Main navigation

Appendix one – Misstatements in financial statements submitted for audit

29 November 2023

Published

Regional NSW 2023

Industry

Environment

Planning

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What this report is about

Results of the Regional NSW financial statements audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed audits in the Regional NSW portfolio agencies.

The number of monetary misstatements identified in our audits increased from 28 in 2021–22 to 30 in 2022–23.

What the key issues were

Effective 1 July 2023, staff employed in the Northern Rivers Reconstruction Corporation Division of the Department of Regional NSW transferred to the NSW Reconstruction Authority Staff Agency.

The Regional NSW portfolio agencies were migrated into a new government wide enterprise resourcing planning system.

The total number of audit management letter findings across the portfolio of agencies decreased from 36 to 23.

A high risk matter was raised for the NSW Food Authority to improve the internal controls in the information technology environment including monitoring and managing privilege user access.

What we recommended

Local Land Services should prioritise completing all mandatory early close procedures.

Portfolio agencies should:

ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
prioritise and address internal control deficiencies identified in audit management letters.

This report provides Parliament and other users of the Regional NSW portfolio of agencies financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of the portfolio agencies. Two audits are ongoing.
The total number of errors (including corrected and uncorrected) in the financial statements increased compared to the prior year.
Portfolio agencies met the statutory deadline for submitting their 2022–23 early close financial statements and other mandatory procedures.
Portfolio agencies continue to provide financial assistance to communities affected by natural disasters.
A change to the NSW paid parental leave scheme, effective October 2023, created a new legal obligation that needed to be recognised by impacted government agencies. Impact to the agencies' financial statements were not material.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW portfolio.

Section highlights

The 2022–23 audits identified one high risk and nine moderate risk issues across the portfolio. Of these, one was a moderate risk repeat issue.
The total number of findings decreased from 36 to 23 which mainly related to deficiencies in internal controls.
The high risk matter relates to the monitoring and managing of privilege user access at NSW Food Authority.

Appendix one – Misstatements in financial statements submitted for audit

28 November 2023

Published

Stronger Communities 2023

Community Services

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

Shared services and collaboration

What this report is about

Results of the Stronger Communities financial statement audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed Stronger Communities portfolio agencies.

Machinery of government changes during the year returned the sports-related agencies to the Stronger Communities portfolio.

Resilience NSW was abolished on 16 December 2022 with most of its functions transferred to the newly created NSW Reconstruction Authority.

The Trustee for the First Australian Mortgage Acceptance Corporation (FANMAC) is a prescribed entity under the Government Sector Finance Regulation 2018. The Trustee should have presented the FANMAC's financial statements for audit after it became a GSF agency on 1 July 2020.

The number of monetary misstatements identified in our audits decreased from 42 in 2021–22 to 29 in 2022–23.

What the key issues were

In 2022–23, agencies in the portfolio recorded net revaluation uplifts to land and buildings totalling $643 million.

Out of home care and permanency support grant expenditure has increased by 27% since 2019–20. An upcoming performance audit report will focus on the timeliness and quality of the child protection services provided by the department and its non-government service providers.

A high-risk matter was raised for the department over segregation of duties deficiencies in the Justice Link system.

Four high-risk matters reported in 2021–22 have been resolved.

Thirty-three agencies were onboarded into a new government-wide enterprise resource planning system. Additional agencies will be onboarded in three tranches from April 2024 through to October 2024.

What we recommended

Portfolio agencies should:

ensure any changes to employee entitlements are assessed for their financial statement impact under the relevant Australian Accounting Standards
prioritise and address internal control deficiencies identified in our management letters.

This report provides Parliament and other users of the Stronger Communities portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of portfolio agencies, including the audit of the Crown Solicitor's Office's Trust Account for compliance with clause 14 of the Legal Profession Uniform Law Application Regulation 2015.
The financial statement audits of the NSW Trustee and Guardian Common Funds (the common funds) – year ended 30 June 2022 were certified by management on 6 December 2022 and independent auditor's reports issued 21 December 2022. The 30 June 2023 financial statements audits of the common funds are ongoing.
A variation to an agreement between the Commonwealth Attorney-General and the Legal Aid Commission of New South Wales for legal services to support the Royal Commission into Violence, Neglect and Exploitation of people with disability program extended the reporting period from 30 June 2023 to 29 September 2023 – the conclusion of the Royal Commission. The audit of the financial report acquitting expenditure under the agreement is expected to be completed before 28 February 2024.
The audit of the Home Purchase Assistance Fund's (the fund) 30 June 2022 financial statements remains incomplete. Those charged with governance of the fund have not provided sufficient and appropriate evidence to support the carrying value of material investments reported in the fund's financial statements. The financial audit of the fund's 2023 financial statements remain incomplete as a result.
The Trustee for the First Australian Mortgage Acceptance Corporation Master and Pooled Super Trusts had not prepared general purpose financial statements since 30 June 2021 when the financial reporting provisions of the Government Finance Sector Act 2018 were enacted and the Trustee was prescribed as a GSF agency under the regulations. The audits of these financial statements are ongoing.
Reported corrected misstatements decreased from 28 in 2021–22 to six with a gross value of $8.8 million in 2022–23 ($277 million in 2021–22).
Portfolio agencies met the statutory deadline for submitting their 2022–23 early close financial statements and other mandatory procedures.
In 2022–23, portfolio agencies collectively recorded net revaluation uplifts to the carrying values of land and buildings totalling $643 million (2021–22: $993 million) initiated through a combination of comprehensive and desktop valuations.
The Department of Communities and Justice (the department) had previously deferred performing a comprehensive revaluation of its land and building portfolio relating to the Corrective Services and Youth Justice functions. The deferral was due to the challenges in providing valuers sufficient access to the facilities due to the pandemic. The department is scheduled to perform a comprehensive revaluation of its full land and building portfolio in 2023–24.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities portfolio.

Section highlights

The number of findings reported to management has decreased from 142 in 2021–22, to 71 in 2022–23, and 35% were repeat issues (36% in 2021–22). Repeat issues related to non-compliance with key legislation and/or agency policies, information technology and internal control deficiencies.
A long-standing issue about segregation of duties over the JusticeLink system managed by the department has been elevated from moderate to high risk.
Four out of six high-risk issues reported in the prior year have been addressed.
Of the 15 newly identified moderate risk issues, 11 related to information technology and internal control deficiencies.

Appendix one – Response from the Office of Local Government within the Department of Planning and Environment

13 June 2023

Published

Local Government 2022

Local Government

Asset valuation

Cyber security

Financial reporting

Information technology

This report is about

Results of the local government sector financial statement audits for the year ended 30 June 2022.

What we found

Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' financial statements.

The financial audits for two councils and two joint organisations are in progress due to accounting issues.

Fifty-seven councils and joint organisations (2021: 41) required extensions to submit their financial statements to the Office of Local Government (OLG), within the Department of Planning and Environment (the department).

The audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficient books and records.

Qualified audit opinions were issued on 43 councils' financial statements due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. Forty-seven councils appropriately recognised this equipment.

What we recommended

Consistent with the NSW Government's accounting position and the department's role of assessing councils' compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise vested rural firefighting equipment.

The key issues

There were 1,045 audit findings reported to councils in audit management letters, with 52% being unresolved from prior years.

What we recommended

Councils need to track progress of implementing audit recommendations, giving priority to high-risk and repeat issues.

Ninety-three high-risk matters were identified across the sector mainly relating to asset management, information technology, financial accounting and council governance procedures.

Asset valuations

Audit management letters reported 267 findings relating to asset management. Fifty-three councils had deficiencies in processes that ensure assets are fairly stated.

What we recommended

Councils need to complete timely asset valuations (repeat recommendation).

Integrity and completeness of asset source records

Fifty-two councils had weak processes over the integrity of fixed asset registers.

What we recommended

Councils need to improve controls that ensure integrity of asset records (repeat recommendation).

Cybersecurity

Our audits found that 47% of councils did not have a cyber security plan.

What we recommended

All councils need to prioritise creation of a cyber security plan to ensure data and assets are safeguarded.

Pursuant to the Local Government Act 1993 I am pleased to present my Auditor-General's report on Local Government 2022. My report provides the results of the 2021–22 financial audits of 126 councils, 11 joint organisations and nine county councils. The audits for two councils and two joint organisations are in progress due to significant accounting issues.

Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils' 2021–22 financial statements. The statements for 43 councils were qualified due to non-recognition of rural firefighting equipment vested under section 119 (2) of the Rural Fires Act 1997. And the audit opinion on Kiama Municipal Council's 30 June 2021 financial statements was disclaimed due to deficiencies in books and records.

This year has again been challenging for many New South Wales local councils still recovering from the impact of emergency events and facing cost and resourcing pressures. We appreciate the efforts of council staff and management in meeting their financial reporting obligations. We share a mutual interest in raising the standard of financial management in this sector, and the importance of accurate and transparent reporting.

Disappointingly, accounting for the value of rural firefighting equipment vested in councils continued to be an unnecessary distraction and resulted in 43 councils having their financial statements qualified. We continue to recommend that the Office of Local Government should intervene where councils fail to comply with Australian Accounting Standards by not recognising assets vested to them under section 119(2) of the Rural Fires Act 1997.

Sound financial management is critical to councils' ability to instil trust and properly serve their communities. The recommendations in this report are intended to further improve their financial management and reporting capability, and encourage sound governance arrangements and cyber resilience. I am committed to continuing this work with councils in the 2022–23 year and beyond.

Margaret Crawford PSM

Auditor-General for New South Wales

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting audit results of councils and joint organisations.

Section highlights

Ninety-three councils and joint organisations (2020–21: 109) lodged audited financial statements with OLG by the statutory deadline of 31 October.
More councils received extensions. Fifty-seven councils and joint organisations (2020–21: 41) received extensions to submit audited financial statements to OLG.
Unqualified audit opinions were issued for 83 councils, 11 joint organisations and nine county councils 2021–22 financial statements.
A disclaimer of audit opinion was issued to Kiama Municipal Council relating to the 30 June 2021 financial statements.
The audits of two councils and two joint organisations are still in progress as at the date of this report due to significant accounting issues.
Qualified audit opinions were issued for 43 councils (2020–21: one) due to non-recognition of rural firefighting equipment vested to councils under the Rural Fires Act 1997 in their financial statements. Forty-seven councils appropriately recognised this equipment.
Since 2017, the Audit Office of New South Wales has recommended that OLG address the different practices across the local government sector in accounting for the rural firefighting equipment. Despite repeated recommendations, the OLG has not been effective in resolving this issue.
The OLG within the department should now intervene where councils do not recognise rural firefighting equipment.
The total number of errors and total dollar values (including corrected and uncorrected) in the financial statements decreased compared to prior year.
Eighty-two per cent of councils performed some early financial reporting procedures (2020–21: 59%). We continue to recommend that OLG should require early close procedures across the local government sector.

A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.

This chapter outlines the overall trends in governance and internal controls across councils and joint organisations in 2021–22.

Financial audits focus on key governance matters and internal controls supporting the preparation of councils’ financial statements. Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues are reported to management and those charged with governance through audit management letters. These letters include our observations, related implications, recommendations and risk ratings.

Section highlights

Total number of audit findings reported in audit management letters decreased from 1,277 in 2020–21 to 1,045 in 2021–22.
Total number of high-risk audit findings increased from 92 in 2021–21 to 93 in 2021–22. Forty-three (2020–21: 60) of the high-risk findings in 2021–22 related to the non-recognition of vested rural firefighting equipment in councils’ financial statements.
Ninety per cent of total high-risk findings in 2021–22 were repeat findings. Thirty-two per cent of these high-risk findings were escalated from unactioned moderate risk findings in 2020–21.
Fifty-two per cent (2020–21: 53%) of findings reported in audit management letters were repeat or partial repeat findings. We continue to recommend councils and those charged with governance track progress of implementing recommendations from our audits.
Governance, asset management and information technology comprise over 65% (2020–21: 62%) of findings and continue to be key areas requiring improvement. Eleven per cent of these findings were high risk in 2021–22.
A number of repeat recommendations were made relating to asset valuations and integrity of asset data records, in response to the findings that:
- 52 (2021: 67) councils had weak processes over maintenance, completeness and security of fixed asset registers
- 53 (2021: 58) councils had deficiencies in their processes to revalue infrastructure assets.
Sixty-three (2021: 65) councils have yet to implement basic governance and internal controls to manage cyber security. We recommended that all councils should create a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.

Total number of findings reported in audit management letters decreased

The following shows the overall findings of the 2021–22 audits reported in management letters compared with the previous year.

Appendix two – Status of audits

Appendix three – Councils received qualified audit opinions

Appendix four – Common reasons for council extensions

Copyright notice

19 December 2022

Published

Enterprise, Investment and Trade 2022

Finance

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Regulation

Risk

What the report is about

Result of the Enterprise, Investment and Trade cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

The Machinery of Government changes within the Enterprise, Investment and Trade cluster resulted in the creation of the Department of Enterprise, Investment and Trade and the transfer of $1.0 billion of net assets into the new department.

Unmodified audit opinions were issued for all completed cluster agencies' 2021–22 financial statements audits. Two audits are ongoing.

An 'Other Matter' paragraph was included in the audit opinion for the Jobs for NSW Fund's 30 June 2021 financial report to reflect the non-compliance with the Jobs for NSW Act 2015 (the Act) and Government Sector Finance Act 2018. The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet, and five ministerial appointments. The board has consisted of two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.

Three cluster agencies accepted changes to their office leasing arrangements managed by Property NSW. This has resulted in the collective derecognition of $24.8 million of right-of-use assets and $26.7 million in lease liabilities, and recognition of $1.9 million of other gains.

What the key issues were

The number of issues we reported to management decreased from 108 in 2020–21 to 103 in 2021–22. Thirty per cent of issues were repeated from the prior year.

Six high-risk issues were identified across the cluster related to the quality and timeliness of financial reporting, governance processes and internal controls.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Enterprise, Investment and Trade cluster's financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Enterprise, Investment and Trade cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued for all completed cluster agencies 2021–22 financial statements audits. The Jobs for NSW Fund and Responsible Gambling Fund audits are ongoing.
An 'Emphasis of Matter' paragraph was included in the Australian Institute of Asian Culture and Visual Arts Limited's 30 June 2022 financial statements to draw attention to management’s disclosures that the entity's financial statements for the year ended 30 June 2022 were prepared on a non-going concern basis following cessation of its operations and resolution by the directors in October 2021 to deregister the entity.
An 'Other Matter' paragraph was included in the Jobs for NSW Fund's 30 June 2021 financial report to reflect the non-compliance with the Jobs for NSW Act 2015 and Government Sector Finance Act 2018.
The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet (or their nominees) and five ministerial appointments, one of whom is to be appointed as Chair of the board. The board has consisted of the two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.
An 'Emphasis of Matter' paragraph was included in the Jobs for NSW Fund's 30 June 2021 financial report to draw attention to the financial report being prepared for the purpose of fulfilling the Jobs for NSW Fund's financial reporting responsibilities as requested by the Treasurer's delegate.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Enterprise, Investment and Trade cluster.

Section highlights

In 2021–22, there were 103 findings raised across the cluster, a decrease from 2020–21.
In total, six high-risk findings were identified during 2021–22. Two related to 2021–22 whilst four were related to the audit of Jobs for NSW Fund's 30 June 2021 financial report.
Thirty per cent of all findings during 2021–22 were repeat issues. The most common repeat issues related to information technology controls and accounting for property plant and equipment notably fair value assessment and valuation.

Appendix one – Misstatements in financial statements submitted for audit

Appendix one – Misstatements in financial statements submitted for audit

Copyright notice

13 December 2022

Published

Stronger Communities 2022

Justice

Community Services

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

Risk

What the report is about

Results of the Stronger Communities cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits. One audit is ongoing.

All 13 cluster agencies that have accommodation arrangements with Property NSW derecognised right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.

The Department of Communities and Justice (the department) assumed the responsibility for delivery of the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project, which remains ongoing.

The number of monetary misstatements identified during the audits decreased from 50 in 2020–21 to 48 in 2021–22.

What the key issues were

Six of the 15 cluster agencies required to submit 2021–22 mandatory early close procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.

Five high-risk findings were identified in 2021–22. They related to deficiencies in:

user access administration at the department, NSW Rural Fire Service and New South Wales Aboriginal Land Council (NSWALC)
segregation of duties at the NSW Trustee and Guardian and NSWALC.

Recommendations were made to those agencies to address these control deficiencies.

This report provides Parliament and other users of the Stronger Communities cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits of cluster agencies, including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office. One audit is ongoing.
Reported corrected misstatements decreased from 30 in 2020–21 to 23 with a gross value of $187 million in 2021–22 ($101 million in 2020–21). Reported uncorrected misstatements increased from 20 in 2020–21 to 25 with a gross value of $92.3 million in 2021–22 ($107 million in 2020–21).
Six of the 15 cluster agencies required to submit 2021–22 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.
All 13 cluster agencies that have accommodation arrangements with Property NSW accepted the changes in the Client Acceptance Letters, resulting in the derecognition of right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.
The Department of Communities and Justice (the department) assumed the responsibility to deliver the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project.
In 2021–22, the department continued to implement the International Financial Reporting Standards Interpretations Committee's agenda decision on 'Configuration or customisation costs in a cloud computing arrangement'. The department's review of the remaining arrangements, with a net book value of $233 million at 30 June 2021, resulted in the recognition as an expense (through accumulated funds at 1 July 2020) of previously capitalised intangible assets totalling $106 million.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.

Section highlights

The number of issues reported to management has decreased from 130 in 2020–21, to 110 in 2021–22, and 43% were repeat issues (51% in 2020–21). Many repeat issues related to information technology, governance and oversight controls, and non-compliance with key legislation and/or agency policies.
Five high-risk issues were identified in 2021–22, all of which are repeat issues and related to user access administration and segregation of duties.
Of the 24 newly identified moderate risk issues, 11 related to information technology. The rest related to governance and oversight controls and internal control deficiencies or improvements in payroll, asset management and other processes.

Appendix one – Misstatements in financial statements submitted for audit

Copyright notice

30 November 2022

Published

Customer Service 2022

Finance

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What the report is about

Result of the Customer Service cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Customer Service cluster agencies.

What the key issues were

The number and size of Service NSW's administered grant programs have increased significantly in response to emergency events. Improvements are required to address gaps in Service NSW's policies, systems and processes in administering and financial reporting of grant programs.

The Department of Customer Service (the department) reported a retrospective correction of a prior period error of $33.3 million understatement of the land titling database, which is a service concession asset managed by a private operator.

The 2021–22 audits identified five high-risk issues across the cluster:

the department:
- control weaknesses in user access to GovConnect systems
- significant control deficiencies in information technology change management controls
Rental Bond Board:
- legislation amendment required to better support the accounting treatment of rental bonds
- no delegation instrument to government officers authorising them to approve expenditures
Service NSW:
- improvements required in the timeliness and quality of grant administration revenue assessment and controls over the recovery of grant administration costs.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Customer Service cluster's financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies.
Reported corrected misstatements decreased from 33 in 2020–21 to 30 with a gross value of $406 million in 2021–22 ($418.9 million in 2020–21). Reported uncorrected misstatements decreased from 13 in 2020–21 to nine with a gross value of $31.8 million in 2021–22 ($78 million).
Seven of nine cluster agencies did not submit or complete certain mandatory early close procedures on time.
Service NSW's late resolution of the accounting of $256 million revenue from administering COVID-19 and flood grant programs resulted in misstatements and delays in financial reporting and audit.
The Department of Customer Service corrected prior period errors retrospectively related to the valuation of a service concession asset (land titling database) which reduced the prior year comparative for service concession asset by $33.3 million in the financial statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service cluster.

Section highlights

The 2021–22 audits identified five high risks (three in 2020–21) and 36 moderate risk issues (59 in 2020–21) across the cluster. Fifty-three per cent of the issues (42% in 2020–21) were repeat issues. Many repeat issues related to information technology controls around user access management.
While improvement was noted in the number of control deficiencies in GovConnect ASAE 3402 controls assurance reports, internal control qualification and control deviation issues continued to occur in 2021–22. Ineffective controls at service providers increase the risk of fraud, error and security to data.
Cyber security governance and management requires improvement. The department is yet to fully implement Essential 8 Mitigation Strategies and the maturity level for several Essential 8 strategies is at Level Zero in the current maturity model. The department is in the process of completing the roll out of some long outstanding system patches.
Significant gaps were identified in Service NSW's policies, systems and processes in administering and financial reporting of grant programs.

Appendix one – Response from the Office of Local Government within the Department of Planning and Environment

Copyright notice

22 June 2022

Published

Local Government 2021

Local Government

Asset valuation

Cyber security

Financial reporting

Information technology

What the report is about

Results of the local government sector council financial statement audits for the year ended 30 June 2021.

What we found

Unqualified audit opinions were issued for 126 councils, 13 joint organisation audits and nine county councils in 2020–21.

A qualified audit opinion was issued for Central Coast Council who was unable to provide evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets.

The audit of Kiama Municipal Council is still in progress as at the date of this report due to significant accounting issues not resolved resulting in corrections to the financial statements and prior period errors.

Forty-one councils and joint organisations (2020: 16) received extensions to submit audited financial statements to the Office of Local Government (OLG).

Councils were impacted by recent emergency events, including bushfires, floods and the COVID-19 pandemic. The financial implications from these events varied across councils. Councils adapted systems, processes and controls to enable staff to work flexibly.

What the key issues were

There were 1,277 audit findings reported to councils in audit management letters.

Ninety-two high-risk matters were identified across the sector:

69 high-risk matters relating to asset management (see page 30)
six high-risk matters relating to information technology (see page 39)
six high-risk matters relating to financial reporting (see page 26)
six high-risk matters to council governance procedures (see page 22)
five high-risk matters relating to financial accounting (see page 28).

More needs to be done to reduce the number of errors identified in financial reports. Twenty-nine councils required material adjustments to correct errors in previous audited financial statements.

Rural firefighting equipment

Sixty-eight councils did not record rural firefighting equipment estimated to be $145 million in their financial statements.

The financial statements of the NSW Total State Sector and the NSW Rural Fire Service do not include these assets, as the State is of the view that rural firefighting equipment that has been vested to councils under the Rural Fires Act 1997 is not controlled by the State. In reaching this conclusion, the State argued that on balance it would appear the councils control rural firefighting equipment that has been vested to them.

The continued non-recording of rural firefighting equipment in financial management systems of some councils increases the risk that these assets are not properly maintained and managed.

What we recommended

Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes and recognise this equipment as assets in their financial statements.

Consistent with OLG’s role to assess council’s compliance with legislative responsibilities, standards or guidelines, OLG should intervene where councils do not recognise rural firefighting equipment.

Fast facts

150 councils and joint organisations in the sector
99% unqualified audit opinions issued for the 30 June 2021 financial statements
489 monetary misstatements reported in 2020–21
54 prior period errors reported
92 high-risk management letter findings identified
53% of reported issues were repeat issues.

Early financial reporting procedures

Fifty-nine per cent of councils performed some early financial reporting procedures, less than the prior year.

What we recommended

OLG should require early financial reporting procedures across the local government sector by April 2023. Policy requirements should be discussed with key stakeholders to ensure benefits of the procedures are realised.

Asset valuations

Audit management letters reported 288 findings relating to asset management. Fifty-eight councils had deficiencies in their processes to revalue infrastructure assets.

Thirty-five councils corrected errors relating to revaluations amounting to $1 billion and 13 councils had prior period errors relating to asset revaluations that amounted to $253 million.

What we recommended

Councils should have all asset revaluations completed by April of the financial year subject to audit.

Integrity/completeness of asset records

Sixty-seven councils had weak processes over maintenance, completeness and security of fixed asset registers.

Thirty-five councils corrected errors to the financial statements relating to poor record keeping of asset data that amounted to $102.1 million. Nineteen councils had 27 prior period financial statement errors that amounted to $417.1 million relating to the quality of asset records such as found and duplicate assets.

What we recommended

Councils need to improve controls and processes to ensure integrity and completeness of asset source records.

Cybersecurity

Our audits found that cybersecurity frameworks and related controls were not in place at 65 councils.

These councils have yet to implement basic governance and internal controls to manage cybersecurity such as having a cybersecurity framework, policy and procedure, register of cyber incidents, system penetrations testing and training.

What we recommended

OLG needs to develop a cybersecurity policy to be applied by councils as a matter of high priority in order to ensure cybersecurity risks over key data and IT assets are appropriately managed across councils and key data is safeguarded.

Councils should monitor the implementation of recommendations

Fifty-three per cent of total findings reported in 2020–21 audit management letters were repeat or partial repeat findings from prior years.

What we recommended

Councils and those charged with governance should track the progress of implementing recommendations from financial audits, performance audits and public inquiries.

Key financial information

In 2020–21, councils:

collected $7.6b in rates and annual charges
received $5.1b in grants and contributions
incurred $4.8b of employee benefits and on costs
held $15.3b of cash and investments
managed $161.7b of infrastructure, property, plant and equipment
entered into $3.4b of borrowings.

Pursuant to the Local Government Act 1993 I present my report Local Government 2021. My report provides the results of the 2020–21 financial audits of 127 councils, 13 joint organisations and nine county councils.

Unqualified audit opinions were issued for 126 councils, 13 joint organisation and nine county councils in 2020–21. My independent auditor’s opinion was qualified for Central Coast Council who was unable to provide evidence to support the carrying value of $5.5 billion of roads, bridges, footpaths, bulk earthworks, stormwater drainage, water supply and sewerage network assets.

The 2020–21 year was challenging from many perspectives, not least being the continuing impact of and response to the recent emergency events, including bushfires, floods and the COVID-19 pandemic. We appreciate the efforts of council staff and management right across local government and they must be congratulated for their responsiveness and resilience in meeting their financial reporting obligations in such challenging circumstances.

This report makes a number of recommendations to councils and to the regulator, the Office of Local Government within the Department of Planning and Environment. These are intended to support councils to further improve the timeliness, accuracy and strength of financial reporting and their governance arrangements. Arguably, when faced with challenges, it is even more important to prioritise and invest in systems and processes to protect the integrity of councils' operations and promote accurate and transparent reporting.

I look forward to continuing engagement and constructive dialogue with councils in 2022–23 and beyond.

Margaret Crawford
Auditor-General for New South Wales

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting of councils and joint organisations.

Highlights

One hundred and nine councils and joint organisations (2020: 133) lodged audited financial statements with OLG by the statutory deadline of 31 October (2020: 30 November).
Forty-one councils and joint organisations (2020: 16) received extensions to submit audited financial statements to OLG.
Unqualified audit opinions were issued for 126 councils, 13 joint organisations and nine county councils in 2020–21. A qualified audit opinion was issued for Central Coast Council in both 2019–20 and 2020–21.
The audit of Kiama Municipal Council is still in progress as at the date of this report due to significant accounting issues.
Fifty-nine per cent of councils performed some early financial reporting procedures, less than the prior year. We recommended that OLG should require early close procedures across the local government sector by 30 April 2023.
The total number and dollar value of corrected financial statement errors increased compared with the prior year, however uncorrected financial statement errors and prior period financial statement errors decreased compared to the prior year.
Sixty-eight councils (2020: 68 councils) did not record rural firefighting equipment in their financial statements worth an estimated $145 million (2020: $119 million). The NSW Government has confirmed these assets are not controlled by the NSW Rural Fire Service and are not recognised in the financial records of the NSW Government. We recommended that consistent with the OLG's role to assess council’s compliance with legislative responsibilities, standards or guidelines, OLG should intervene where councils do not recognise rural firefighting equipment. Councils should perform a full asset stocktake of rural firefighting equipment, including a condition assessment for 30 June 2022 financial reporting purposes.

A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.

This chapter outlines the overall trends in governance and internal control findings across councils, county councils and joint organisations in 2020–21.

Financial audits focus on key governance matters and internal controls supporting the preparation of councils' financial statements. Audit findings are reported to management and those charged with governance through audit management letters.

Highlights

Total number of audit findings reported in audit management letters decreased from 1,435 in 2019–20 to 1,277 in 2020–21.
No extreme risk audit findings were identified in 2020–21 (2019–20: 1).
Total number of high-risk audit findings increased from 53 in 2019–20 to 92 in 2020–21. Sixty of the high-risk findings in 2020–21 related to the non-recording of rural firefighting equipment in councils' financial statements. Twenty-six per cent of the high-risk findings identified in 2019–20 were reported as high-risk findings in 2020–21.
Fifty-three per cent of findings reported in audit management letters were repeat or partial repeat findings. We recommend councils and those charged with governance should track progress of implementing recommendation from our audits.
Governance, asset management and information technology comprise over 62% of findings and continue to be key areas requiring improvement.
A number of recommendations were made relating to asset valuations and integrity of asset data records, in response to the findings that:
- 67 councils had weak processes over maintenance and security of fixed asset registers
- 58 councils had deficiencies in their processes to revalue infrastructure assets.
Sixty-five councils have yet to implement basic governance and internal controls to manage cybersecurity. We recommended that OLG needs to develop a cybersecurity policy to be applied by councils as a matter of high priority.

Total number of findings reported in audit management letters decreased

In 2020–21, 1,277 audit findings were reported in audit management letters (2019–20: 1,435 findings). No extreme audit risk findings were identified this year. The extreme risk relating to Central Coast Council's use of externally restricted funds in 2019–20 was partially addressed by management and has been rated as a high-risk for 2020–21. The total number of high-risk findings increased to 92 (2019–20: 53 high-risk findings).

Findings are classified as new, repeat or ongoing, based on:

new findings were first reported in 2020–21 audits
repeat findings were first reported in prior year audits, but remain unresolved in 2020–21
ongoing findings were first reported in prior year audits, but the action due dates to address the findings are after 2020–21.

Findings are categorised as governance, financial reporting, financial accounting, asset management, purchases and payables, payroll, cash and banking, revenue and receivables, or information technology. The high-risk and common audit findings across these areas are explored further in this chapter.

Audit Office’s annual work program for 2021–22 onwards

Focus on integrity of systems, good governance and good advice

We have a fundamental role in helping the Parliament hold government accountable for the use of public resources. In doing so, we examine whether councils' systems and processes are effective in supporting integrity, accountability and transparency. Key aspects of integrity that we expect to through conduct of our financial and performance audits over the next three years include the integrity of systems, good governance and good advice. These focus areas have arisen from the collation of key findings and recommendations from our past reports.

Focus on local councils' continued response to recent emergencies

The COVID-19 pandemic continues to have a significant impact on the people and the public sector of New South Wales. Local councils are continuing to assist communities in their recovery from the 2019–20 bushfires and subsequent and recent flooding. The full extent of some of these events remain unclear and will likely continue to have an impact into the future.

Image of a bus stop that's been completely burned because of a bushfire

The Office of Local Government within the Department of Planning and Environment continues to work with other state agencies to assist local councils and their communities to recover from these unprecedented events.

The increasing and changing risk environment presented by these events has meant that we have recalibrated and focused our efforts on providing assurance on how effectively aspects of responses to these emergencies have been delivered.

This includes financial and governance risks arising from the scale and complexity of government responses to these events.

We will take a phased approach to ensure our financial and performance audits address the following elements of the emergencies and the Local Government's responses:

local councils' planning and preparedness for emergencies
local councils' initial responses to support people and communities impacted by COVID-19 and the 2019–20 bushfires and recent floods
governance and oversight risks that arise from the need for quick decision-making and responsiveness to emergencies
effectiveness and robustness of processes to direct resources toward recovery efforts and ensure good governance and transparency in doing so
the mid to long-term impact of government responses to the natural disasters and COVID-19
whether government investment has achieved desired outcomes.

Focus on the effectiveness of cybersecurity in local government

The increasing global interconnectivity between computer networks has dramatically increased the risk of cybersecurity incidents. Such incidents can harm local government service delivery and may include theft of information, denial of access to critical technology, or even hijacking of systems for profit or malicious intent.

Outdated IT systems and capability present risks to government cybersecurity. Local councils need to be alert to the need to update and replace legacy systems, and regularly train and upskill staff in their use. To add to this, cybersecurity risks have been exacerbated by recent emergencies, which have resulted in greater and more diverse use of digital technology.

Our approach to auditing cybersecurity across in the sector involves:

considering how local councils are responding to the risks associated with cybersecurity across our financial audits
examining the effectiveness of cybersecurity planning and governance arrangements within local councils
conducting deep-dive performance audits of the effectiveness of cybersecurity measures in selected councils.

Local government elections

Local government elections took place in 2021–22

The local government elections were deferred for one year due to the COVID-19 pandemic and were held on 4 December 2021.

As part of our audits, we will consider the impact of any significant change on key decisions and activities for councils, county councils and joint organisations following the local government elections.

New rate peg methodology to support growing councils

The Independent Pricing and Regulatory Tribunal (IPART) has completed its review of the local government rate peg methodology to include population growth.

On 10 September 2021, IPART provided the final report on this review to the Minister for Local Government.

The minister has endorsed the new rate peg methodology and has asked IPART to give effect to it in setting the rate peg from the 2022–23 financial year.

As part of our audits, we will consider the impact of these changes on the financial statements and on key decisions and activities for councils, county councils and joint organisations.

Appendix two – Status of previous recommendations

Appendix three – Status of audits

Copyright notice

17 December 2021

Published

Customer Service 2021

Finance

Asset valuation

Cyber security

Financial reporting

Information technology

Internal controls and governance

Shared services and collaboration

This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Customer Service cluster agencies.

The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.

Seven out of eight agencies did not complete all mandatory early close procedures.

What the key issues were

Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.

The department reported several retrospective corrections of prior period errors.

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:

the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
the Department of Customer Service – significant control deficiencies in information technology change management controls
Rental Bond Board – uncertainties in the accounting treatment of rental bonds.

The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.

The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.

What we recommended

The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.

The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.

The department should continue to improve controls in cyber security management.

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.

Fast facts

The Customer Service cluster aims to plan, prioritise, fund and drive digital transformation and customer service across every cluster in the NSW Government.

$3.9b total expenditure incurred in 2020–21
$34.1b total administered income managed on behalf of the NSW Government in 2020–21
100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements
3 high-risk management letter findings were identified
46 monetary misstatements were reported in 2020–21
42% of reported issues were repeat issues.

This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies.
The number of reported misstatements has decreased from 48 in 2019–20 to 46 in 2020–21.
Agencies could do more work to improve the quality and timeliness of completing mandatory early close procedures.
The Department of Customer Service implemented the new accounting standard AASB 1059 'Service Concession Arrangements: Grantors', which resulted in recognition of a service concession asset of $845 million at 1 July 2019. The valuation of land titling database requires significant judgements and estimations.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.

Section highlights

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. Twenty-six moderate risk issues were repeat issues. The most common repeat issues related to information technology controls around user access management.
The magnitude and number of internal control qualification issues from GovConnect service providers have increased. Ineffective controls at service providers increase the risk of fraud, error and security to data. Urgent attention is required to remediate the internal control exceptions in information and technology services.
The NSW Public Sector's cyber security resilience needs urgent attention. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Findings reported to management

Forty-two per cent of findings reported to management were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Risk rating	Issue
Information technology
High³ 1 new, 1 repeat	The financial audits identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with: internal control exceptions in information and technology services provided by GovConnect service providers inadequate change management controls poor user access administration and no monitoring of privileged user activities insufficient cybersecurity controls and processes. High-risk issues are discussed later in the chapter.
Moderate² 5 new, 8 repeat
Low¹ 7 new, 5 repeat
Internal control deficiencies or improvements
Moderate² 5 new, 3 repeat	The financial audits identified internal control weaknesses across key business processes, including: lack of documentation support for payroll transactions untimely removal of unused transaction negotiation authority facility and old bank signatories inadequate fixed asset management controls including timely capitalisation of project overhead costs.
Low¹ 3 new, 2 repeat
Financial reporting
High³ 1 new	The financial audits identified opportunities for agencies to strengthen financial reporting, including: uncertainties in legislation to support accounting of rental bonds as funds held in trust improvements required in lease accounting including the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy the removal of fully depreciated assets in the fixed asset register was not timely the quality and timeliness of completing early close procedures required improvement. High-risk issues are discussed later in the chapter.
Moderate² 9 new, 8 repeat
Low¹ 7 new, 3 repeat
Governance and oversight
Moderate² 10 new, 3 repeat	The financial audits identified opportunities for agencies to improve governance and oversight processes, including: renewing or finalising service arrangement agreements between agencies were required lack of formalised documentation regarding arrangements with external providers for leasing and use of assets.
Low¹ 3 new
Non-compliance with key legislation and/or central agency policies
Moderate² 4 new, 4 repeat	The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including: non-compliance with contract and procurement management policy, including the use of purchasing cards non-compliance with TC 21-02 'Statutory Act of Grace Payments' annual leave in excess of 30 days where Circular 2020-12 requires agency heads to reduce employee recreation leave balances to 30 days or less.
Low¹ 1 repeat

⁴ Extreme risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

³ High-risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

² Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

¹ Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

Note: Management letter findings are based on management letters issued to agencies.

2020–21 audits identified three high-risk findings

High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.

Agency	Description
2020–21 findings
Department of Customer Service Repeat finding: Qualifications and control deviations in GovConnect NSW controls assurance reports	The GovConnect information technology general controls (ITGC) provided by the department, Infosys and Unisys were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access. The control deficiencies in ITGC increase: the risk of unauthorised transactions, system and configuration changes (workflow approvals, three-way match etc.) and modifications to the system reports incomplete, invalid and inappropriate system access, segregation of duties controls and system reports for the customers using the SAPConnect. The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. It is leading a new IT operating model called ‘Service Integration and Application Management’ (SIAM) to strengthen governance and improve performance of GovConnect service providers. The Department is responsible for the remediation of control deficiencies and continuous improvement in the GovConnect environment. This matter was assessed as high-risk, if not adequately addressed, it had the potential to result in material fraud and error in the department's financial statements and reputation damages. This issue is further discussed later in this chapter.
2020–21 findings
Department of Customer Service New finding: Change management significant control deficiencies	Revenue NSW, a division of the department has a key role in managing the State’s finances. It administers State taxes, manages fines, recovers State debt and administers grants and subsidies. The audit team found significant control deficiencies in change management controls: appropriate system controls were not in place to restrict developers from releasing changes to the live business systems 8 developers had direct access to the business application servers used for calculating and administering State taxes. We have included this matter as a high-risk management letter finding, as the audit team could not identify mitigating controls. The system activity of these developers was also not being independently logged and monitored. This increases the risk of unauthorised system change. This can significantly affect the integrity of tax calculation, business process approvals, invalid changes to bank accounts, unauthorised refunds and write-offs. The audit team conducted a risk analysis over the relevant business processes affected by this issue and performed additional audit procedures to address the audit risk.
Rental Bond Board Repeat finding: Accounting treatment of rental bonds held in trust	The Rental Bond Board (the Board) holds rental bonds totalling $1.7 billion at 30 June 2021. The Board treated the rental bonds off-balance sheet and disclosed the rental bonds as ‘trust funds’. This treatment is based on management’s judgement that the Board does not have control of these funds. Previously the Board obtained advices from the Crown Solicitors who stated that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to better support its accounting treatment of rental bonds. The Board has initiated the need to amend the Act, however the implementation of the legislative amendments is still pending. This matter was assessed as high-risk, if not adequately supported, it had the potential to result in material misstatements in the Board's financial statements.

The number of moderate risk findings increased from prior year

Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.

Moderate risk findings include:

weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.

The magnitude and number of internal control exceptions in GovConnect service providers have increased

In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.

The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.

The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.

The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.

ASAE 3402 controls report^#	2015–16^	2016–17	2017–18	2018–19	2019–20	2020–21
Infosys Accounts receivable	Qualified	Unqualified	Unqualified	Unqualified	Unqualified	Qualified
Infosys Accounts payable	Qualified	Qualified	Unqualified	Unqualified	Unqualified	Unqualified
Infosys Fixed assets	Qualified	Unqualified	Unqualified	Unqualified	Unqualified	Unqualified
Infosys General ledger	Qualified	Qualified	Unqualified	Unqualified	Unqualified	Unqualified
Infosys Payroll	Adverse	Qualified	Unqualified	Unqualified	Unqualified	Unqualified
Infosys ITGC	Qualified	Qualified	Unqualified	Unqualified	Unqualified	Qualified
Unisys ITGC	Qualified	Unqualified	Qualified	Qualified	Unqualified	Qualified
The department ITGC*	--	--	--	--	Qualified	Qualified
ServiceFirst**	Disclaimer	--	--	--	--	--

# The ASAE 3402 controls reports were issued by an independent private sector service auditor appointed by the Department of Customer Service.

* Information technology services were transitioned from Unisys to the department in phases from 2019–20 to 2020–21.

** ServiceFirst was the shared service centre and its last reporting period was from 1 July 2015 to 13 December 2015.

^ GovConnect first reporting period from 14 December 2015 to 30 June 2016.

In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:

the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
of the deviations identified during sample testing of ITGC controls
the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.

Internal control exceptions in GovConnect information and technology services require urgent remediations

The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:

fraud and error in the financial statements
ineffective segregation of duties controls
accuracy and completeness of system generated reports for the agencies using the SAPConnect system.

The table shows the number of ITGC control deviations compared to prior year:

Year ended 30 June	2021		2020
	Total controls tested	Total number of control deviations and findings	Total controls tested	Total number of control deviations and findings
Infosys ITGC	41	16	35	8
Unisys ITGC	25	11	33	4
DCS ITGC	31	9	10	5

Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The service auditor identified significant areas for remediation:

governance arrangement of the IT services
user access management controls
SAP database controls
logical access
incident management.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.

The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.

Recommendation

We recommend the Department of Customer Service:

improve governance and internal control environment over the information technology services
ensure GovConnect service providers prioritise remediation actions to address internal control exceptions
perform a post-implementation review of the transition of the Unisys arrangement to identify lessons learnt and continuous improvement
develop data analytics to help analyse and identify high-risk patterns and anomalies in GovConnect key transaction systems, augmenting their existing monitoring and detective controls.

The NSW Public Sector's cyber security resilience needs urgent attention

The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.

The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:

considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.

A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:

clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
require agencies to report the target level of maturity for each mandatory requirement.

A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.

The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.

The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.

Repeat recommendation

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

Management of cyber security risk

Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.

Our assessment of the department’s own cyber risk management shows that:

an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.

The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.

Recommendation

We recommend the Department of Customer Service:

establish an approved security incident response plan and formal process over patch management
improve communications with cluster agencies over the controls and assurance in cyber security management.

Appendix one – Misstatements in financial statements submitted for audit