expected rate of return on its equity injections into public sector entities
• report on the performance of investments in TAHE and all other public sector entities
• ensure the revised commercial agreements between TAHE and NSW rail operators reflect access and licence fees set out in the Heads of Agreement
• with TAHE, prepare robust projections and business plans to support returns beyond FY2031
• liaise with the Australian Bureau of Statistics (ABS) and reconfirm the sector classifications of TAHE, NSW Trains and Sydney Trains
• with TAHE, monitor the risk that control of TAHE assets could change in future reporting periods
• significantly improve its processes to ensure all key information is identified and shared on a timely basis
• consider whether there is sufficient competent oversight of its use of consultants and assess the risk of an overdependence on consultants at the cost of internal capability.

A number of other non-TAHE related recommendations have been raised in Section 6 ‘Key Audit Findings’.

Image

Pursuant to the Government Sector Audit Act 1983 I present my report on State Finances 2021. My independent auditor’s opinion on the State’s consolidated financial statements, albeit delayed, is unqualified. My independent auditor’s report however, does include an emphasis of matter drawing attention to significant uncertainties remaining in relation to the State’s equity investment in the Transport Asset Holding Entity (TAHE).

The 2020–21 year was challenging from many perspectives, not least being the continuing impact of and response to the COVID-19 pandemic. Once again, NSW Treasury provided government agencies extensions of time to submit financial statements for audit. Finance staff and management right across government must be congratulated for their responsiveness in meeting their financial reporting obligations in such challenging circumstances.

The General Government’s 2020–21 budget result, reflected within the Total State Sector Accounts, was a deficit of $7.1 billion. This compares with the original budgeted deficit of $16 billion. The factors that contributed to this outcome are presented in this Report to Parliament along with other significant matters related to the audit of the Total State Sector Accounts.

One section of my report is dedicated to issues related to the accounting for TAHE. This year’s audit was significantly delayed by protracted disagreement over the treatment of the government’s cash contribution to TAHE. This matter was further frustrated by the fact that information was withheld and not shared with my Office on a timely basis. This has warranted an extreme risk finding for NSW Treasury to significantly improve governance processes to ensure complete and timely sharing of information. This is key to preserving trust, which is one of the foundations that underpins my Office’s engagement with agencies in the conduct of their audits.

The challenges encountered in completing this year’s audit were extraordinary and tested the constructive partnership between the Audit Office and NSW Treasury. I want to acknowledge the enormous efforts of staff of both agencies to correct material errors and ultimately achieve my unmodified audit opinion. I saw first-hand the professionalism, resilience and dedication of my staff. A commitment to accurate and transparent financial reporting is a key basis upon which confidence in the financial management of New South Wales’ resources can be assured.

Margaret Crawford

Auditor-General for New South Wales

9 February 2022

The Independent Auditor's Report, which includes an emphasis of matter was issued on 24 December 2021

While the audit opinion on the State's 2020–21 financial statements was ultimately unmodified, NSW Treasury delayed signing the NSW Total State Sector Accounts (TSSA) in order to resolve significant accounting issues that were material to the TSSA, in particular the treatment of the General Government Sector's (GGS) investment in the Transport Asset Holding Entity (TAHE) during 2020–21.

The Treasurer and NSW Treasury signed the consolidated financial statements on 24 December 2021, eleven weeks later than the 2018–19 pre-pandemic timetable.

The Audit Office advised NSW Treasury that the 2020–21 TSSA would be qualified with respect to TAHE

Our review of all evidence received prior to 14 December indicated the GGS's expected returns were below the long-term inflation rate and that there was no expectation it should recover a significant asset revaluation loss. The levels of projected returns did not support the accounting treatment of the GGS's cash contribution of $2.4 billion to TAHE as an equity injection.

The TSSA are prepared in accordance with Australian Accounting Standards and particularly AASB 1049 ‘Whole-of-Government and General Government Sector Financial Reporting’. This standard requires contributions from owners to comply with the Australian Bureau of Statistics (ABS) Government Finance Statistics Manual 2015¹ (GFSM) where it would not conflict with Australian Accounting Standards.

The ABS GFSM states that an equity contribution is recognised unless there is no reasonable expectation that a sufficient rate of return can be generated by that investment, in which case the transfer is expensed. A realistic rate of return is defined in the ABS GFSM as the intention to earn a rate of return that is sufficient to generate dividends (including income tax equivalents) and holding gains or losses at a later date. Holding losses include the final asset revaluation decrement of $20.3 billion, which TAHE incurred on its property plant and equipment assets when it became a for-profit entity and was required to value its assets on the basis of the cash flows they are expected to generate. The lower the commercial returns (cashflows), the greater the potential valuation losses of a for-profit entity's assets. This $20.3 billion valuation loss is disclosed within notes 1 'Significant Accounting policies - TAHE Reform in 2020–21', Note 11 'Equity Investments in Other Public Sector Entities' and Note 14 'Property, Plant & Equipment of the Total State Sector and GGS' financial statements.

Multiple versions of models estimating the GGS's expected rate of return were submitted to the Audit Office by NSW Treasury attempting to demonstrate the commerciality of the GGS's investment in TAHE. Until 14 December 2021, our review of all calculations indicated the existing access and licence fees set up under commercial arrangements effective 1 July 2021 did not support a reasonable expectation that a sufficient rate of return would be earned on the equity injections to TAHE. The existing revenue arrangements reflected a shareholders' expected rate of return of only 1.5 per cent per annum of contributed equity and did not include recovery of the revaluation loss of $20.3 billion incurred in 2020–21.

Having reviewed all evidence provided, the Audit Office communicated to NSW Treasury that unless corrected, the State's accounts would be qualified as the $2.4 billion transfer made by the GGS to TAHE should have been reported as a grant expense instead of an investment. The GGS's estimated rate of return was not sufficient to cover:

• TAHE's final revaluation loss of $20.3 billion in 2020–21
• a dollar value equal to, or exceeding a 2.5 per cent rate of return on the equity invested in TAHE (ie: at least equal to the long term inflation rate).

Action was required by the NSW Government to avoid a qualified audit opinion

NSW Government actions avoided a qualified audit opinion related to the GGS’s cash contribution of $2.4 billion to TAHE. To support the TAHE structure as a commercial arrangement earning a sufficient rate of return, the NSW Government agreed to provide additional future funding to TAHE's key government customers (Sydney Trains and NSW Trains) to support increases in access and licence fees to be paid to TAHE.

Shareholding ministers increased their expectations as to TAHE's target average return to the expected long-term inflation rate of 2.5 per cent

On 14 December 2021, a government decision was made resulting in the TAHE shareholding ministers requesting that TAHE re-negotiate the access fees and license fees payable under the Operating Agreements between TAHE and the public operators (Sydney Trains and NSW Trains). The renegotiation was to target an average return to the GGS of 2.5 per cent on the equity contributed. TAHE's existing ten year agreements with the operators provide a mechanism by which the parties meet annually and consult in order to determine the amount of the access fees and licence fees that will be payable in the following financial year.

The revised shareholder expectations for TAHE were published in the 2021–22 'NSW Budget Half Yearly Review' on 16 December 2021. The revised expectations changed the basis of the expected returns on equity from the 10-year Commonwealth bond rate of only 1.5 per cent, to the expected long-term inflation rate of 2.5 per cent. This is consistent with the Reserve Bank's target band and the Commonwealth's Department of Finance's expected return on government investments in other sectors.

The revised shareholder expectations were confirmed in a signed Heads of Agreement

On 18 December 2021, Transport for NSW (TfNSW), TAHE and the operators, Sydney Trains and NSW Trains entered into a Heads of Agreement (HoA). This HoA forms the basis of negotiations to revise the pricing within the existing 10-year contracts and deliver upon the shareholders' expectation of a return of 2.5 per cent per annum of contributed equity. This revised return includes:

• income earned over the estimated weighted average remaining useful lives of TAHE’s assets
• recovery of the revaluation losses in 2020–21 on TAHE’s property, plant and equipment assets incurred when TAHE commenced operations as a for-profit entity, albeit the recovery of the revaluation loss is projected to take up to 2052.

The HoA reflects an intention between all parties to revise the contractual agreements to increase future access and license fees by $5.2 billion. This included $1.1 billion for the period FY2023–25, which is reflected in the 2021–22 'NSW Budget Half Yearly Review'. Further detail on the HoA is reported in Section 3 of this report ‘Investment in the Transport Asset Holding Entity’.

NSW Treasury revised its calculations to reflect the increased future returns

Following these changes, NSW Treasury revised its calculations of estimated returns to reflect a cumulative return equivalent to the expected long-term inflation rate, and recovery of the 2021 valuation loss by 2052. The rate of return period is consistent with the weighted average remaining useful life of TAHE's assets. The changes supported the financial reporting treatment of the $2.4 billion transfer from the GGS to TAHE as an investment rather than an expense, even though TAHE is currently heavily reliant on revenues from the public rail operators, Sydney Trains and NSW Trains. If the cash contribution had to be treated as a capital grant expense, it would have reduced the GGS's budget result by $2.4 billion.

The Independent Auditor’s Report includes an emphasis of matter drawing attention to uncertainty relating to the General Government Sector's investment in the Transport Asset Holding Entity (TAHE)

Despite the investment in TAHE being better supported, and the independent auditor's opinion being unqualified, the Independent Auditor’s Report includes an emphasis of matter, which draws attention to the significant uncertainties remaining in relation to the GGS’s equity investment in TAHE. The significant uncertainty is associated with key assumptions that support the recognition by the GGS of its $2.4 billion investment in TAHE during 2020–21.

As at the time of signing the Independent Auditor's Report, there was significant uncertainty with regards to judgements around the commerciality of TAHE's operations because:

• TAHE’s future estimated access and licence fees, which are critical to its ability to earn a realistic rate of return, remain subject to re-negotiation and re-signing of the current access agreements. The proposed indicative future access and licence fees, which are set out in the HoA are intended to form the basis of the re-negotiation.
• $1.1 billion in additional funding for TAHE's key customers, Sydney Trains and NSW Trains, was provided in the 2021–22 'NSW Budget Half Yearly Review' consistent with the terms in the HoA. However, this funding only extends to the end of the forward estimates period in 2024–25. There is an additional $4.1 billion required over the following six years, which falls outside of the forward estimates period (up to the end of the 10-year contract period). While this has been communicated to the government's Expenditure Review Committee, it is yet to be provided for in government's budget figures. As TAHE's projections are currently highly dependent on its government customers, it is critical that the government continue to provide sufficient funding to the GGS to support increases in the prices government customers will pay for access to TAHE's assets.
• A further significant portion of the required returns is earned outside of the 10-year contract period (terminating 30 June 2031). NSW Treasury has estimated $37.9 billion in returns from its investment in TAHE over the period from 1 July 2022 to 30 June 2052, but has not identified the source or means of these returns beyond 2031. Currently, TAHE derives the majority of its revenue from access and licence fee agreements with Sydney Trains and NSW trains, who in turn are both funded by grants to Transport for NSW from the GGS. The projected returns calculated by NSW Treasury beyond 2031 are calculated by assuming a 2.5 per cent growth rate. About 87 per cent of these estimated returns are being earned beyond the ten years, with $32.9 billion estimated over the period 2032–52. There remains risk that:
  • TAHE will not be able to re-contract for access and licence fees at a level that is consistent with current projections
  • future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
  • TAHE will be unable to grow its non-government revenues.

Significant accounting issues relating to TAHE are detailed in Section 3 to this report titled ‘Investment in the Transport Asset Holding Entity’. Other significant matters related to the TSSA audit are covered in section 6 to this report titled ‘Key Audit findings’.

Other financial reporting matters

The State extended the date for submission of agency financial statements for audit to provide relief to agencies impacted by the New South Wales' COVID-19 lockdowns

All agencies were given a one-week extension (two weeks in 2019–20) to prepare their financial statements and submit them for audit by 2 August 2021. Further extensions were subsequently approved for the following ten agencies and funds (11 in 2019–20) to submit completed financial statements for audit:

• Department of Communities and Justice (9 August 2021 for disclosures related to cloud computing costs)
• Investment NSW (13 August 2021)
• Jobs for NSW (13 August 2021)
• TCorp IM Funds (19 August 2021)
• Lord Howe Island Board (22 October 2021)
• Department of Customer Service (31 August 2021 for disclosures related to AASB 1059 'Service Concession Arrangements: Grantors')
• Department of Transport (20 August 2021)
• Sydney Olympic Park Authority (12 August 2021)
• Planning Ministerial Corporation (12 August 2021)
• Transport Asset Holding Entity (16 August 2021).

Additional extensions provided agencies with more time to resolve accounting issues relating to:

• asset valuations
• first time implementation of AASB 1059
• asset transfers and treatment of software as service costs.

The extensions outlined above resulted in a two-week delay submitting the State’s draft consolidated financial statements for audit.

In 2020–21, agency financial statements presented for audit contained 24 errors exceeding $20 million (19 in 2019–20). The total value of these errors was $6.6 billion, a significant increase from the previous year ($1.4 billion in 2019–20)

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

The errors resulted from:

• incorrect application of Australian Accounting Standards and NSW Treasury Policies
• incorrect judgements and assumptions when valuing non-current physical assets and liabilities
• human error or lack of oversight.

The completion of the 2020–21 Total State Sector Accounts was significantly delayed as material accounting issues were resolved. These issues related to how the General Government Sector’s (GGS)² investment in the Transport Asset Holding Entity was accounted for. The key areas of audit concern, which required considerable effort to satisfactorily resolve, included our assessment of:

• the accounting treatment of funds transferred to TAHE from the GGS, specifically:
  • whether funds transferred to TAHE from the GGS should be considered an equity investment or capital grant expense, with the latter having implication to the presentation of the NSW Government Budget positions. Funds are expensed unless, as an investment, there is a reasonable expectation to generate a sufficient rate of return
  • forming a view as to what a ‘reasonable expectation of a sufficient rate of return on investment³’ should be with respect to the Australian Bureau of Statistics' Government Finance Statistics Manual 2015 (GFSM)
  • the valuation of TAHE’s property, plant and equipment at 30 June 2021
• whether TAHE was correctly classified as a Public Non-Financial Corporation (PNFC) entity
• whether, under the agreements in place for the use and price of TAHE's assets, TAHE controlled its property, plant and equipment.

Our assessments were hindered by errors and omissions in information and models provided by NSW Treasury to demonstrate expected returns from TAHE, as well as a lack of timeliness and completeness in their responses to requests for documentation to support NSW Treasury's proposed accounting of government's contributions to TAHE.

Up until 13 December 2021, evidence provided by NSW Treasury to support the treatment of a $2.4 billion equity transfer from the GGS to TAHE did not demonstrate a sufficient rate of return on the State's investment. Instead, the evidence suggested the transfer was of the nature of a capital grant expense, which would impact the GGS budget result. Unless corrected, by either reversing the equity investment to a capital grant expense (impacting the GGS budget result) or providing additional resources to the rail operators to support additional TAHE access and licence fees (adding additional expenses to future GGS budget results), this matter would have caused the State's accounts to have been qualified.

After the Audit Office communicated the likely audit outcome to NSW Treasury, significant changes were made by government from 14 December 2021. Government decisions that avoided qualification of the TSSA included:

• On 14 December, a government decision approved communicating revised shareholders' expectations of rate of return of 2.5 per cent being the long-term inflation rate, and increased grants to Transport for NSW for the rail operators to pay increased access and licence fees to TAHE to support of the new rate of return (previously 1.5 per cent).
• On 16 December, the 2021–22 'NSW Budget Half Yearly Review' included an increase in expected returns to be derived through higher access and license fees charged by TAHE. To facilitate these returns, an increased allocation of funds of $1.1 billion was made to Transport for NSW (TfNSW) from 1 July 2022 as part of the forward estimates for the period 2022–25. This was to pay for the proposed increased access and licence fees the operators would be required to pay TAHE.
• On 18 December, TfNSW, TAHE and the operators Sydney Trains and NSW Trains signed a Heads of Agreement (HoA) forming the basis of negotiations to revise annual operating agreements to facilitate the shareholders’ expected returns of 2.5 per cent of contributed equity. The HoA included indicative access and licence charges to be used as a basis of renegotiation, increasing access fees and licence fees to be paid by Sydney Trains and NSW Trains over the 10-year period from 2022–2031 by a further $5.2 billion. Most of this increase occurs outside the forward estimates. The majority of the additional funding may need to be funded by future governments.

NSW Treasury has projected returns to be earned to 2052 (a period covering the weighted average remaining useful lives of TAHE's assets) as sufficient to recover the revaluation loss of $20.3 billion which arose when TAHE revalued its assets under the income approach. These assets were valued on a discounted cash flow basis as at 30 June 2021.

These key decisions and the circumstances leading up to these changes are detailed later in this section.

Background

On 1 July 2020, the former Rail Corporation of New South Wales (RailCorp), a not-for-profit entity, was renamed the Transport Asset Holding Entity of New South Wales (TAHE) transitioning to a for-profit statutory State-Owned Corporation under the Transport Administration Act 1988. There was no change in the structure of TAHE as a new entity was not created. Ownership remains fully with the government. TAHE, and the former RailCorp, were both classified as Public Non-Financial Corporation (PNFC) entities within the Total State Sector Accounts. TAHE was not a newly created entity, nor was it the result of a change in administrative re-arrangements (such as Machinery of Government change).

Prior to 1 July 2015, the government paid appropriations to TfNSW, a GGS agency, to construct transport assets. When completed, these assets were granted to RailCorp, a not for-profit entity within the PNFC sector. The grants to RailCorp were recorded as an expense in the State’s GGS budget result and in the NSW Total State Sector Accounts (TSSA).

From 1 July 2015, the government announced the creation of TAHE (a dedicated asset manager). Funding for new capital projects was to be provided through equity injections, even though the business model was yet to be determined. NSW Treasury initially set a timetable for finalising the business model, operating model and contracts for the use of TAHE's assets of 1 July 2019.

Contributions paid to TAHE by the GGS were treated as equity investments from July 2015 forward. This treatment continued, despite delays in settling the business model. In 2020, the Audit Office raised a high risk finding due to the significance of the financial reporting impacts and business risks for NSW Treasury and TAHE.

The business model eventually adopted was one whereby:

• The GGS invests in TAHE with an expectation of a sufficient rate of return.
• TAHE charges the operators (predominantly Sydney Trains and NSW Trains) to use network and rolling stock to deliver services. The operators remain responsible for both the delivery of the services and the maintenance and safe operation of the assets. The operators are primarily funded by TfNSW through grants.
• The GGS grants funds to operators, which allows them to pay access fees to TAHE. The amount of these grants impacts the budget result.
• TAHE pays a return back to GGS by way of dividends and tax equivalents. The return may also include holding gains and losses on the fair value of the net assets of TAHE.

TAHE earns relatively small amounts of income from transactions with the private sector. While the TAHE Board envisages that, over time, they will enhance the commerciality of TAHE’s operations, it is currently highly dependent on revenues from government contracts (over 80 per cent). The circularity in flow of funds between transport agencies in the GGS and PNFC sectors is shown in the diagram below:

The government continues to respond to the impacts of the COVID-19 pandemic on New South Wales through its economic stimulus measures

The COVID-19 pandemic continues to significantly impact the State’s finances, reducing revenue and increasing expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health. Over 2020–21, the government allocated an additional $5.6 billion to agencies as part of its economic stimulus and pandemic response. Measures included:

• $1.8 billion in health measures including essential medical equipment purchases, vaccine distribution, quarantine, contract tracing and maintaining clinical health capacity (such as intensive care units)
• $508 million in additional cleaning services primarily to the Department of Education and Transport for NSW
• $500 million as part of the ‘Dine & Discovery NSW’ voucher program to the Department of Customer Service
• $350 million in combined land tax relief and small business recovery grants to Department of Customer Service and NSW Treasury respectively.

Around $4.5 billion of this package was spent in 2020–21, leaving $1.1 billion unspent and carried forward into 2021–22. The graph below shows the total allocation and spend by cluster for 2021 compared to their target spend.

Deficit of $7.1 billion compared with a budgeted deficit of $16 billion

The outcomes of the government’s overall activity and policies are reflected its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 204 entities, generally provides goods and services funded centrally by the State.

In addition to the 204 entities within the General Government Sector, a further 98 government controlled businesses are included within the consolidated Total State Sector financial statements. These businesses generally provide goods and services, such as water, electricity and financial services for which consumers pay for directly.

The Budget Result for the 2020–21 financial year was a deficit of $7.1 billion compared to an original forecast of a budget deficit of $16 billion.

Revenues increased $5.6 billion to $91.8 billion

In 2020–21, the State’s total revenues increased by $5.6 billion to $91.8 billion, 6.5 per cent higher than previous year. A decrease of 0.3 per cent was recorded in 2019–20. The main contributors to the increase in the State's revenues were an increase in taxation revenue of $4.6 billion and an increase in grants and subsidies of $1.4 billion when compared to the prior financial year.

Taxation revenue increased by 15.3 per cent

Taxation revenue increased by $4.6 billion, mainly due to:

• $2.9 billion higher stamp duties collected from property sales driven by:
  • $2.7 billion increase in contracts and conveyance duties (transfer duties) from both higher transaction volumes and strong property price growth during 2020–21
  • $200 million increase in motor vehicle registration duty driven by increases in new vehicle sales
• $520 million higher Gambling and Betting Taxes was earned as 2019–20. The previous year's revenues were impacted by club and hotel closures due to COVID-19. The operation of these venues in 2020–21 returned to normal for most of the year resulting in higher club gaming tax revenue of $216 million and hotel gaming taxes of $265 million
• $439 million higher collections of payroll taxes. The previous year's revenues were impacted by tax relief measures implemented by the government in response to COVID-19. Lower payroll tax was collected in 2019–20 as employment levels dropped during the State’s first lock down
• $416 million higher land tax revenues, driven by an average 3.2 per cent increase in valuer general land values, which are the basis for determining land tax values.

Stamp duties of $11.7 billion remains the largest source of taxation revenue, $2.9 billion higher than payroll tax of $8.8 billion, the second-largest source of taxation revenue.

Expenses increased $4.1 billion to $101 billion

The State’s expenses increased 4.3 per cent compared with 2019–20. Most of the increase was due to higher employee expenses, depreciation and amortisation, other operating costs and grants and subsidies expense.

Employee expenses, including superannuation, increased 3.6 per cent to $44.1 billion

Salaries and wages increased to $36.3 billion ($34.8 billion in 2019–20). This was mainly due to increases in staff numbers and an average increase of approximately three per cent in the cost of NSW's employees across the sector. Salaries and wages for the Education and Health sectors increased by $511 million and $619 million respectively.

The Health sector employed an additional 4,893 full time staff in 2020–21 (2,763 in 2019–20) and incurred an extra $28 million in overtime mainly in response to COVID-19. Education increased staff numbers by 2,418 full time equivalents in 2020–21 (4,866 in 2019–20). This year, the health and education sectors received a 0.3 per cent award increase in pay rates.

The Public Service Commission (PSC) noted in the ‘State of the NSW Public Sector Report, 2021’ that the government sector senior executive headcount increased by 347 to 3,680 (3,333 in 2019–20). The Transport cluster represented the majority of the increase in the government sector's senior executive headcount, with an increase of 182. The PSC report noted the increase was due to the growing portfolio of major transport infrastructure projects.

Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.

Depreciation and amortisation expense increased 7.6 per cent to $10.3 billion

Depreciation and amortisation increased to $10.3 billion in 2020–21 ($9.6 billion in 2019–20). This increase was mainly driven by the depreciation of completed infrastructure projects including the State’s WestConnex M8 and M5 East Motorways, and other road projects such as Woolgoolga to Ballina project. This year also includes twelve months of depreciation relating to the CBD and South-East Light Rail versus six months in the previous financial year.

Furthermore, the first time adoption of AASB 1059 ‘Service Concession Arrangements’ resulted in the State recognising $45.4 billion of service concession assets in its capacity as grantor under arrangements with operators. More than 87 per cent of this balance was recognised by the Transport cluster. These assets are valued at current replacement cost and are depreciated on an annual basis. A service concession arrangement is an arrangement whereby the government as grantor, contracts with an operator to develop (or upgrade), operate and maintain the grantor's public service assets such as roads, bridges or hospitals. The grantor controls or regulates what services the operator must provide using the assets, to whom, and at what price. The grantor also retains any significant residual interest in the assets at the end of the arrangement. Further details about AASB 1059 are included in the ‘Implementation of new accounting standards’ section of this report.

Grants and subsidies increased $1.5 billion to $15.6 billion

The increase in grants and subsidies is due to payments made by the State in supporting businesses and local communities in response to COVID-19. These mainly included $240 million in Dine & Discover voucher payments, $156 million in land tax relief assistance, $160 million increase in grants to non-government schools (including $31 million to support Covid intensive learning support programs), and $109 million relating to small business grant payments.

The State also transferred $592 million in newly constructed assets to local councils. These mainly related to $378 million in assets transferred following completion of WestConnex stage 2 and $180 million from Northern Roads.

Other operating expenses increased two per cent to $27.5 billion

Operating expenses increased to $27.5 billion in 2020–21 ($26.9 billion in 2019–20) due to higher operating activities as agencies responded to the pandemic.

Supplies and Other Services increased by $1.7 billion. This was mainly due to funding of $533 million in hotel quarantine and associated services, and $495 million in medical equipment for the health sector.

Inventories consumed increased by $266 million. This included $217 million in COVID-19 medical equipment that was written off because it had expired or did not meet the TGA regulatory standards. Contractor expenses increased by $306 million because of increased capital works activity, primarily in the Transport sector.

The increase was offset by $1.6 billion in lower insurance claims expense. In 2019–20 financial year, higher claims were made in respect to natural disaster events, including bush fires.

Health costs remain the State’s highest expense

Total expenses of the State were $101 billion ($96.4 billion in 2019–20). In 2020–21, Health remains the highest contributor of expenses for the State with $25.7 billion ($24.2 billion in 2019–20). Education remains the second highest contributor of expenses reporting $18.4 billion in 2020–21 ($17.5 billion in 2019–20).

The following sectors have the highest expenses as a percentage of total State expenses:

• Health – 25.6 per cent (25.1 per cent in 2019–20)
• Education – 18.3 per cent (18.2 per cent in 2019–20)
• Transport – 14.5 per cent (13.3 per cent in 2019–20).

Assets grew by $12.3 billion to $526 billion

The State’s assets include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $12.3 billion to $526 billion. This was a 2.4 per cent increase compared with 2019–20, mostly due to changes in asset carrying values.

Valuing the State’s physical assets

State’s physical assets valued at $391 billion

The value of the State’s physical assets increased by $1.7 billion to $391 billion in 2020–21 ($37.9 billion increase in 2019–20). The State’s physical assets include land and buildings ($172 billion), infrastructure systems ($202 billion) and plant and equipment ($16.7 billion).

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include assets reclassified to held for sale and other opening balance adjustments.

Liabilities increased $16.4 billion to $291 billion

The State borrowed additional funds in response to COVID-19

The State’s borrowings rose by $15.8 billion to $134 billion at 30 June 2021. This accounted for most of the increase in the State’s total liabilities.

The value of TCorp bonds on issue increased by $16.8 billion to $114 billion, which largely funded the State's capital expenditure and response to the COVID-19 pandemic.

TCorp bonds are traded in financial markets and are guaranteed by the NSW Government.

Over 2020–21, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.

The State’s fiscal objective published in the 2021–22 Budget Papers is to repair the operating position by returning the budget to surplus by 2024–25 and rebuilding balance sheet capacity by bringing net debt down towards seven per cent of Gross State Product (GSP) over the medium-term. The State measures net debt as the sum of deposits held, government securities, loans payable and other borrowings, less the sum of cash and deposits, advances paid and investments, loans receivable and placements.

The chart below shows the actual net debt to GSP for NSW compared to the Commonwealth net debt to Gross Domestic Product (GDP) over the past six years. The trend shows an increase in net debt, particularly in the past two years, which is mainly driven by additional borrowings needed to fund stimulus measures when responding to COVID-19 and natural disaster relief.

GSF Act and GSF Regulation

Financial reporting provisions in the Government Sector Finance Act 2018 (GSF Act) have now commenced

From 1 July 2021, the Public Finance and Audit Act 1983 (PF&A Act) financial reporting provisions were repealed. Agencies prepared their 2020–21 financial statements under Part 7 of the GSF Act. They were audited under the Government Sector Audit Act (GSA Act). The GSF Act requires the timeframe for annual financial statement submission be specified in the Treasurer’s Directions.

Under the GSF Act, all reporting GSF agencies are required to prepare annual financial statements, unless exempt from the definition of a reporting agency under the Government Sector Finance Regulation 2018 (GSF Regulation). Those agencies exempt from preparing financial statements include certain small agencies, Crown Land Managers, special purpose staff agencies and retained State interests. These agencies must meet prescribed requirements or thresholds and self-assess each year to determine whether they remain exempt against the criteria in the GSF Regulation.

Most of the financial reporting provisions of the GSF Act have now commenced except for requirements concerning special deposit accounts (SDA) and special purpose financial reports, which are scheduled to commence on 1 July 2023, subject to approval from the Governor.

The GSF Act now includes most of the provisions applicable to GSF agencies, as requirements for appropriations, expenditure, financial services, and other matters were enacted on 1 December 2018 and 1 July 2019.

Once fully commenced, the GSF Act will consolidate and replace reporting provisions of four Acts:

• PF&A Act
• Public Authorities (Financial Arrangements) Act 1987
• Annual Reports (Departments) Act 1985
• Annual Reports (Statutory Bodies) Act 1984.

GSA Act and GSA Regulation

The PF&A Act was renamed the GSA Act on 1 July 2021 and now only contains provisions relating to the Auditor-General and the Audit Office, the audit of government sector finances and governance of the Public Accounts Committee.

Of note in the renamed GSA Act is that:

• a new principal object was added that specifically provides the Auditor-General is an independent and accountable statutory officer
• the previous financial reporting provisions in the PF&A Act were repealed as the financial reporting provisions are contained in Part 7 of the GSF Act. As a result, there are no longer financial reporting provisions in the GSA Act
• a new section 34 was added, which contains the requirements for the audit of State sector agencies’ financial statements. These were previously contained in two separate sections.

The GSA Regulation commenced on 1 July 2021, replacing the Public Finance and Audit Regulation 2015 (PF & A Regulation). The GSA Regulation contains the list of entities, funds and accounts prescribed for the purpose of audits under the GSA Act.

Inconsistencies exist in the GSF Act and GSA Act related to key statutory timeframes

There are inconsistencies between key statutory timeframes imposed on the Treasurer and Auditor-General in the GSF Act and GSA Act which has been brought to the attention of NSW Treasury. The inconsistencies identified include:

• Section 34(3)(a) of the GSA Act defines the audit period for the Statements be as soon as practicable after the Auditor-General is given the Statements. This appears to be inconsistent with section 49(3) of the GSA Act, which requires that the Auditor-General, on or before 22 October transmit the Statements and audit report to the Treasurer. Neither provision is a paramount provision.
• Section 49(3) of the GSA Act also appears to be inconsistent with section 52(1) of the GSA Act which provides that the Statements are to be given to the Auditor-General in accordance with section 7.17 of the GSF Act. Section 7.17 of the GSF Act requires that the Statements are to be prepared and given to the Auditor-General by an agreed date to enable the audit of the Statements. Part 7 of the GSF Act is a paramount provision under section 1.8 of the GSF Act, which means the requirements in section 7.17 of the GSF Act prevail.

There are also inconsistencies in key statutory reporting timeframes imposed on the Treasurer under the GSF Act.

The audited Statements are a key accountability mechanism that provides information on the State’s financial performance and position. Ambiguity in the statutory reporting timeframes could impact on the future timely provision of this information to Parliament. As noted at the beginning of this report, the delay in issuing the audit report for the 30 June 2021 Statements was due to NSW Treasury’s resolution of accounting issues that were material to the Statements, in particular the treatment of the General Government Sectors investment in TAHE during 2020–21. NSW Treasury's management letter will include a high risk finding with regards to the inconsistencies between the GSF Act and GSA Act.

Appropriations framework

NSW Treasury lacks a framework to monitor and provide assurance to ministers that they are in compliance with their appropriation authority

The GSF Act requires that money not be paid out of the Consolidated Fund except under the authority of an Act, such as the annual Appropriation Act or GSF Act. This means a minister is only authorised to spend out of the Consolidated Fund the amount they have been appropriated by the relevant Act(s).

Generally, money is authorised to be paid out of the Consolidated Fund either through:

• The Annual Appropriation Act - this is an act to appropriate out of the Consolidated Fund sums for the services of the government for the relevant financial year. These appropriations are made to the responsible ministers of principal departments, Special Offices and certain SDAs.
• The GSF Act - this act allows the responsible minister of a GSF agency to be given an appropriation out of the Consolidated Fund, at the time the agency receives or recovers any deemed appropriation money. Deemed appropriation money is defined in section 4.7(3) of the GSF Act.

Ministers can delegate and sub-delegate appropriation expenditure functions to accountable authorities and officers of GSF agencies. Any spending by accountable authorities and officers of GSF agencies in excess of the amount appropriated to their relevant minister would be made contrary to section 4.6(1) of the GSF Act.

The Budget Papers are an additional mechanism by which the government controls the level of expenditure by agencies both at the individual and departmental administrative cluster level. The Budget Papers set an administrative limit imposed by the government. Separately, the Treasurer can issue a Budget control authority under section 5.1 of the GSF Act. A Budget control authority can regulate expenditure of money by GSF agencies in a variety of ways, as set out in section 5.1(2) of the GSF Act.

In July 2021, NSW Treasury advised the Audit Office that it had received advice from the Crown Solicitor's Office, in January 2021, that payments between agencies in different administrative clusters would not meet the definition of a 'deemed appropriation' under the GSF Act by the receiving agency. This applies to money paid and received by two agencies across different administrative clusters that continue to hold the money in the Consolidated Fund. These intra-government receipts increase the amount an agency has available to spend, without there being a corresponding increase in the responsible minister’s appropriated expenditure limits, thus increasing the risk an agency’s expenditure could cause a minister to exceed their appropriated expenditure authority.

After being made aware of the issue, the Audit Office worked with NSW Treasury officers to clarify potential implications. The Audit Office also obtained further advice from the Crown Solicitor’s Office to clarify certain aspects of the appropriations framework more broadly. In the advice to the Audit Office, the Crown Solicitor advised that an agency is not subject to its own legally appropriated expenditure limit (assuming it is not subject to any annual spending limit imposed through an instrument of delegation or a budget control authority issued by the Treasurer under section 5.1 of the GSF Act). In effect, because responsible ministers are given appropriations, these legal expenditure limits, rest in aggregate, with the principal department and agencies the minister is responsible for. The advice also confirmed:

• a deemed appropriation for the services of an agency would ordinarily be available for the services of other agencies, if the officers of the other agencies had a delegation from the minister(s) to expend the deemed appropriation and funds remained available under those deemed appropriations
• that the ‘exhaustion’ of a minister’s appropriation may be precipitated by one agency’s level of expenditure in the financial year, but the effect is that the relevant appropriation is exhausted for all agencies (and their officers) that may otherwise rely on it
• whether expenditure by an agency occurred beyond the scope of its authority would require a progressive examination of the total amounts expended from the minister’s appropriation
• amounts expended from the Consolidated Fund without the authority of an appropriation are spent contrary to section 4.6(1) of the GSF Act
• a minister is responsible to Parliament for (i) the manner in which appropriations are expended, and (ii) any ‘overspends’ (that is, expenditure without authority) by agencies for which they are responsible.

Determining whether expenditure has occurred without the authority of an appropriation is complex and it is not possible for an individual agency to monitor or determine at what ‘point in time’ expenditure has been incurred in excess of the minister’s appropriation authority. As noted earlier, there are mechanisms in place to manage agencies' administrative expenditure limits set by the Budget Papers, but there is no mechanism in place to ensure expenditure by agencies does not exceed a minister’s appropriation authority received under the annual Appropriations Act and GSF Act.

In addition, principal departments and agencies that hold money in the Consolidated Fund are required by Australian Accounting Standard AASB 1058 'Income of Not-for-Profit Entities' and NSW Treasury Circular TC20/08 'Mandates of options and major policy decisions under Australian Accounting Standards' to prepare a Summary of Compliance in their financial statements. The Summary of Compliance applies to agencies that obtain part or all of their spending authority from a Parliamentary appropriation. It is intended to provide information on the amounts appropriated or authorised for an agency’s use and whether those expenditures were authorised. There remains uncertainty around how the Crown Solicitor’s Office advice received by the Audit Office impacts these disclosures, as the total spending authority given by Parliamentary appropriations and expenditure against these appropriations cannot generally be attributed to an individual agency. Such a scenario is not contemplated by the relevant Australian Accounting Standard. NSW Treasury's management letter will include high risk findings about improving mechanisms in place to manage agencies administrative expenditure limits, uncertainties related to appropriation spending authority on agencies summary of compliance disclosures.

Delegations to incur expenditure

Further to last year's reporting, some agencies have again spent monies without an authorised delegation

The delegation to incur expenditure is an important accountability mechanism of responsible government.

Last year’s Report on State Finances reported instances where government agencies did not understand or correctly apply the requirements of the GSF Act for deemed appropriations, resulting in some agencies spending deemed appropriations money without an authorised delegation from the relevant minister(s) as required by sections 4.6(1) and 5.5(3) of the GSF Act.

This year’s financial audits identified that further agencies: TAFE Commission, Multicultural NSW and the Office of the Ageing and Disability Commissioner spent money received from an annual Appropriation and/or deemed appropriation money without an authorised delegation from the relevant minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. NSW Treasury's management letter will include high risk issues about improving mechanisms in place to ensure agencies have appropriate delegations in place to spend Appropriation and/or deemed appropriation money.

In addition, the audit of the Jobs for NSW Fund (the Fund) special purpose statements identified that five payments from the Fund were authorised by an officer without the necessary delegation from the minister as required by section 14 of the Jobs for NSW Act 2015 and sections 5.5(2) and 5.5(3) of the GSF Act.

Implementation of new accounting standards

This year, the State implemented the requirements of AASB 1059

AASB 1059 ‘Service Concession Arrangements: Grantors’

AASB 1059 is an Australian Accounting Standard that requires public sector entities (grantors) that enter service concession arrangements with private sector operators for the delivery of public services recognise service concession assets and liabilities in their financial statements. The standard was effective from 1 July 2020.

AASB 1059 requires a grantor to:

• recognise an asset provided by the operator as a service concession asset if the grantor controls the asset
• initially measure the service concession asset at current replacement cost (CRC) in accordance with AASB 13 ‘Fair Value Measurement’
• recognise a corresponding liability measured initially at the fair value (CRC) of the service concession asset, adjusted for any consideration between the grantor and the operator
• make sufficient disclosure in the financial statements so that users can understand the nature, amount and timing of assets, liabilities, revenue and cash flows arising from these.

The adoption of AASB 1059 increased the State’s total assets and liabilities by $19.5 billion and $19.6 billion respectively, with net worth reducing by $131 million at 1 July 2019

The State adopted a modified retrospective approach when adopting AASB 1059 and recognised and measured service concession assets and liabilities at the date of initial application of 1 July 2019, with any net adjustments recognised in accumulated funds at that date. This means comparatives were restated to reflect the impact of AASB 1059.

Most of the service concession assets recognised by the State related to Property, Plant & Equipment, in particular infrastructure assets.

Agencies had to devote significant effort to implement AASB 1059 and ensure their 2020–21 financial statements materially complied with the standard's requirements. Last year, the Audit Office highlighted advance preparation was key to ensuring agencies effectively transitioning to this new standard. Despite the new standard being issued well in advance of its commencement date, Sydney Water Corporation, Department of Customer Service, Transport for NSW (TfNSW) and TAHE did not prepare sufficiently for their respective implementations.

Whilst most agencies in 2019–20 had commenced assessing their existing commercial arrangements to determine whether they were within the scope of AASB 1059, calculating and posting the accounting entries to support the implementation of this standard was delayed for TfNSW. TfNSW had not finalised its opening balance adjustments in time for the Audit Office’s early close review. Critical assessments of AASB 1059 to identify the accounting implications for the Transport sector, in particular TfNSW and TAHE were still being considered as late as 30 September 2021.

Restart NSW

Restart NSW was established in 2011 to fund the State’s major infrastructure projects

Restart NSW funds Rebuilding NSW, the government’s 10-year plan to invest $23 billion in new infrastructure. Its infrastructure projects, including Sydney Metro West and Parramatta Light Rail, are primarily funded by proceeds from the government’s asset recycling program. The Restart Fund had a balance of $12.4 billion at 30 June 2021 ($15 billion in 2019–20).

The Fund paid $3.8 billion for infrastructure projects in 2020–21 ($4.3 billion in 2020–21). The largest payments were for transport projects, including Sydney Metro West, Parramatta Light Rail, and contributed $319 million of the $2.4 billion equity contribution to the Transport Asset Holding Entity (TAHE).

The funds are invested in the NSW Infrastructure Future Fund (NIFF), which is allowed under the Restart NSW Fund Act 2011 (Restart Act). The NIFF is an investment vehicle for the fund to help the NSW Government meet its infrastructure objectives and this fund is managed by TCorp. In 2020–21, the fund earned a net return of 7.9 per cent, higher than its annual benchmark return of 4.2 per cent, benefiting from improved returns in financial markets over 2020–21.

The fund directed 30.1 per cent of its payments towards rural and regional infrastructure projects in 2020–21

The Restart Act requires the fund to report on the percentage of payments directed to rural and regional infrastructure projects and whether this represents at least 30 per cent of the total payments from the fund. The Restart NSW Fund Amendment (Rural and Regional Infrastructure Funding) Bill 2020 introduced in Parliament in 2020 would amend the Restart Act by requiring at least 30 per cent of the total payments each financial year and for the life of the Restart NSW Fund be made on infrastructure projects in rural and regional areas.

This year the fund exceeded its target of directing at least 30 per cent of funding towards rural and regional infrastructure projects. However, since the funds’ commencement, only 23 per cent of total payments went towards rural and regional infrastructure projects. Current projections for the life of the fund indicate only 27.5 per cent of funding will be spent on rural and regional projects, which is below the funds target of 30 per cent target for the life of the fund.

Audit Office’s work plan for 2021–22

The Audit Office’s 2021–22 work plan focuses on the State’s response, recovery and impact from the COVID-19 pandemic and natural disaster emergencies

The COVID-19 pandemic continues to have a significant impact on the people and the public sector of New South Wales. Government continues to assist communities in their recovery from the 2019–20 bushfires and subsequent flooding. The scale of government responses to these events has been significant and has required a wide-ranging response involving emergency response coordination, service delivery, governance and policy.

Significant resources have been directed toward these responses, and in assisting rebuilding and economic recovery. Some systems and processes have changed to reflect the need for quick responses to immediate needs. The increasing and changing risk environment presented by these events has meant that we have recalibrated and focused our efforts on providing assurance on how effectively aspects of these emergency responses have been delivered. This includes financial and governance risks arising from the scale and complexity of government responses to these events.

While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. We will take a phased approach to ensuring that our work addresses the following elements of the emergencies and government responses:

Appendix one – Prescribed entities

Appendix two – Legal opinions

Appendix three – TSS sectors and entities
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

What we found

Internal control trends

The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.

Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).

Information technology

We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.

Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.

Conflicts of interest

Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.

Masterfile management

Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.

Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.

Tracking recommendations

Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.

What we recommended

Agencies should:

• prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
• prioritise improvements to their cyber security and resilience as a matter of urgency
• formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.

What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.