Reports
Service NSW's handling of personal information
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.
The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.
The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.
The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.
Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.
Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.
Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.
The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.
In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.
In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.
This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.
This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.
It addressed the following:
- Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
- Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
- Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?
ConclusionService NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring. Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies. The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred. There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system. Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies. Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents. |
1. Key findings
Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020
Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.
Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.
One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.
This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.
It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.
Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.
In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.
A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.
Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.
Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies
Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.
The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.
Service NSW's privacy management plan has not been updated to include new programs and governance changes
Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.
The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).
Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes
Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.
Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.
Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks
Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.
The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.
While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.
2. Recommendations
Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.
As a matter of urgency, Service NSW should:
1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies
2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.
By March 2021, Service NSW should:
3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:
- to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
- to better reflect the full scope and complexity of personal information handled by Service NSW
- to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
- to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information
5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:
- ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
- ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:
6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:
- establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
- enable partitioning and role based access restrictions to personal information collected for different programs
- provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
- enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:
7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:
- are identified as high risk and have not previously had a privacy impact assessment
- have had major changes or updates since the privacy impact assessment was completed.
Appendix one – Responses from agencies
Appendix two – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Central Agencies 2020
This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
| Audit opinions and timeliness of reporting |
Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting |
| Agencies were financially impacted by recent emergency events | The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events. |
| AASB 16 'Leases' resulted in significant changes to agencies' financial position | The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected. |
| Implementation of new revenue standards | NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements. |
2. Audit observations
| Management letter findings and repeat issues | Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of:
High risk findings include:
Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records. |
| Grants administration for disaster relief | Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief. |
| Internal controls at GovConnect NSW service providers require enhancement |
GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:
These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority. |
| The NSW Public Sector's cyber security resilience needs to improve |
The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency |
| Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020 | The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme. |
| icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes |
Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs. |
| icare did not comply with GIPA requirements | icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020. |
| Implementation of Machinery of Government (MoG) changes | MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster. |
This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.
Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.
Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines:
- our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
- our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.
Section highlights
|
Transport 2020
1. Financial Reporting |
|
| Audit opinion | Unmodified audit opinions issued for the financial statements of all Transport cluster entities. |
| Quality and timeliness of financial reporting | All cluster agencies met the statutory deadlines for completing the early close and submitting the financial statements. Transport cluster agencies continued to experience some challenges with accounting for land and infrastructure assets. The former Roads and Maritime Services and Sydney Metro recorded prior period corrections to property, plant and equipment balances. |
| Impact of COVID-19 on passenger revenue and patronage | Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19. The Transport cluster received additional funding from NSW Treasury during the year to support the reduced revenue and additional costs incurred such as cleaning on all modes of public transport and additional staff to manage physical distancing. |
| Completion of the CBD and South East Light Rail | The CBD and South East Light Rail project was completed and commenced operations in this financial year. At 30 June 2020, the total cost of the project related to the CBD and South East Light Rail was $3.3 billion. Of this total cost, $2.6 billion was recorded as assets, whilst $700 million was expensed. |
2. Audit Observations |
|
| Internal control | While internal controls issues raised in management letters in the Transport cluster have decreased compared to the prior year, control weaknesses continue to exist in access security for financial systems. We identified 56 management letter findings across the cluster and 43 per cent of all issues were repeat issues. The majority of the repeat issues relate to information technology controls around user access management. There were three high risk issues identified - two related to financial reporting of assets and one for implementation of TAHE (see below). |
| Agency responses to emergency events | Transport for NSW established the COVID-19 Taskforce in March 2020 to take responsibility for the overall response of planning and coordination for the Transport cluster. It also implemented the COVIDSafe Transport Plan which incorporates guidance on physical distancing, increasing services to support social distancing and cleaning. |
| RailCorp transition to TAHE | On 1 July 2020, RailCorp was renamed Transport Asset Holding Entity of New South Wales (TAHE) and converted to a for-profit statutory State-Owned Corporation. TAHE is a commercial for-profit Public Trading Entity with the intent to provide a commercial return to its shareholders. A plan was established by NSW Treasury to transition RailCorp to TAHE which covered the period 1 July 2015 to 1 July 2019. A large portion of the planned arrangements were not implemented by 1 July 2020. As at the time of this report, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements are not finalised. The State Owned Corporations Act 1989 generally requires finalisation of an SCI three months after the commencement of each financial year. However, under the Transport Administration Act 1988, TAHE received an extension from the voting shareholders, the Treasurer and Minister for Finance and Small Business, to submit its first SCI by 31 December 2020. In accordance with the original plan, interim commercial access arrangements were supposed to be in place with RailCorp prior to commencement of TAHE. Under the transitional arrangements, TAHE is continuing to operate in accordance with the asset and safety management plans of RailCorp. The final operating model is expected to include considerations of safety, operational, financial and fiscal risks. This should include a consideration of the potential conflicting objectives of a commercial return, and maintenance and safety measures. This matter has been included as a high risk finding in our management letter due to the significance of the financial reporting impacts and business risks for TAHE. Recommendation: TAHE management should:
Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base. |
| Completeness and accuracy of contracts registers | Across the Transport cluster, contracts and agreements are maintained by the transport agencies using disparate registers. Recommendation (repeat): Transport agencies should continue to implement a process to centrally capture all contracts and agreements entered. This will ensure:
|
This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Transport cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.
Section highlights
|
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019, 2018 and 2017 recommendations
Appendix three – Management letter findings
Appendix four – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Stronger Communities 2020
This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting |
|
| Quality of financial reporting | Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. |
| Compliance with financial reporting requirements |
The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines. Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards. |
| Financial implications of recent emergencies |
Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic. During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to:
The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020. The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20. |
| Restatement of the Sydney Cricket Ground valuation | The valuation of the Sydney Cricket Ground (the Stadium) included costs of $28.6 million which were not eligible for capitalisation. The financial statements were restated to reflect the reduction in the value of the Stadium and the asset revaluation reserve. |
| Unresolved data quality issues in the VS Connect system |
The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes. An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years. Recommendation (repeat issue): The department should resolve the data quality issues in the VS Connect System before 31 March 2021. |
| AASB 16 'Leases' resulted in significant changes to agencies' financial position |
Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019. Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information. |
2. Audit observations |
|
| Internal control deficiencies |
Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high. Recommendation (repeat issue): Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues. |
| Agencies response to recent emergencies |
The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20. The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges. The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings. |
| Managing excess annual leave |
Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period. Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million or 11.6 per cent between 30 June 2019 and 30 June 2020. |
| Implementation of Machinery of Government (MoG) changes |
Administrative Arrangement Orders effective from 1 July 2019, created the department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities into the department from the former departments of Justice and Family and Community Services. The department continues to establish its governance arrangements following the MoG changes. Recommendation: The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes:
|
| Delivery of the Prison Bed Capacity Program |
The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system. Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020. |
This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analysis, conclusions and recommendations.
Agencies in the Stronger Communities cluster were significantly impacted by the bushfires, floods and the COVID-19 pandemic in 2019–20. Our 2019–20 financial audits of the seven cluster agencies most significantly impacted by the recent emergency events considered:
- the financial implications of the emergency events
- changes to agencies' operating models and control environments
- delivery of new or expanded projects, programs or services at short notice.
Our findings on these seven agencies' responses to the recent emergencies are included throughout this report. These agencies are:
- Department of Communities and Justice
- Fire and Rescue NSW
- NSW Police Force
- Office of the NSW Rural Fire Service
- Office of the NSW State Emergency Service
- Sydney Cricket and Sports Ground Trust
- Venues NSW.
The Department of Communities and Justice is the principal agency of the cluster. The names of all agencies in the Stronger Communities cluster are included in Appendix one.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Stronger Communities cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
- review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.
Section highlights
|
Appendix one – Timeliness of financial reporting by agency
Appendix two – Management letter findings by agency
Appendix three – List of 2020 recommendations
Appendix four – Status of 2019 recommendations
Appendix five – Selected agencies for review of response to emergency events
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Regional NSW 2020
This report analyses the results of our audits of financial statements of entities within the Regional NSW cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.
1. Machinery of Government (MoG) changes |
|
| Creation of Regional NSW cluster | MoG changes on 2 April 2020 created the Department of Regional NSW (the Department). The Department of Planning, Industry and Environment (DPIE) staff employed in the Regions, Industry, Agriculture and Resources Group, together with associated functions, assets and liabilities were transferred to the new Department. A number of agencies moved from the Planning, Industry and Environment cluster to the new Regional NSW cluster. The Department deals with major issues affecting regional communities, including the coordination of support for people, businesses and farmers who have faced drought, bushfires, flood and the COVID-19 pandemic. |
| The Department is still in the process of implementing changes | The Department continues to receive corporate services support from DPIE. The Department has indicated it will transition to its own policies and procedures by June 2021. |
2. Financial reporting |
|
| Audit opinions | Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits. |
| Timeliness of financial reporting | Nine of the ten cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting the financial statements. The Department and a number of cluster agencies obtained NSW Treasury’s approval to delay submission of their 30 June 2020 financial statements due to delays resulting from accounting and administrative complexities created by the Machinery of Government changes that separated the Department from DPIE. The deadlines were moved from 5 August 2020 to either 10 August 2020 or 12 August 2020. New South Wales Rural Assistance Authority missed the revised deadline by one day. All agencies that were required to perform early close procedures had met the revised timeline. Due to issues identified during audit, four financial statements audit were not completed and audit opinions issued by the statutory deadline. |
| New accounting standards |
Agencies implemented three new accounting standards during the year. Our audit of the Department identified there was a lack of quality assurance over the accuracy of lease information provided by Property NSW. Recommendation: The Department should:
|
3. Audit observations |
|
| Internal control deficiencies |
We identified 30 internal control issues, including 16 findings that were raised with former agencies in previous years. Two matters from previous years have been elevated to high risk during 2019–20. Both matters related to Local Land Services:
Recommendation: Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high-risk and repeat issues. |
| Agency responses to emergency events | The Department's executive leadership committee along with support from DPIE crisis management team managed the recovery from the bushfires and impact of COVID-19. Social distancing and other infection control measures were put in place. The Forestry Corporation of New South Wales accelerated a fire salvage timber program in response to the bushfire emergency. The Department and cluster agencies received additional funding for bushfire recovery and COVID-19 pandemic response. |
The Regional NSW cluster aims to respond to regional issues, creating and preserving regional jobs, driving regional economy, growing existing and supporting emerging industries. The key areas of focus across the New South Wales (NSW) State is shown below:
MoG changes impact on Department of Regional NSW
The Department was created as result of the MoG changes during 2019–20. The Administrative Arrangements Order 2020, effective on 2 April 2020 created the Department of Regional NSW. These changes had a significant administrative impact on the cluster agencies. The MoG change resulted in a transfer of net assets ($446 million) and budget ($284 million) from DPIE to the newly created Department of Regional NSW on 2 April 2020. A summary of the MoG impacts on the Regional NSW cluster is shown below.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
- revised budgetary and financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2020, including any financial implications from the recent emergency events.
|
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Regional NSW cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.
|
Section highlights
|
Appendix one - List of 2020 recommendations
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Planning, Industry and Environment 2020
This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
|
Audit opinions |
There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions. |
|
Timeliness of financial reporting |
The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline. |
|
Implementation of AASB 16 'Leases' |
Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Recommendation (partially repeat): Property NSW should:
Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW. Recommendation: The Department and cluster agencies should:
|
|
Unprocessed Aboriginal land claims continued to increase |
In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims. |
|
Financial reporting of Crown land managers |
The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations. Recommendation: The Department should:
During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements. |
2. Audit observations
|
Internal controls |
Six high‑risk issues were identified across the cluster in 2019–20:
One in three internal control issues identified and reported to management in 2019–20 were repeat issues. Recommendation: Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues. |
|
Agencies response to recent emergencies |
The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies. With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues. The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals. |
|
Recognition of Crown land |
Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20. Recommendation (repeat issue): The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control. |
|
Implementation of Machinery of Government (MoG) changes |
Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies. The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems. The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020. |
This report provides parliament and other users of the Planning, Industry and Environment cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID‑19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID‑19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the Consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
- revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
- review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.
Cluster agencies experienced a range of control and governance related issues in recent years. An increased number of high risk issues and greater proportion of repeat issues were identified as part of our audits. It is important for cluster agencies to promptly address these issues.
Section highlights
|
Waste levy and grants for waste infrastructure
The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.
The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014.
Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure.
The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.
Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.
This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.
The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.
The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.
One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.
Conclusion
The waste levy has a positive impact on diverting waste from landfill. However, aspects of the EPA's administration of the waste levy could be improved, including the frequency of its modelling of the waste levy impact and coverage, and the timeliness of reporting. Grant funding programs have supported increases in recycling capacity but are not guided by a clear strategy for investment in waste infrastructure which would help effectively target them to where waste infrastructure is most needed. Data published by the EPA indicates that the NSW Government is on track to meet the recycling target for construction and demolition waste, but recycling targets for municipal solid waste and commercial and industrial waste are unlikely to be met.
Waste levy
The waste levy rate, including a schedule of annual increases to 2016, was set by the NSW Government in 2009. Since 2016, the waste levy rate has increased in line with the consumer price index (CPI). The EPA has not conducted recent modelling to test whether the waste levy is set at the optimal level to achieve its objectives. The waste levy operation was last reviewed in 2012, although some specific aspects of the waste levy have been reviewed more recently, including reviews of waste levy rates for two types of waste. The waste levy is applied at different rates across the state. Decisions about which local government areas (LGAs) are subject to the levy, and which rate each LGA pays, were made in 2009 and potential changes were considered but not implemented in 2014. Currently, there are no objective and transparent criteria for determining which LGAs pay the levy. The EPA collects waste data from waste operators. This data has improved since 2015, but published data is at least one year out of date which limits its usefulness to stakeholders when making decisions relating to waste management.
Grants for waste infrastructure
All state funding for new and enhanced waste infrastructure in NSW is administered through grants to councils and commercial waste operators. The government's Waste and Resource Recovery (WARR) Strategy 2014–21 includes few priorities for waste infrastructure and there is no other waste infrastructure strategy in place to guide investment. The absence of a formal strategy to guide infrastructure investment in NSW limits the ability of the State Government to develop a shared understanding between planners, councils and the waste industry about waste infrastructure requirements and priorities. The Department of Planning, Industry and Environment is currently developing a 20-year waste strategy and there is an opportunity for the government to take a more direct role in planning the type, location and timing of waste infrastructure needed in NSW.
The grants administration procedures used for the grant programs reviewed in this audit were well designed. However, we identified some gaps in risk management, record-keeping and consistency of information provided to applicants and assessment teams. In four of the five programs we examined, there was no direct alignment between program objectives and the NSW Government's overall waste targets.
Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:
- Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
- Increase waste diverted from landfill to 75 per cent.
A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.
Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.
In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:
- Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
- Litter grants which provide funding for litter bins.
- Weighbridges grants for installation of a weighbridge at waste facilities.
- Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.
Appendix one – Responses from audited agencies
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #343 - released 26 November 2020
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
| New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
| Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
| IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
| Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
| Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
| Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
| Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
| Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
| Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
| Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
| Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
| Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
| Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
| Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
|
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
|
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
|
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
|
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Support for regional town water infrastructure
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Planning, Industry and Environment has effectively supported the planning for, and funding of, town water infrastructure in regional NSW.
The audit found that the department has not effectively supported or overseen town water infrastructure planning since at least 2014. It does not have a clear regulatory approach and lacks internal procedures and data to guide its support for local water utilities that service around 1.85 million people in regional NSW.
The audit also found that the department has not had a strategy in place to target investments in town water infrastructure to the areas of greatest priority. A state-wide plan is now in development.
The Auditor-General made seven recommendations to the department, aimed at improving the administration and transparency of its oversight, support and funding for town water infrastructure, and at strengthening its sector engagement and interagency coordination on town water planning issues and investments.
According to the Auditor-General, ‘A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and to work with local water utilities to help avoid future shortages of safe water in regional towns and cities.’
This report is part of a multi-volume series on the theme of water. Refer to ‘Water conservation in Greater Sydney’ and ‘Water management and regulation – undertaking in 2020-21’.
Safe and reliable water and sewer services are essential for community health and wellbeing, environmental protection, and economic productivity. In 2019, during intense drought, around ten regional New South Wales (NSW) cities or towns were close to ‘zero’ water and others had six to 12 months of supply. In some towns, water quality was declared unsafe.
Ensuring the right water and sewer infrastructure in regional NSW to deliver these services (known as 'town water infrastructure') involves a strategic, integrated approach to water management. The NSW Government committed to ‘secure long-term potable water supplies for towns and cities’ in 2011. In 2019, it reiterated a commitment to invest in water security by funding town water infrastructure projects.
The New South Wales’ Water Management Act 2000 (WM Act) aims to promote the sustainable, integrated and best practice management of the State’s water resources, and establishes the priority of town water for meeting critical human needs.
The Department of Planning, Industry and Environment (the department) is the lead agency for water resource policy, regulation and planning in NSW. It is also responsible for ensuring water management is consistent with the shared commitments of the Australian, State and Territory Governments under the National Water Initiative. This includes the provision of healthy, safe and reliable water supplies, and reporting on the performance of water utilities.
Ninety-two Local Water Utilities (LWUs) plan for, price and deliver town water services in regional NSW. Eighty-nine are operated by local councils under the New South Wales’ Local Government Act 1993, and other LWUs exercise their functions under the WM Act. The Minister for Water, Property and Housing is the responsible minister for water supply functions under both acts.
The department is the primary regulator of LWUs. NSW Health, the NSW Environment Protection Authority (EPA) and the Natural Access Resource Regulator (NRAR) also regulate aspects of LWUs' operations. The department’s legislative powers with respect to LWUs cover approving infrastructure developments and intervening where there are town water risks, or in emergencies. In this context, the department administers the Best Practice Management of Water Supply and Sewerage Guidelines (BPM Guidelines) to support its regulation and to assist LWUs to strategically plan and price their services, including their planning for town water infrastructure.
Under the BPM Guidelines, the department supports LWU’s town water infrastructure planning with the Integrated Water Cycle Management (IWCM) Checklist. The Checklist outlines steps for LWUs to prepare an IWCM strategy: a long-term planning document that sets out town water priorities, including infrastructure and non-infrastructure investments, water conservation and drought measures. The department's objective is to review and approve (i.e. give ‘concurrence to’) an IWCM strategy before the LWU implements it. In turn, these documents should provide the department with evidence of town water risks, issues and infrastructure priorities.
The department also assesses and co-funds LWU's town water infrastructure projects. In 2017, the department launched the $1 billion Safe and Secure Water Program to ensure town water infrastructure in regional NSW is secure and meets current health and environmental standards. The program was initially established under the Restart NSW Fund.
This audit examined whether the department has effectively supported the planning for and funding of town water infrastructure in regional NSW. It focused on the department’s activities since 2014. This audit follows a previous Audit Office of NSW report which found that the department had helped to promote better management practices in the LWU sector, up to 2012–13.
ConclusionThe Department of Planning, Industry and Environment has not effectively supported or overseen town water infrastructure planning in regional NSW since at least 2014. It has also lacked a strategic, evidence-based approach to target investments in town water infrastructure. A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and work with Local Water Utilities to help avoid future shortages of safe water in regional towns and cities. The department has had limited impact on facilitating Local Water Utilities’ (LWU) strategic town water planning. Its lack of internal procedures, records and data mean that the department cannot demonstrate it has effectively engaged, guided or supported the LWU sector in Integrated Water Cycle Management (IWCM) planning over the past six years. Today, less than ten per cent of the 92 LWUs have an IWCM strategy approved by the department. The department did not design or implement a strategic approach for targeting town water infrastructure investment through its $1 billion Safe and Secure Water Program (SSWP). Most projects in the program were reviewed by a technical panel but there was limited evidence available about regional and local priorities to inform strategic project assessments. About a third of funded SSWP projects were recommended via various alternative processes that were not transparent. The department also lacks systems for integrated project monitoring and program evaluation to determine the contribution of its investments to improved town water outcomes for communities. The department has recently developed a risk-based framework to inform future town water infrastructure funding priorities. The department does not have strategic water plans in place at state and regional levels: a key objective of these is to improve town water for regional communities. The department started a program of regional water planning in 2018, following the NSW Government’s commitment to this in 2014. It also started developing a state water strategy in 2020, as part of an integrated water planning framework to align local, regional and state priorities. One of 12 regional water strategies has been completed and the remaining strategies are being developed to an accelerated timeframe: this has limited the department’s engagement with some LWUs on town water risks and priorities. |
Regional New South Wales (NSW) is home to about a third of the state's population. Infrastructure that provides safe and reliable water and sewer services (also known simply as 'town water infrastructure') is essential for community health and wellbeing, environmental protection, and economic productivity. Planning for and meeting these infrastructure needs, as well as identifying when non-infrastructure options may be a better solution, involves a strategic and integrated approach to water resource management in regional NSW.
We examined whether the department has effectively supported planning for town water infrastructure since 2014. This assessment was made in the context of its current approach to LWU sector regulation. The findings below focus on whether the department has an effective framework including governance arrangements for town water issues to inform state-wide strategic water planning, and whether (at the local level) the department has effectively overseen and facilitated town water infrastructure planning through its Integrated Water Cycle Management (IWCM) planning guidance to LWUs.
We examined whether the department has effectively targeted town water infrastructure funding to policy objectives, with a focus on the design and implementation of the Safe and Secure Water Program (SSWP) since its commencement in 2017. The program’s aim was to fund town water infrastructure projects that would deliver health, social and environmental benefits, and support economic growth and productivity. We also assessed the department’s capacity to demonstrate the outcomes of the SSWP funding and the contributions of its town water infrastructure investments more broadly. Finally, we identified risks to the effectiveness of the department’s work underway since 2018–19, which is intended to enhance its strategic water planning and approach to prioritising investments in reducing town water risks.
Appendix one – Response from agency
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #341 - released 24 September 2020
Credit card management in Local Government
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining credit card management in Local Government.
The audit was in response to a letter from the then Minister for Local Government in November 2018. The audit assessed the effectiveness of credit card management practices in six councils, including in the areas of policies, procedures, compliance and monitoring.
The audit found that all six councils had gaps in their credit card policies and procedures. The Auditor-General recommended that the Department of Planning, Industry and Environment publish guidelines on credit card management for the Local Government sector. The report also generated insights for the Local Government sector with respect to credit card management.
In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. As there are no sector-wide requirements or policies for credit card use and management in Local Government, councils have developed their credit card management frameworks to suit their own needs. The quality of credit card policies and procedures may therefore vary across the sector.
Credit cards are an efficient means of payment, especially for low-value purchases. Compared to the use of petty cash, credit card transactions provide better transparency and accountability for expenditure. By using credit cards, councils only need to make one payment each month, which can reduce the time spent on paying separate vendors, as in the case of purchase orders.
This audit assessed the effectiveness of credit card management practices in six councils: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. The councils selected represent a mix of rural, regional and metropolitan councils. They were also among the top ten users of credit cards within their geographical classification, in terms of the number of credit cards issued or the number of transactions per credit card.
This audit referenced the NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards', as its principles and recommendations for NSW Government agencies are relevant for councils.
The Audit Office of New South Wales Report on Local Government 2019 provided a high-level overview of credit card management across the sector. While over 90 per cent of councils reported that they had a credit card policy and a credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government. This audit complements the Report on Local Government 2019 by providing a detailed discussion of the effectiveness of credit card management practices in councils.
Audit conclusionAll six audited councils had important gaps in their credit card policies and procedures. Their reconciliation of credit card transactions needs to be enhanced to enable detection of potential misuse or fraud.
The audit found important gaps in each of the six audited councils' credit card management practices. Their policies and procedures covered the essential aspects of credit card use and management, but a lack of coverage or clarity in some areas could lead to inconsistent and inappropriate use of credit cards. These areas included: eligibility to hold a credit card, aligning credit card limits with financial delegations, and the reconciliation procedures.
While all six councils conducted reconciliations of credit card transactions, the processes need to be enhanced to enable detection of potential misuse or fraud. Reconciliations had focused solely on verifying receipts, and did not require evidence of business-related purposes, even for transactions such as alcohol purchases or spending at entertainment venues. Five of the six councils also did not include compliance checks in their reconciliation process, such as checking that purchases were not for restricted items.
The level of senior management involvement in monitoring credit card use varied across the six councils. Three of the six councils did not generate regular reports for management oversight. Five of the six councils had no plans for internal audits or targeted reviews of credit card management and use.
|
Council staff provided with a credit card can purchase from a wide range of businesses, including online transactions with overseas vendors. However, councils may limit the types of purchases that staff can make through their policies and procedures or by setting controls that block certain transaction types such as cash advances. To examine credit card usage, the audit obtained credit card transaction data from 1 July 2016 to 30 June 2019 for the six councils in this review. The data included:
- transaction date
- amount
- merchant category code (MCC)
- merchant name.
The audit analysed the number and value of transactions by each council, and the types of purchases made using credit cards.
The existence of a documented approach to managing credit cards ensures transparency and consistency of use within the council. A credit card management framework that contains preventative and detective controls can also minimise risks of fraud, misuse and wastage.
There is no prescribed credit card management framework for Local Government, but typical components of a credit card management framework include:
- policies and procedures
- guidance for staff
- monitoring and reporting.
With no detailed guidance notes similar to those in TPP17–09 for NSW Government, councils have developed their own credit card management framework based on their size, structure, resources and intended credit card usage. For instance, the size of a council has implications for the number of credit cards issued, which in turn influences the arrangements for training and guidance provided to cardholders and approvers.
The intended level of credit card usage may determine whether a council adopts a manual or electronic credit card management system and councils should identify the system that best meets their needs. For instance, a council with few credit cards may not be able to justify investment in an electronic system. On the other hand, a manual system may only be viable for councils with a low number of credit cards and a low number of transactions.
Among the six councils audited, the three councils with fewer cards and a lower number of transactions had a manual credit card management system, while the three councils with more cards and a higher number of transactions used an electronic system.
Exhibit 10 summarises the six councils' policies on use of credit cards.
| Council | Audit Office classification | Number of staff (full-time equivalent) | Number of credit cards issued (current at August 2019) | Policy on credit card use |
| Dubbo Regional Council | Regional | 453 | 77 | Purchase cards are used for official council business up to $5,000 and the policy allows cardholders to delegate the use of their purchase cards to other staff members. |
| Junee Shire Council | Rural | 71 | 1 | Corporate credit cards are for council business activities and minor purchases where a purchase order is not accepted. Items that can be purchased via a purchase order should not be purchased on a corporate credit card. |
| Lane Cove Council | Metropolitan | 192 | 6 | Corporate credit cards are for official council business, but should not be used when there is an alternative form of payment that aligns with the council's purchasing process. |
| Nambucca Valley Council | Rural | 110 | 37 | Purchase cards are used for the payment of goods and services associated with council businesses. |
| Penrith City Council | Metropolitan | 1,031 | 167 | Purchase cards are used for ‘low value and low risk procurement of goods and services’, while corporate cards are held by senior staff for ‘non-routine low value work related purchases’. |
| Shellharbour City Council | Regional | 372 | 65 | Credit cards are for purchases up to $9,999 and the preferred payment method for transactions under $1,000. |
While it is important for councils to have an established credit card management framework, it is equally important that they ensure compliance in practice. This chapter examines councils' credit card management practices – how well staff members were complying with policies and procedures, and how effective their credit card controls were. The chapter is structured to cover:
- preventative controls (embedded in the issuance, use and cancellation of cards) that prevent fraud and misuse
- detective controls (embedded in reconciliation and record keeping) that assist in detecting fraud and misuse.
Where ineffective credit card management practices are identified, councils should reflect on whether they need to more closely monitor compliance, or whether there are fundamental deficiencies in their policies and procedures that need to be refined.
Dubbo Regional Council had gaps in its credit card policy and procedures. It allowed cardholders to share their credit card with other staff members, which complicated credit card management, increased the risk of misuse and fraud, and breached its agreement with the credit card issuer. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Dubbo Regional Council had 77 credit cards at the time of the audit. The council's policy on credit card sharing violated its agreement with the card issuer that each credit card should be for the respective cardholder's use only. Credit card sharing also increases the risk of misuse and fraud. The council's credit card policy and procedures lacked clarity in several areas. The eligibility criteria were broad and there was a risk of inconsistency in granting approvals, especially since the council gave approval delegations to multiple senior staff members. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of Cabcharge. The audit identified gaps in the council's credit card management practices. While the council had a clear policy on financial delegations, there was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel, meals and entertainment were not accompanied by evidence of need or exemption. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. The council provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. Senior management oversight of credit card use was lacking, as the council did not produce reports on credit card use. There was also no evidence that the internal auditor had undertaken monitoring activities as required in the credit card policy. RecommendationsDubbo Regional Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Dubbo Regional Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. ensure there is ongoing senior management oversight of credit card use 6. ensure the internal auditor undertakes monitoring activities as specified in the credit card policy. |
|
Junee Shire Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud. Junee Shire Council had only one credit card, held by the general manager, at the time of the audit. Staff members could seek approval from the general manager to purchase using the credit card. This raises concerns of credit card sharing, which would be a violation of the council's agreement with its credit card issuer. Credit card sharing also increases the risk of misuse and fraud. The council had fuel cards and store cards for use by staff members. However, its credit card policy and procedures did not cover the management of these types of cards. The lack of documented rules and guidance increases the risk of misuse and fraud. The audit identified other gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include reviewing the business-related purpose of transactions. The council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. As the cardholder, the general manager reviewed all transactions every month. As the approver, the mayor (or deputy mayor) had to sign off on these transactions. Hence, there was sufficient management oversight of the council's credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsJunee Shire Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Junee Shire Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management 6. ensure its credit card policy and procedures are reviewed according to schedule. |
Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Lane Cove Council had six credit cards, held by the most senior staff members, at the time of the audit. During our interviews, cardholders advised that they had shared their credit card with reporting staff. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of fuel cards and store cards. The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and fine payments were not accompanied by adequate justification. There was a lack of targeted guidance for approvers in reconciliation, and the council only evidenced the finance team's involvement in an administrative capacity (i.e. entering data into the journals). Senior management oversight of credit card use was lacking. Although the credit card policy referred to management reporting, the council had not been producing such reports at the time of the audit. Management reporting was implemented in December 2019 following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. The council has adopted a new Management Directive in January 2020, which has clarified the eligibility criteria for credit cards. RecommendationsLane Cove Council should immediately: 1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff. By December 2020, Lane Cove Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Nambucca Valley Council had 37 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures lacked guidance on the management of fuel cards, store cards and Cabcharge. The policy also lacked coverage of the reconciliation arrangements for the general manager's credit card as the general manager did not hold a credit card. While the policy did not preclude the mayor and the general manager from holding a credit card, both opted not to do so. The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and there was insufficient control in handling staff departures, as the audit identified one incident where a credit card was returned after the staff member's last day. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include adequate compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and the use of third-party travel websites were not accompanied by adequate justification. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. Senior management oversight of credit card use was insufficient, as the council had been producing reports for only one manager for his department at the time of the audit. Management reporting for the Chief Finance Officer was implemented following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. The audit acknowledges that the council had revised its credit card procedures following our discussions to address our preliminary findings. The council has also set additional credit card blocks in response to this audit. The recommendations below contain only the outstanding items. RecommendationsNambucca Valley Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Nambucca Valley Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Penrith City Council had 167 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The audit identified gaps in the council's credit card policy and procedures. There was no documented arrangement for the reconciliation of the general manager's credit card. There was also no guidance on the management of Cabcharge. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit. The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include adequate compliance checks or reviewing the business-related purpose of transactions. The council's policy required prior approval for conferences, accommodation or meal expenses. However, there was no evidence that such approvals were checked during credit card reconciliation. The audit also identified instances of split transactions. The council implemented monthly reporting for managers in July 2019. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsPenrith City Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Penrith City Council should: 2. clarify in the credit card policy and procedures
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management. |
Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.Shellharbour City Council had 65 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud. The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The council did not align credit card limits with financial delegations, and while blocking codes were used, there was no explanation in the policy or procedures. Although the mayor and general manager's credit card transactions were reviewed during the council's monthly Executive Leadership Team meetings, the policy and procedures lacked guidance on the reconciliation of their credit cards. The council also did not have sufficiently detailed documentation for the management of fuel cards. The audit identified gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items, such as fuel and fine payments, were not accompanied by adequate justification. The audit identified instances of split transactions, and travel or conference approval forms were also not checked during reconciliation. There was a lack of targeted guidance for approvers in reconciliation, and the council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions. The council's Executive Leadership Team was involved in the monthly review of credit card transactions, hence there was management oversight of credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits. RecommendationsShellharbour City Council should immediately: 1. ensure cardholders stop sharing their credit card with other staff. By December 2020, Shellharbour City Council should: 2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management 6. ensure its credit card policy and procedures are reviewed according to schedule. |
Appendix one – Responses from councils and the Department of Planning, Industry and Environment
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #340 - released 3 September 2020
