Refine search

Reports

18 December 2020

Published

Service NSW's handling of personal information

Premier and Cabinet

Finance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Risk

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
to better reflect the full scope and complexity of personal information handled by Service NSW
to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
enable partitioning and role based access restrictions to personal information collected for different programs
provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

are identified as high risk and have not previously had a privacy impact assessment
have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

17 December 2020

Published

Procurement management in Local Government

Local Government

Internal controls and governance

Management and administration

Procurement

Regulation

Service delivery

The Auditor‑General for New South Wales, Margaret Crawford, released a report today examining procurement management in Local Government.

The audit assessed the effectiveness of procurement management practices in six councils. All six councils had procurement management policies that were consistent with legislative requirements, but the audit found compliance gaps in some councils. The audit also identified opportunities for councils to address risks to transparency and accountability, and to ensure value for money is achieved when undertaking procurement.

The Auditor‑General recommended that the Department of Planning, Industry and Environment review the Local Government (General) Regulation 2005 and publish updated and more comprehensive guidance on procurement management for the Local Government sector. The report also generated insights for the Local Government sector on opportunities to strengthen procurement practices.

Effective procurement is important in ensuring councils achieve their objectives, demonstrate value for money and deliver benefits to the community when purchasing goods and services. Procurement also comes with risks and challenges in ensuring the purchased goods and services deliver to expectations. The risks of fraud and conflicts of interest also need to be mitigated.

The legislative requirements related to procurement in the Local Government sector are focused on sourcing and assessing tender offers. These requirements are included in the Local Government Act 1993 (the Act), the Local Government Amendment Act 2019 (the Amendment), the Local Government (General) Regulation 2005 (the Regulation), the Tendering Guidelines for NSW Local Government 2009 (the Tendering Guidelines), the Government Information (Public Access) Act 2009 (the GIPA Act) and the State Records Act 1998.

General requirements and guidance relevant to councils are also available in the Model Code of Conduct for Local Councils in NSW 2018 (the Model Code), the NSW Government Procurement Policy Framework 2019 and in publications by the Independent Commission Against Corruption (ICAC).^₁

Individual councils have developed their own procurement policies and procedures to expand on the legislative requirements. Understandably, these vary to reflect each council’s location, size and procurement needs. Nevertheless, the general principles of effective procurement management (such as transparency and accountability) and risk-mitigating practices (such as segregation of duties and the provision of training) are relevant to all councils.

The Audit Office of New South Wales Report on Local Government 2018 provided a sector-wide summary of aspects of procurement management in Local Government (see Section 2.1 of this report). This audit builds on this state-wide view by examining in detail the effectiveness of procurement management practices in six councils. This report also provides insights on opportunities to strengthen procurement management in the sector.

The selected councils for this audit were Cumberland City Council, Georges River Council, Lockhart Shire Council, Tweed Shire Council, Waverley Council and Wollongong City Council. They were selected to provide a mix of councils of different geographical classifications, sizes, priorities and levels of resourcing.

Conclusion

All six councils had procurement management policies and procedures that were consistent with the legislative requirements for sourcing and assessing tender offers. Their policies and procedures also extended beyond the legislative requirements to cover key aspects of procurement, from planning to completion. In terms of how these policies were applied in practice, the six councils were mostly compliant with legislative requirements and their own policies and procedures, but we found some gaps in compliance in some councils and made specific recommendations on closing these gaps.

There were also opportunities for councils to improve procurement management to mitigate risks to transparency, accountability and value for money. Common gaps in the councils’ procurement management approaches included not requiring procurement needs to be documented at the planning stage, not providing adequate staff training on procurement, not requiring procurement outcomes to be evaluated, and having discrepancies in contract values between contract registers and annual reports. These gaps expose risks to councils’ ability to demonstrate their procurements are justified, well managed, delivering to expectations, and achieving value for money. Chapter three of this report provides insights for the audited councils and the Local Government sector on ways to address these risks

Recommendations

By June 2022, the Department of Planning, Industry and Environment should:
1. publish comprehensive and updated guidance on effective procurement practices – including electronic tender submissions and procurements below the tender threshold
2. review and update the Local Government (General) Regulation 2005 to reflect the increasing use of electronic tender submissions rather than paper copies.
By December 2021, the six audited councils should consider the opportunities to improve procurement management in line with the improvement areas outlined in chapter three of this report.
Cumberland City Council should immediately:
1. ensure contract values are consistent between the contract register and the annual report
2. introduce procedures to ensure supplier performance reviews are conducted as per the council’s policy
Georges River Council should immediately:
1. ensure contract values are consistent between the contract register and the annual report
2. introduce procedures to ensure all the steps up to the awarding of a contract are documented as per the council’s policy
3. introduce procedures to ensure outcome evaluations are conducted as per the council’s policy.
Lockhart Shire Council should immediately:
1. include additional information in the council’s contract register to ensure compliance with Section 29(b), (f), (g), (h) and (i) of the GIPA Act
2. ensure contract values are consistent between the contract register and the annual report.
Waverley Council should immediately ensure contracts are disclosed in the annual report as per Section 217(1)(a2) of the Regulation.

(1) The relevant ICAC publications include: Corruption Risks in NSW Government Procurement – The Management Challenge (2011), Corruption Risks in NSW Government Procurement – Suppliers’ Perception of Corruption (2011) and Corruption Risks in NSW Government Procurement – Recommendations to Government (2011).

While all six councils had procurement policies in place and were generally compliant with legislative requirements, this report has identified common gaps in processes and practices that expose risks to transparency, accountability and value for money.

This section discusses how councils can mitigate risks and ensure the best outcomes are achieved from their procurements.

Documented justification of procurement needs

The ICAC notes that determining what goods and services an agency requires is the first step of procurement, and the scope for corruption in how need is determined is significant. Without documenting how procurement needs have been justified, councils cannot demonstrate that they fulfill business needs, nor how the procurements may link to the councils’ strategic plans to deliver to the community.

This audit found that none of the six councils’ policies required them to document justification of procurement needs, and none did so consistently in practice. Councils can address this gap by building into their procurement planning process a requirement for staff to document the justification of procurement needs. For higher value procurements, this could be extended to include analysis of options, an assessment of risks and defining intended outcomes. Similarly, clearly establishing and documenting how relevant procurements relate to a council’s community strategic plans or operational plans helps ensure transparency.

Although a formal business case may not be required for many procurements (for example, low-value procurements or routine replacements), some form of documented justification for the expenditure should still be kept on record to demonstrate that the procurement relates to business purposes and is needed.

Segregation of duties

Segregation of duties is an effective control for reducing risks of error, fraud and corruption in procurement. It works on the principle that one person should not have end-to-end control of a procurement. Effective segregation of duties also often involves managerial or independent oversight that is built into the process. Four of the audited councils (Cumberland City Council, Georges River Council, Lockhart Shire Council and Wollongong City Council) appropriately addressed segregation of duties in their procurement frameworks. For example:

All procurements in Cumberland City Council required a delegated officer’s approval before commencing, and the requisitioning department is responsible for ensuring the completion of the goods, works or services associated with each contract. For contracts over $50,000, a specific ‘Authority to Procure’ form had to be completed by the requesting staff, signed by an approver and then forwarded to the procurement team.
Reflecting its small size, all procurements in Lockhart Shire Council were managed by one senior staff member. Nevertheless, this staff member had to bring contract management plans to the rest of the Executive Leadership Team for review and discussion, with large contracts such as those above the tender threshold referred to Council for approval.

The ICAC notes that segregation of duties helps to control discretion, which has particular risk implications for some types of procurement.₂This includes those involving low-value and high-volume transactions, restricted tenders, long-standing procurements and ‘pet projects’ (projects advocated by individual staff members). In cases where corruption risks are low, ICAC notes that monitoring staff’s involvement in procurement may be a cost-effective alternative to total segregation of duties.

Assessment of supplier performance

Councils need to monitor and assess supplier performance to ensure suppliers deliver the goods and services as agreed. The audit found that all six councils consistently monitored progress in capital works and for externally funded projects. Contract monitoring in these cases included ensuring timelines, funding, and legislative requirements were met. This is positive, as capital works made up the bulk of procurements (in terms of volume) in all of the audited councils.

That said, in all six councils, the level of scrutiny was lower for other types of procurements, and there is scope for improvement. For instance, the approach to monitoring capital works or externally funded projects could be replicated across other procurements of a similar nature and value. Conducting assessments and keeping records of supplier performance on all procurements does not need to be onerous, but instead provides useful information to inform future decision-making—including by helping ensure supplier pricing remains competitive, and avoiding re-engaging underperforming suppliers.

The NSW Government Procurement Policy Framework requires that NSW Government agencies establish systems and processes jointly with the suppliers to ensure compliance with contract terms and performance requirements. It also advises that agencies should drive continuous improvement and encourage innovation in coordination with suppliers and key stakeholders.

Centralised contract register

Centrally registering a contract provides improved transparency of procurement activities and facilitates monitoring and compliance checks. While councils are already required to maintain a contract register for all contracts above the reporting threshold (as per the GIPA Act), given the threshold is set at a relatively high benchmark ($150,000), there is merit in councils extending the practice to procurements below the reporting threshold. A central and comprehensive register of contracts helps avoid duplication of procurements and re-contracting of underperforming suppliers.

Three of the audited councils (Georges River Council, Tweed Shire Council and Wollongong City Council) had contract register policies that applied to procurements below the reporting threshold during the audited period. For example, Georges River Council required contracts valued at $10,000 or above to be registered with the procurement team, and Tweed Shire Council had a threshold of $50,000.

Evaluation of community outcomes and value for money

Councils may be progressing procurements to fulfill their strategic and business plans, or using them to fulfill commitments to the community. In these instances, outcomes evaluation is an important way to demonstrate to the community that the intended benefits and value for money have been delivered.

Five of the six audited councils did not require evaluations of community outcomes and value for money. While Georges River Council required contracts valued at $50,000 or more to be monitored, evaluated and reported on at least annually throughout the contract and also at its conclusion, in the procurements we examined the only ‘outcome evaluations’ that the council had conducted were community surveys that did not refer to individual procurements. Councils can miss opportunities to understand the impact of their work on the local community if evaluations of procurement outcomes are not completed. Evaluation findings are also valuable in guiding future resource allocation decisions.

Value for money in the procurement of goods and services is more than just having the specified goods delivered or services carried out. The NSW Government Procurement Policy Framework requires that state government agencies track and report benefits to demonstrate how value for money is being delivered. The framework notes that value for money is not necessarily the lowest price, nor the highest quality good or service, but requires a balanced assessment of a range of financial and non-financial factors, such as: quality, cost, fitness for purpose, capability, capacity, risk, total cost of ownership or other relevant factors.

Procurement training

Effective procurement management relies on the capability of staff involved in various stages of the process. Guidance can be provided through training, which is an important element of any procurement management framework. It ensures that staff members are aware of the councils' policies and procedures. If structured appropriately and provided in a timely manner, training can help to standardise practices, ensure compliance, reduce chances of error, and mitigate risks of fraud or corruption.

The ICAC notes that effective procurement management depends on the competence of staff undertaking procurements and the competence of those who oversee procurement activities. As the public sector is characterised by varying levels of procurement expertise, the ICAC notes that the sector would benefit from a structured approach to training and the application of minimum standards.₃

At the time of this audit, only Wollongong City Council addressed staff training requirements in its procurement management framework. Exhibit 8 details its approach.

Exhibit 8: Wollongong City Council's approach to training
Wollongong City Council has a suite of procurement training available for staff, administered by a dedicated staff member who also monitors attendance and training needs
Staff must complete training before they can take part in a procurement or be a member of a tender assessment panel, and the council keeps a list of all accredited staff members.
Staff cannot access procurement files on the council's electronic records management system until they have received training and have been approved for access by the trainer.
Staff must be trained before they can receive a financial delegation.

Source: Audit Office of New South Wales analysis of Wollongong City Council's procurement policies and procedures 2020.

Two of the audited councils have now also introduced procurement training:

Georges River Council implemented online training, which is mandatory for new staff and serves as refresher training for existing staff. The council also provides in-person training for selected staff (covering contract management, contract specification writing and contractor relationship management) and has developed quick reference cards for all staff to increase awareness of the council's procurement processes.
Tweed Shire Council implemented mandatory online training for all staff members. The training covers the council's procurement policy and protocol as well as relevant legislation. It is linked to relevant council documents such as the Procurement Toolkit on the council's intranet, and includes a quiz for which training participants must score at least 80 per cent to have the training marked as completed.

(2) ICAC (2011) Corruption Risks in NSW Government Procurement – The Management Challenge.

(3) ICAC (2011) Corruption Risks in NSW Government Procurement – Recommendations to Government.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Councils’ procurement contracts

Appendix three – About the audit

Appendix four – Performance auditing

Parliamentary reference - Report number #345 - released 17 December 2020

26 November 2020

Published

Waste levy and grants for waste infrastructure

Planning

Environment

Management and administration

Regulation

Risk

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.

The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014.

Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure.

The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.

Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.

This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.

The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.

The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.

One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.

Conclusion

The waste levy has a positive impact on diverting waste from landfill. However, aspects of the EPA's administration of the waste levy could be improved, including the frequency of its modelling of the waste levy impact and coverage, and the timeliness of reporting. Grant funding programs have supported increases in recycling capacity but are not guided by a clear strategy for investment in waste infrastructure which would help effectively target them to where waste infrastructure is most needed. Data published by the EPA indicates that the NSW Government is on track to meet the recycling target for construction and demolition waste, but recycling targets for municipal solid waste and commercial and industrial waste are unlikely to be met.

Waste levy

The waste levy rate, including a schedule of annual increases to 2016, was set by the NSW Government in 2009. Since 2016, the waste levy rate has increased in line with the consumer price index (CPI). The EPA has not conducted recent modelling to test whether the waste levy is set at the optimal level to achieve its objectives. The waste levy operation was last reviewed in 2012, although some specific aspects of the waste levy have been reviewed more recently, including reviews of waste levy rates for two types of waste. The waste levy is applied at different rates across the state. Decisions about which local government areas (LGAs) are subject to the levy, and which rate each LGA pays, were made in 2009 and potential changes were considered but not implemented in 2014. Currently, there are no objective and transparent criteria for determining which LGAs pay the levy. The EPA collects waste data from waste operators. This data has improved since 2015, but published data is at least one year out of date which limits its usefulness to stakeholders when making decisions relating to waste management.

Grants for waste infrastructure

All state funding for new and enhanced waste infrastructure in NSW is administered through grants to councils and commercial waste operators. The government's Waste and Resource Recovery (WARR) Strategy 2014–21 includes few priorities for waste infrastructure and there is no other waste infrastructure strategy in place to guide investment. The absence of a formal strategy to guide infrastructure investment in NSW limits the ability of the State Government to develop a shared understanding between planners, councils and the waste industry about waste infrastructure requirements and priorities. The Department of Planning, Industry and Environment is currently developing a 20-year waste strategy and there is an opportunity for the government to take a more direct role in planning the type, location and timing of waste infrastructure needed in NSW.

The grants administration procedures used for the grant programs reviewed in this audit were well designed. However, we identified some gaps in risk management, record-keeping and consistency of information provided to applicants and assessment teams. In four of the five programs we examined, there was no direct alignment between program objectives and the NSW Government's overall waste targets.

Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:

Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
Increase waste diverted from landfill to 75 per cent.

A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.

Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.
In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:

Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
Litter grants which provide funding for litter bins.
Weighbridges grants for installation of a weighbridge at waste facilities.
Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.

Appendix one – Responses from audited agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #343 - released 26 November 2020

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

24 September 2020

Published

Support for regional town water infrastructure

Industry

Environment

Local Government

Infrastructure

Management and administration

Regulation

Risk

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Planning, Industry and Environment has effectively supported the planning for, and funding of, town water infrastructure in regional NSW.

The audit found that the department has not effectively supported or overseen town water infrastructure planning since at least 2014. It does not have a clear regulatory approach and lacks internal procedures and data to guide its support for local water utilities that service around 1.85 million people in regional NSW.

The audit also found that the department has not had a strategy in place to target investments in town water infrastructure to the areas of greatest priority. A state-wide plan is now in development.

The Auditor-General made seven recommendations to the department, aimed at improving the administration and transparency of its oversight, support and funding for town water infrastructure, and at strengthening its sector engagement and interagency coordination on town water planning issues and investments.

According to the Auditor-General, ‘A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and to work with local water utilities to help avoid future shortages of safe water in regional towns and cities.’

This report is part of a multi-volume series on the theme of water. Refer to ‘Water conservation in Greater Sydney’ and ‘Water management and regulation – undertaking in 2020-21’.

Read full report (PDF)

Safe and reliable water and sewer services are essential for community health and wellbeing, environmental protection, and economic productivity. In 2019, during intense drought, around ten regional New South Wales (NSW) cities or towns were close to ‘zero’ water and others had six to 12 months of supply. In some towns, water quality was declared unsafe.

Ensuring the right water and sewer infrastructure in regional NSW to deliver these services (known as 'town water infrastructure') involves a strategic, integrated approach to water management. The NSW Government committed to ‘secure long-term potable water supplies for towns and cities’ in 2011. In 2019, it reiterated a commitment to invest in water security by funding town water infrastructure projects.

The New South Wales’ Water Management Act 2000 (WM Act) aims to promote the sustainable, integrated and best practice management of the State’s water resources, and establishes the priority of town water for meeting critical human needs.

The Department of Planning, Industry and Environment (the department) is the lead agency for water resource policy, regulation and planning in NSW. It is also responsible for ensuring water management is consistent with the shared commitments of the Australian, State and Territory Governments under the National Water Initiative. This includes the provision of healthy, safe and reliable water supplies, and reporting on the performance of water utilities.

Ninety-two Local Water Utilities (LWUs) plan for, price and deliver town water services in regional NSW. Eighty-nine are operated by local councils under the New South Wales’ Local Government Act 1993, and other LWUs exercise their functions under the WM Act. The Minister for Water, Property and Housing is the responsible minister for water supply functions under both acts.

The department is the primary regulator of LWUs. NSW Health, the NSW Environment Protection Authority (EPA) and the Natural Access Resource Regulator (NRAR) also regulate aspects of LWUs' operations. The department’s legislative powers with respect to LWUs cover approving infrastructure developments and intervening where there are town water risks, or in emergencies. In this context, the department administers the Best Practice Management of Water Supply and Sewerage Guidelines (BPM Guidelines) to support its regulation and to assist LWUs to strategically plan and price their services, including their planning for town water infrastructure.

Under the BPM Guidelines, the department supports LWU’s town water infrastructure planning with the Integrated Water Cycle Management (IWCM) Checklist. The Checklist outlines steps for LWUs to prepare an IWCM strategy: a long-term planning document that sets out town water priorities, including infrastructure and non-infrastructure investments, water conservation and drought measures. The department's objective is to review and approve (i.e. give ‘concurrence to’) an IWCM strategy before the LWU implements it. In turn, these documents should provide the department with evidence of town water risks, issues and infrastructure priorities.

The department also assesses and co-funds LWU's town water infrastructure projects. In 2017, the department launched the $1 billion Safe and Secure Water Program to ensure town water infrastructure in regional NSW is secure and meets current health and environmental standards. The program was initially established under the Restart NSW Fund.

This audit examined whether the department has effectively supported the planning for and funding of town water infrastructure in regional NSW. It focused on the department’s activities since 2014. This audit follows a previous Audit Office of NSW report which found that the department had helped to promote better management practices in the LWU sector, up to 2012–13.

Conclusion

The Department of Planning, Industry and Environment has not effectively supported or overseen town water infrastructure planning in regional NSW since at least 2014. It has also lacked a strategic, evidence-based approach to target investments in town water infrastructure.

A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and work with Local Water Utilities to help avoid future shortages of safe water in regional towns and cities.

The department has had limited impact on facilitating Local Water Utilities’ (LWU) strategic town water planning. Its lack of internal procedures, records and data mean that the department cannot demonstrate it has effectively engaged, guided or supported the LWU sector in Integrated Water Cycle Management (IWCM) planning over the past six years. Today, less than ten per cent of the 92 LWUs have an IWCM strategy approved by the department.

The department did not design or implement a strategic approach for targeting town water infrastructure investment through its $1 billion Safe and Secure Water Program (SSWP). Most projects in the program were reviewed by a technical panel but there was limited evidence available about regional and local priorities to inform strategic project assessments. About a third of funded SSWP projects were recommended via various alternative processes that were not transparent. The department also lacks systems for integrated project monitoring and program evaluation to determine the contribution of its investments to improved town water outcomes for communities. The department has recently developed a risk-based framework to inform future town water infrastructure funding priorities.

The department does not have strategic water plans in place at state and regional levels: a key objective of these is to improve town water for regional communities. The department started a program of regional water planning in 2018, following the NSW Government’s commitment to this in 2014. It also started developing a state water strategy in 2020, as part of an integrated water planning framework to align local, regional and state priorities. One of 12 regional water strategies has been completed and the remaining strategies are being developed to an accelerated timeframe: this has limited the department’s engagement with some LWUs on town water risks and priorities.

Regional New South Wales (NSW) is home to about a third of the state's population. Infrastructure that provides safe and reliable water and sewer services (also known simply as 'town water infrastructure') is essential for community health and wellbeing, environmental protection, and economic productivity. Planning for and meeting these infrastructure needs, as well as identifying when non-infrastructure options may be a better solution, involves a strategic and integrated approach to water resource management in regional NSW.

We examined whether the department has effectively supported planning for town water infrastructure since 2014. This assessment was made in the context of its current approach to LWU sector regulation. The findings below focus on whether the department has an effective framework including governance arrangements for town water issues to inform state-wide strategic water planning, and whether (at the local level) the department has effectively overseen and facilitated town water infrastructure planning through its Integrated Water Cycle Management (IWCM) planning guidance to LWUs.

We examined whether the department has effectively targeted town water infrastructure funding to policy objectives, with a focus on the design and implementation of the Safe and Secure Water Program (SSWP) since its commencement in 2017. The program’s aim was to fund town water infrastructure projects that would deliver health, social and environmental benefits, and support economic growth and productivity. We also assessed the department’s capacity to demonstrate the outcomes of the SSWP funding and the contributions of its town water infrastructure investments more broadly. Finally, we identified risks to the effectiveness of the department’s work underway since 2018–19, which is intended to enhance its strategic water planning and approach to prioritising investments in reducing town water risks.

Appendix one – Response from agency

Appendix two – Key terms

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #341 - released 24 September 2020

23 June 2020

Published

Water conservation in Greater Sydney

Environment

Industry

Infrastructure

Internal controls and governance

Management and administration

Regulation

Risk

This report examines whether the Department of Planning, Industry and Environment, and Sydney Water have effectively progressed water conservation initiatives in Greater Sydney.

The report found that the department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney. The agencies have not met key requirements of the current Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

The Auditor-General recommends the department develop a clear policy and regulatory position on water conservation options, improve governance and funding for water conservation, and work with Sydney Water to assess the viability of water conservation initiatives. The report also recommends improvements to Sydney Water’s planning for and reporting on water conservation, including the transparency of this information.

This report is part of a multi-volume series on the theme of water. Refer to ‘Support for regional town water infrastructure’ and ‘Water management and regulation – undertaking in 2020-21’.

Read full report (PDF)

The current, 2017 Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

Water conservation refers to water recycling, leakage management and programs to enhance water efficiency. Water recycling refers to both harvesting stormwater for beneficial use and reusing wastewater.

This audit examined whether water conservation initiatives for the Greater Sydney Metropolitan area are effectively investigated, implemented and supported. We audited the Department of Planning, Industry and Environment (the Department) and the Sydney Water Corporation (Sydney Water), with a focus on activities since 2016.

The Department is responsible for the integrated and sustainable management of the state’s water resources under the Water Management Act 2000, which includes encouraging ‘best practice in the management and use of water’ as an objective. The Department is also responsible for strategic water policy and planning for Greater Sydney, including implementing the Metropolitan Water Plan.

Sydney Water is a state-owned corporation and the supplier of water, wastewater, recycled water and some stormwater services to more than five million people in Greater Sydney. It is regulated by an operating licence that is issued by the Governor on the recommendation of the Independent Pricing and Regulatory Tribunal (IPART). The Tribunal determines Sydney Water’s maximum prices, reviews its operating licence and monitors compliance. Sydney Water's operating licence and reporting manual set out requirements for its planning, implementing and reporting of water conservation.

From 2007 to 2012, the Climate Change Fund was a source of funds for water conservation activities to be undertaken by the Department and Sydney Water. The Climate Change Fund was established under the Energy and Utilities Administration Act 1987. Four of its six objectives relate to water savings. Water distributors such as Sydney Water can be issued with orders to contribute funds for water-related programs. The Fund is administered by the Department.

In 2016, Sydney Water developed a method for determining whether and how much to invest in water conservation. Known as the ‘Economic Level of Water Conservation’ (ELWC), the method identifies whether it costs less to implement a water conservation initiative than the value of the water saved, in which case the initiative should be implemented.

Conclusion

The Department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney.

The agencies have not met key requirements of the Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Department has not undertaken an annual assessment of Sydney Water’s level of investment in water conservation against water security risks and the capacity to respond when drought conditions return, as required by the Metropolitan Water Plan. It did not complete identified research and planning activities to support the plan, such as developing and using a framework for assessing the potential for water conservation initiatives for Greater Sydney, and developing a long-term strategy for water conservation and water recycling. It also did not finalise a monitoring, evaluation, reporting and improvement strategy to support the plan.

Sydney Water has been ineffective in driving water conservation initiatives, delivering detailed planning and resourcing for ongoing initiatives, and in increasing its investment in water conservation during drought. These were requirements of the Metropolitan Water Plan. Sydney Water's reporting on water conservation has not met all its operating licence requirements and lacked transparency with limited information on key aspects such as planning for leakage management, how the viability of potential initiatives were assessed, and how adopted initiatives are tracking.

The Department and Sydney Water did not put in place sufficient governance arrangements, including clarifying and agreeing responsibilities for key water conservation planning, delivery and reporting activities. There has also been limited collaboration, capacity building and community engagement to support water conservation, particularly outside times of drought.

Appendix one – Responses from agencies

Appendix two – About the audit

Appendix three – Glossary

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #336 - released 23 June 2020

7 April 2020

Published

Integrity of data in the Births, Deaths and Marriages Register

Justice

Premier and Cabinet

Whole of Government

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #330 - released 7 April 2020.

5 March 2020

Published

Report on Local Government 2019

Local Government

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Service delivery

Shared services and collaboration

Workforce and capability

I am pleased to present my third report to the Parliament on the 2019 audits of local government councils in New South Wales.

This report notes that unqualified audit opinions were issued on the 2018–19 financial statements of 134 councils and 11 joint organisations. The opinion for one council was disclaimed and three audits are yet to complete.

The report also highlights improvements I have seen in financial reporting and governance arrangements across councils. Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices, including fraud control systems, have also improved.

These are very pleasing indicators of the gradual strengthening of governance and financial oversight of the sector. I want to acknowledge the investment councils have made in working with the Audit Office to improve consistency of practice and accountability generally.

Of course there is more work to do, particularly to prepare for new accounting standards and to strengthen controls over information technology and cyber security management. Asset management practices can also be improved. This report provides some guidance to council on these matters and we will continue to partner with the Office of Local Government in the Department of Planning, Industry and Environment to support good practice.

Margaret Crawford

Auditor-General
5 March 2020

This report focuses on key observations and findings from the 2018–19 financial audits of councils and joint organisations.

Unqualified audit opinions were issued on the financial statements for 134 councils and 11 joint organisations. The audit opinion for Bayside’s 2017–18 and 2018–19 financial statements were disclaimed. Three audits are still in progress and will be included in next year’s report.

The report highlights a number of areas where there has been improvement. There was a reduction in errors identified in council financial statements and high risk issues reported in audit management letters. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices and fraud control systems have also improved.

The report also found that councils could do more to be better prepared for the new accounting standards, asset management practices could be strengthened, and information technology controls and cyber security management could be improved.

The Auditor-General recommended that the Office of Local Government within the Department of Planning, Industry and Environment develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

Read the PDF Report

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision making is enhanced when financial reporting is accurate and timely. Strong financial performance provides the platform for councils to deliver services and respond to community needs.

This chapter outlines our audit observations on the financial reporting and performance of councils and joint organisations.

Section highlights

There was a reduction in the number and dollar value of errors identified in councils' financial statements.
We continue to identify prior period errors, which are predominantly asset-related.
Unqualified audit opinions were issued for 99 per cent of completed audits for councils and joint organisations.
Three audits remain outstanding, with the outcomes to be reported in next year's Report to Parliament.
Seventy-nine per cent of councils and joint organisations lodged their financial reports by 31 October 2019.
Councils that performed some early reporting procedures achieved better outcomes in terms of the quality and timeliness of financial reporting.
Councils are at various levels of preparedness to implement the new accounting standards for the 2019–20 financial year. Some have made the necessary modifications to systems and processes, but others are still assessing impacts.
Most councils met the prescribed benchmarks for the liquidity and working capital performance measures over the past three years.
More councils reported negative operating performance compared with the prior year, meaning their operating expenditure exceeded their operating revenue.

Strong governance systems and internal controls help councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations and support ethical government.

This chapter outlines the overall trends related to governance and internal control issues across councils and joint organisations for 2018–19.

Section highlights

While the total number of issues reported in our management letters increased compared with the prior year, the total number of high risk issues have decreased. Of the high-risk issues, 41 per cent were deficiencies in information technology controls.
More councils have established audit, risk and improvement committees and internal audit functions.
Councils have improved risk management practices, with over 75 per cent of councils now having a risk management policy and register.
While most councils have policies and processes to manage gifts and benefits, we identified some instances of non-compliance with the Model Code of Conduct.
Most councils have policies and processes to manage the use of credit cards.
Councils can strengthen policies and practices for managing fraud controls and legislative compliance.
There are further opportunities for councils to improve internal controls over revenue, purchasing, payroll, cash, financial accounting and governance processes.

Councils rely on information technology (IT) to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that council needs to address.

In prior years, we reported that councils need to improve IT governance and controls to manage key financial systems. This chapter outlines the progress made by councils in the management of key IT risks and controls, with an added focus on cyber security.

Section highlights

We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse.
Many councils do not have IT policies and procedures and others do not identify, monitor or report on IT risks.
Cyber security management requires improvement, with some basic elements of governance not yet in place for many councils.

Councils are responsible for managing a significant range of assets to deliver services on behalf of the community.

This chapter outlines our asset management observations across councils and joint organisations.

Section highlights

There was an increase in the total number of issues reported in our management letters for asset management processes.
There were less high-risk issues reported compared to the previous year.
We continue to identify discrepancies between the council's Crown land asset records and the Crown Land Information Database (CLID) managed by the former Department of Industry (DOI).
Inconsistent practices remain across the Local Government sector in accounting for landfill sites.

Appendix one – Response from the Office of Local Government within the Department of Planning, Industry and Environment

Appendix two – Status of 2018 recommendations

Appendix three – Status of audits

Copyright notice

20 December 2017

Published

Internal Controls and Governance 2017

Finance

Education

Community Services

Health

Justice

Whole of Government

Asset valuation

Compliance

Cyber security

Information technology

Internal controls and governance

Project management

Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.

1. Overall trends

New and repeat findings	The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.
High risk findings	Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.
Common findings	Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security	Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.
Cyber security	Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.
Other IT systems	Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment	Agencies report delays delivering against the significant increase in their budgets for capital projects.
Capital projects	Agencies are underspending their capital budgets and some can improve capital project governance.
Asset disposals	Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements	Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.
Shared services	Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework	Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.
Conflicts of interest	All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management

Risk management maturity	All agencies have implemented risk management frameworks, but with varying levels of maturity.
Risk management elements	Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

Overall trends
Information technology
Asset management
Governance
Ethics and conduct
Risk management.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues	Recommendations
1.1 New and repeat findings
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.	Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.
1.2 High risk findings
We found seven high risk internal control deficiencies, which might significantly affect agencies.	Recommendation Agencies should rectify high risk internal control deficiencies as a priority
1.3 Common findings
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies.	Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.

Issues

Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

establish and enforce clear policies and procedures
review user access regularly
remove user access for terminated staff promptly
change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

only grant privileged access in line with the responsibilities of a position
review the level of access regularly
limit privileged access to necessary functions and data
monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

minimum password lengths and complexity requirements
limits on the number of failed log-in attempts
password history (such as the number of passwords remembered)
maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

manage their major capital projects
dispose of existing assets.

Issues

Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 percent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3. Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues

Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

regular public disclosure of key performance information
disclosure of both positive and negative information
prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

specify the controls a provider must maintain
specify key performance targets
include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues

Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

requiring senior executives to make a conflict-of-interest declaration at least annually
implementing processes to identify and address outstanding declarations
providing annual training to staff
maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues

Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

'Risk Management Toolkit for the NSW Public Sector'
'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

setting an appropriate tone from the top
training all staff in effective risk management
ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

30 March 2017

Published

2016 - An overview

Education

Community Services

Finance

Health

Industry

Justice

Local Government

Planning

Premier and Cabinet

Transport

Treasury

Universities

Whole of Government

Environment

Asset valuation

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Regulation

Risk

Service delivery

Shared services and collaboration

Workforce and capability

This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.

This report focuses on key observations and common issues identified from our financial, performance and compliance audits in 2016, and identifies examples of good practice. It also looks forward to where we will focus our efforts in 2017.

We have summarised our observations and findings for 2016 in four chapters:

Financial Performance and Reporting
Financial Controls
Governance
Service Delivery.

Key observations and common issues identified across several agencies will often apply more broadly across the NSW public sector. For this reason, we hope this report is a useful tool for agency management and Audit and Risk Committees to assess our observations and common issues and consider the impact on their agencies. The report provides links to other reports and refers to other useful reference material.

Our financial audits provide independent opinions on NSW agencies’ financial statements. They consider whether agencies have complied with accounting standards, relevant laws, regulations and government directions. They also identify and report internal control weaknesses and matters of governance interest, and make recommendations to address deficiencies.

Our performance and compliance audits build on the financial audits by reviewing and concluding on whether taxpayers’ money is being spent efficiently, effectively, economically and in accordance with the law.

Financial Reporting
Financial Reporting	The quality and timeliness of financial reporting continued to improve across the NSW public sector. NSW Treasury’s early close procedures helped facilitate this.
Financial Controls
Internal Controls	More needs to be done to implement audit recommendations on a timely basis.
Information Technology	Agencies continue to face challenges in managing information security.
Internal controls at shared service providers	Clients of ServiceFirst and GovConnect were unable to rely on the service providers’ internal controls increasing the risks of fraud, error and inappropriate access to data.
Governance
Cluster governance	Cluster governance arrangements that support cluster accountability, performance monitoring, risk and compliance management are unclear.
Management oversight	We identified deficiencies in the oversight and management of Crown Land, specifically sale and lease transactions.
Project governance	Project cost and time overruns continue to occur.
Service Delivery
Premiers and State Priorities	According to agency data, which we have not audited, some Premier's and State Priorities are at risk of not being achieved. A comprehensive report of performance against the State Priorities is not published.
Delivering Government Services	The NSW Government's program evaluation initiative has been largely ineffective. We found government decision makers are not always receiving enough information to make evidence based decisions.
Reporting on Performance	We found agencies’ performance was not routinely measured, evaluated or publicly reported.

Financial performance and reporting

The quality and timeliness of financial reporting continues to improve

Only one qualified opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. The audit opinion for the Office of the NSW State Emergency Service was qualified because effective controls over fundraising activities did not operate for the entire year.

Since NSW Treasury introduced its ‘early close procedures’ initiative in 2011–12, the number of reported misstatements and significant matters have fallen considerably across the NSW public sector. The number of misstatements has fallen from 1,077 in 2011–12 to 298 in 2015–16.

Most agencies submitted and signed their financial statements on time, which enabled more audits to be completed within three months of year end. In 2015–16, 204 of 286 agencies’ financial statements and audit opinions were signed within three months of the year end, compared to only 67 in 2010–11.

NSW Treasury has narrowed the scope of mandatory early close procedures

NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures, which may diminish the good performance achieved in recent years.

To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years. These include:

resolving all past audit issues
performing key account reconciliations
agreeing and confirming inter and intra (cluster) agency balances and transactions
identifying material, complex and one-off transactions
preparing quality workpapers to support balances with variance analysis and meaningful explanations for movements
adequate review by management and Audit and Risk Committees.

Financial controls

More needs to be done to implement audit recommendations

More needs to be done to implement audit recommendations on a timely basis. Internal control issues were identified in previous audits, but had not been adequately addressed. Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner.

Agencies continue to face challenges managing information security

Our financial audits identified opportunities to improve IT control environments, with most information technology issues relating to information security. We also found service level arrangements with IT service providers did not always adequately address information security risks.

Agencies should ensure information security controls and contractual arrangements with IT service providers adequately protect their data.

Internal controls at GovConnect were ineffective in 2015–16

GovConnect provides information technology and transactional services to agencies within the NSW Public Sector. Service levels fell during the transition of shared services from ServiceFirst to GovConnect and NSW public sector agencies using these services were unable to rely on controls over financial transactions and information. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect did not ensure effective control over client transactions and data. This increased the risk of fraud and error, and inappropriate access to information.

Governance

Cluster governance arrangements are unclear

The sale and lease of Crown land is not being managed effectively

Our 2016 performance audit found limited oversight of sales and leases of Crown land by the Department of Industry - Lands. The Department has only just started monitoring whether tenants are complying with lease conditions, and does not have a clear view of what is happening on most leased Crown land.

Most guidance to staff had not been updated for a decade, contributing to staff sometimes incorrectly implementing policies on rental rebates, unpaid rent, rent redeterminations and the direct negotiation of sales and leases on Crown land. Between 2012 and 2015, 97 per cent of leases and 50 per cent of sales were negotiated directly between the Department and individuals, without a public expression of interest process.

Project cost and time overruns continue to occur

Our audits continue to highlight project management, cost and time issues. The Government’s 2016–17 Infrastructure Statement forecasts a $73.3 billion investment program to 2019–20. Good governance of individual projects is critical to ensure the investment program delivers the intended outcomes to the desired quality, on time and on budget.

A strong risk culture is fundamental to successful risk management

Our assessment of a sample of 33 agencies found that while agencies have risk management governance structures in place, they need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents.

Agencies are not fully complying with the GIPA Act

Our review of 13 agencies from across each cluster found varying degrees of non-compliance with recording and disclosure aspects of the GIPA Act by each agency. Our 2016 Special Report 'Compliance with the GIPA Act' details our findings and makes recommendations to help agencies comply with the requirements of the Act.

Service delivery

Some Premier's and State Priorities at risk of not being achieved

Agency data, which we have not audited, indicates some Premier's and State Priorities are at risk of not being achieved. We found that although performance reporting against the Premier’s Priorities is publicly reported, comprehensive performance reporting against the 18 State Priorities is not.

We will continue to report on performance against the targets to assess whether agency initiatives are delivering intended outcomes.

Government does not always get enough information for evidence-based decisions

The NSW Government’s program evaluation initiative has been largely ineffective. A performance audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters and made recommendations for improvements to program evaluation.

Performance is not always measured, evaluated or publicly reported

Inadequate performance measures and reporting that is primarily internal reduces the transparency of agency performance and makes it hard for the public to assess if the agencies are doing a good job. Our audits found instances where performance outcomes were not being measured, evaluated or publicly reported.

Agencies need to consider whether their performance measurement frameworks adequately measure performance and outcomes so they can make evidence-based decisions and be publicly accountable.

Commissioning and contestability continues to increase

New ways of delivering services across NSW Government are being developed and implemented, including commissioning and contestability arrangements. Commissioning services and introducing new systems can be challenging and it is important for this to be managed well. The learnings from decommissioning ServiceFirst and commissioning GovConnect should be applied to future commissioning arrangements.

NSW Treasury has developed a 'Government Commissioning and Contestability Policy', which is supported by the 'NSW Government Commissioning and Contestability Practice Guide'.

In 2017, we will build on our 2016 financial audits and continue to report our observations and findings as they relate to financial performance and reporting, financial controls, governance and service delivery. We also plan to review agencies' compliance with government travel policies at key agencies in each cluster.

In 2017, we will restructure our financial audit volumes to report our observations and findings on agencies’ financial controls and governance in one cross-sector report to Parliament in September. This will provide the Parliament with more timely reporting on these aspects of our audits. Our observations and findings on agencies’ financial performance and reporting, and service delivery will continue to be reported on a cluster by cluster basis through November and early December.

Our 2017 performance audits will have regard to what we see as key risks and opportunities for the NSW Government, and the Premier's and State Priorities. The program will aim to cover each NSW Government cluster, and focus on how efficiently, effectively and economically they deliver services and other outcomes.

Legislative reforms in the Local Government Amendment (Governance and Planning) Act 2016 have extended the Auditor-General's mandate to the Local Government sector. The expanded mandate includes auditing all NSW local council financial statements and conducting performance audits across the local government sector. The reforms generally bring NSW in line with most other Australian States.

We will report financial audit outcomes and our observations after the 30 June 2017 council audits are completed. Most are expected to complete by the end of October 2017. Our 2017 performance audits will examine and report on whether councils are operating efficiently, effectively, economically and in accordance with the law. In 2017–18, our performance audits will consider how councils are reporting on service delivery, managing shared services and the risk of fraud.

2017 – Issues, risks and opportunities impacting the NSW Government

Our 2017 audits will consider some of the following issues, risks and opportunities impacting the NSW Government.

In mid-2017, we will publish our rolling three-year performance audit program. This will include the performance audits we expect to perform in 2017–18 and the next two financial years. The program can be located at http://www.audit.nsw.gov.au/audit-program

Area of focus	Considerations	Audit Office response
Ensuring services meet citizen needs	The primary role of state and local government is to provide services to citizens. Today's society is less satisfied with one-size-fits-all services and its citizens want to have a say on the services they need and how they are delivered. This challenges governments to improve engagement with citizens, design services with them and support them in selecting the services that best meet their needs. At the same time, governments have to provide the services within constrained financial environments, and cater for ageing populations and strong population growth, particularly in metropolitan areas.	We will: focus our work on services that are important to citizens keep abreast of best practice and strategies used elsewhere to create more citizen centric services develop our understanding of the key trends putting pressure on government service delivery seek opportunities to engage with citizens in undertaking our work.
Leveraging digital opportunities	We live in a digital world, and government is no exception. Digital technologies and the mass of data now available to governments presents opportunities to deliver better services more efficiently and economically. Services can be delivered through digital channels, and data analytics can inform demand, the supply of services and identify potential efficiencies. These opportunities come with risks, including cyber-attacks and privacy breaches.	We will: examine how well state agencies and councils are taking advantage of digital opportunities and managing risks use data analytics to enhance the quality of our audit work use technology to improve how we communicate our key messages.
Having good checks and balances	Citizens put faith in government agencies to make decisions in their best interests. It is imperative for government agencies to be clear about what they are trying to achieve and inform citizens on how they are meeting these objectives. While ethics, transparency, and effective governance and stewardship are critical, it is important for the checks and balances not to be so directive or cumbersome they hamper innovation, efficiency and agility.	We will consider the usual issues in our financial audits of agencies and councils. New areas and areas of focus will include: asset management processes,including quality and timeliness of asset valuations and the management of surplus land and property assets oversight and administration of significant grant programs standby assets, the cost to maintain them and their readiness for use benefits realisation for major projects and programs the financial and administrative impact of machinery of government changes engaging with state agencies and councils through workshops and seminars to promote good practices examining governance and internal controls publishing better practice guidance and promoting our Governance Lighthouse.
Getting value from commissioning	Governments, including the NSW Government, are increasingly outsourcing to or partnering with private and non-government organisations to deliver government services. Because outsourced service providers are not directly accountable to the NSW Parliament for their use of public resources, independent assurance that they are using tax payers’ funds efficiently and effectively would improve accountability. In other jurisdictions Auditors-General have been given powers to ‘go beyond’ the boundaries of agencies commissioning services and into the entities providing the services (‘follow the dollar’ powers). This is not the case in New South Wales. Commissioning brings with it new challenges needing different skills, such as developing and nurturing markets, and transitioning services into and out of government. The NSW Government's recently released Commissioning and Contestability Policy supports agencies entering into commissioning arrangements.	We will: audit agency and council commissioning arrangements and assess whether they are delivering the intended outcomes assess the capability of agencies entering into commissioning arrangements to manage them effectively. report the impact of not being able to provide assurance on the use of taxpayers’ dollars by non-government organisations identify and communicate lessons identified in our audits apply commissioning to our own activities.
Breaking down the silos	Government agencies working in silos can diminish service quality through inefficient duplication and overlap. Silos also increase the risk of people falling through the cracks. To achieve best value, silos can be broken down through a clear focus on outcomes and better collaboration, coordination, partnerships, shared services and joined-up government. This has been recognised for many years, but now with both the commitment and tools, inroads can be made to improve citizens' experiences. Governance arrangements, incentives and culture are critical to success.	We will: focus our efforts on areas where there are opportunities to break down silos identify barriers and enablers to joined-up-government, partnerships and collaboration promote good practice and publicise the benefits, both potential and realised work collaboratively and constructively with those we audit partner with and learn from private sector organisations we engage to provide audit services on our behalf.
Looking after future generations and the vulnerable	Governments need to plan for the long-term and consider future generations. They have an important stewardship role. Their decisions need to ensure inter-generational equity and prevent environmental degradation. A core role of government is to look after the vulnerable. Governments intervene in various ways to provide a social safety net. When they do so, it is critical that these interventions are equitable and deliver desired outcomes at a reasonable cost. Increasingly, it is about giving vulnerable people a bigger say in the services they receive.	We will: review the efficacy of projections upon which services are planned adopt a future focus in our work to identify emerging risks and encourage action before they materialise examine the effectiveness and efficiency of interventions designed to address disadvantage and improve equity identify emerging trends and good practice in designing and delivering services to the vulnerable.
A capable and diverse public sector	The public sector's lifeblood is its workforce. The effectiveness and efficiency of organisations comes directly from the good ideas, effort, commitment and ethics of the people they employ. Workforce management and succession planning, constructive and respected leaders, and diverse backgrounds and thoughts can enhance agency and council performance and customers' experiences. These attributes require good frameworks to develop key capabilities, manage staff performance and clarify responsibilities and accountabilities.	We will: monitor progress in delivering the NSW Government’s priority to have a diverse workforce examine strategies and programs designed to enhance key capabilities in councils and agencies identify areas where capability and diversity are lagging or are at risk,and offer practical improvement opportunities promote diversity in our own organisation through our diversity and inclusion plan, which includes strategies to increase female representation at all levels and participation in an Aboriginal internship program.
Investing in infrastructure to meet the needs of a growing population	The Government’s 2016–17 Infrastructure Statement forecasts a $73.3 billion investment program to 2019–20. Infrastructure investments of this magnitude carry significant risks. In light of weaknesses we identified in the past with the management of significant infrastructure projects, the Government needs to ensure it has the capability to manage project risks effectively. Governments also need to make sure infrastructure built today will meet future needs without creating an ongoing burden for future generations.	We will: review infrastructure planning and approval processes examine alternative financing and partnership models, including philanthropic and private sector involvement through vehicles such as social benefit bonds assess risk frameworks and project governance arrangements monitor maintenance spending and asset management practices identify and promote good practice and innovation.
Improving performance through transparency and accountability	NSW Treasury is implementing its Financial Management Transformation (FMT) program to replace ‘service group’ budgeting and reporting with program based budgeting and reporting. A project of this scale and complexity has many risks, which need to be carefully managed if the desired benefits are to be realised. The NSW Government's move to program budgeting and performance measurement will require appropriate key performance measures and indicators to track whether the programs are delivering the intended outcomes. Independent assurance over the appropriateness and accuracy of agency key performance measures and indicators would improve confidence in the reliability of the NSW Government performance data.	We will: review and assess the implementation and report on the impact of NSW Treasury's Financial Management Transformation program encourage transparency in reporting,and be transparent in our own practices, performance and reporting.
Preparing for changes to Australian Accounting Standards	For the first time, not-for-profit entities in the NSW public sector need to make disclosures about related parties in their 2017 financial statements. Identifying who the related parties are, and collecting and collating relevant information will be challenging. Other imminent changes to accounting standards have significant financial reporting implications for Government entities. Entities will need to plan and implement changes to systems and processes well in advance of the new requirements becoming effective.	We will: review and assess policies, systems and processes entities use to identify related parties and transactions, and the completeness and accuracy of the disclosures in the financial statements of agencies and councils work with NSW Treasury, the Office of Local Government, agencies and councils to determine the implications of the accounting standard changes and assess entities’ preparedness to implement them work with the Office of Local Government to streamline the Code of Accounting Practice.
Working together with local councils	Legislative reforms have resulted in significant changes to the Local Government sector. These include merging certain councils and extending the Auditor-General's mandate to audit all NSW local council financial statements and conduct performance audits across the Local Government sector.	We will: use our mandate to encourage consistency and promote learnings that enhance financial management,fiscal responsibility and public accountability across the local government sector use findings from our financial audits to inform our performance audit program work alongside councils and their audit committees as they implement changes to governance structures and business planning processes build our internal capacity, capability and knowledge of the Local Government sector to deliver a valuable and cost-effective service.

Financial performance and reporting are important elements of good governance. Confidence in public sector decision making and transparency is enhanced when financial and performance reporting are accurate and timely.

The preparation of accurate and timely financial statements by agencies is an important tool to ensure accountability and transparency in the use of public resources. As the NSW Government moves to program budgeting with a greater focus on performance and outcomes it will need to ensure the key performance indicators and data used to measure the outcomes are relevant, accurate and reliable. The NSW Government’s Financial Management Transformation (FMT) program aims to address this.

In 2015–16, our audit teams made the following key observations on the financial reporting of NSW public sector agencies.

Financial reporting
Observation	Conclusion
Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15.	The quality of financial reporting continued to improve across the NSW public sector.
More 2015–16 financial statements and audit opinions were signed within three months of the year end.	Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances.
NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures.	The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years. To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years.
Although most agencies complied with NSW Treasury’s early close asset revaluation procedures we identified areas where they can improve.	Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements.

Financial reporting

The quality and timeliness of financial reporting continues to improve across the NSW public sector.

Quality of financial reporting

Only one qualified audit opinion was issued on 2015–16 financial statements

Only one qualified opinion was issued on the 2015–16 financial statements of NSW public sector agencies, down from two in 2014–15. The audit opinion for the Office of the NSW State Emergency Service was qualified because effective controls over fundraising activities did not operate for the entire year. For further details, refer to page 16 in our Report on Law and Order, Emergency Services and the Arts.

Unqualified audit opinion issued for TAFE NSW after remediation

TAFE NSW’s audit opinion on its financial statements was qualified in 2014–15 due to system limitations, which prevented it from providing sufficient evidence to support its student revenue, student receivables, accrued income and unearned revenue balances. TAFE NSW dedicated considerable resources to address this issue in the short term.

Management resolved over 250,000 data exceptions and found revenue had been understated by $138 million in 2014–15. This was recorded as a prior-period error in the 2015–16 financial statements. For further details, refer to pages 17–18 in our Report on Industry, Skills, Electricity and Water.

The quality of financial reporting continues to improve

Since NSW Treasury introduced its mandatory ‘early close procedures’ initiative in 2011–12, the number of reported misstatements and significant matters in agency financial statements submitted for audit have fallen considerably across the NSW public sector. This is largely attributed to the early resolution of accounting issues, which helps agencies meet earlier reporting deadlines and improve the quality and accuracy of financial reporting. Whilst the quality and timeliness of financial reporting has continued to improve, the NSW Government will need to continue focusing on strong financial management across the NSW public sector to maximise performance and effectively manage assets and liabilities.

The table below shows the fall in misstatements over five years across NSW public sector agencies since mandatory early close procedures were introduced in 2011–12.

Number of misstatements
Year ended 30 June	2015-16	2014-15	2013-14	2012-13	2011-12
Total reported misstatements	298	396	459	661	1,077

All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.

Significant matters reported to the portfolio Minister, Treasurer and Agency Head

In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:

Transport for NSW needs to assess whether a $179 million fall in the carrying value of the bus fleet leased from the State Transit Authority has similar implications for the value of the bus fleet leased from private operators
issues were identified with how the Northern NSW Local Health District implemented its new rostering system, including rosters being 'force approved' by the system administrator, users having inappropriate access, no review of payroll exceptions and inadequate project governance over the system’s rollout
the Aboriginal and Torres Strait Islander Health Practice Council of New South Wales’ financial statements were not prepared on a ‘going concern’ basis because it had insufficient funding to continue operating
the Department of Industry, Skills and Regional Development needs to improve the recording and accounting for Crown Land (repeat issue)
the financial reporting requirements for Local Land Services local boards, established under the Local Land Service Act 2013, need to be clarified (repeat issue)
significant limitations exist in TAFE NSW’s student administration system (repeat issue)
Hunter Water Corporation contracted to sell Kooragang Island Advanced Water Treatment Plant, which is conditional on the purchaser obtaining a water licence for use of the plant, for $35.5 million. This resulted in a $20.5 million decrease in the revaluation reserve
Hunter Water Corporation received $28.1 million from the sale of land impacted by the NSW Government’s decision not to construct Tillegra Dam. This was $62.4 million less than the carrying value of the land
Sydney Water Corporation needs to ensure it has robust governance over the development and implementation of a new customer billing system and an integrated enterprise resource planning system, budgeted to cost $184 million and $54.5 million respectively.

Timeliness of financial reporting

More financial statements and audit opinions signed within three months of year end

Most agencies submitted and signed their financial statements on time, which enabled more audits to be completed within three months of year end.

In 2015–16, 204 of 286 agencies’ financial statements and audit opinions were signed within three months of the year end. This compares to only 67 in 2010–11, the year before NSW Treasury introduced mandatory early close procedures.

Early close procedures improved the timeliness of financial reporting

Agencies were broadly successful in performing early close procedures in 2015–16. However, we did identify opportunities for improvement across the NSW public sector.

Agencies will not always be able to fully resolve significant and complex accounting issues as part of the early close process. If this is the case, it is important they document a clear path towards timely resolution and ensure relevant stakeholders, including NSW Treasury, are kept informed. The documentation should set out the issue, status, key aspects needing resolution, and who is responsible for the expected deliverables.

Changes in accounting standards can materially impact agencies’ financial statements. Agencies will need to ensure they review the impact of, and have appropriate systems and processes in place to address these changes. Because of the lead time required, agencies need to start preparing for imminent changes now. The more significant changes that will come into effect over the next two years include:

service concession arrangements - where private sector entities design, build, finance and/or operate infrastructure to provide public services, such as toll roads, utilities, prisons and hospitals
the classification, measurement, recognition and de-recognition of financial instruments
leasing arrangements - lessees will no longer classify leases as operating or finance leases; leases will be ‘capitalised’ with financial liabilities being recognised for future lease payments.

NSW Treasury has narrowed the scope of mandatory early close procedures

NSW Treasury Circular 16-13 'Agency guidelines for the 2016–17 Mandatory Early Close' has narrowed the scope of mandatory early close procedures to non-financial asset valuations and proforma financial statements. Early close procedures that are no longer mandatory, but considered to be good practice by NSW Treasury, include:

resolving all past audit issues
performing key account reconciliations
agreeing and confirming inter and intra (cluster) agency balances and transactions
identifying material, complex and one-off transactions
preparing quality workpapers to support balances with variance analysis and meaningful explanations for movements
adequate review by management and Audit and Risk Committees.

If agencies do not perform the good practice procedures, the early close process may not be as effective in ensuring the quality and timeliness of financial reporting. We will monitor and report on the impact of this change on the timeliness and quality of the 2016–17 financial statements.

NSW Treasury piloted a hard-close initiative

NSW Treasury conducted a ‘hard-close pilot’ with nine agencies in 2015–16 to assess the benefits, and whether they should be applied more widely across the NSW public sector. While NSW Treasury has evaluated the results of the pilot, it has not mandated agencies complete hard close procedures in 2016–17. NSW Treasury Circular 16–13 gives agencies the option to complete hard close procedures.

Hard close procedures involve applying year-end procedures to the fullest extent practicable at a preliminary month end date to further improve the quality and timeliness of financial reporting.

Processes for asset valuations can be improved

Although most agencies complied with NSW Treasury’s early close asset revaluation procedures, we identified areas where they can be improved.

Asset valuations can be complex. They can involve the valuation of a large, geographically dispersed asset base, require significant judgement to estimate fair value and require substantial resources to complete.

Asset revaluations are successful when:

revaluation projects commence early enough to obtain the results and to reflect this in the early close pro forma financial statements, fixed asset register and general ledger
all assets are identified, recorded and reconciled before being provided to the valuer and the valuation methodology is agreed and documented
quality work papers are prepared setting out management’s proposed accounting treatments, judgements and assumptions
management engages with the valuers and interrogates the valuation results with scepticism
valuation issues are resolved before preparing the year-end financial statements.

NSW Treasury Policy Paper TPP14-01 also provides guidance to agencies to help manage the revaluation process.

Performance reporting

In 2017 and 2018, NSW Treasury is implementing its Financial Management Transformation (FMT) program. The program will replace the current ‘service group’ budgeting and reporting structure with program based budgeting and reporting. The program expects to have the legislation, policy framework and financial reporting system rolled out for the 2017–18 financial year.

The program will implement a modern IT system, PRIME, as NSW Treasury's key tool to support whole-of-government budgeting and reporting. PRIME is expected to give the NSW Government strategic, relevant and timely information to plan and deliver its policy priorities and the Budget. It is expected to capture and monitor financial and non-financial performance data, and provide business intelligence and analytics. The roll-out of PRIME commenced in November 2016 and the 2017–18 Budget will be delivered using PRIME.

A project of this scale and complexity has many risks, which need to be carefully managed if the desired benefits are to be realised. To manage the risks, NSW Treasury is running PRIME in parallel with the existing IT systems for an extended period that covers preparation of the 2017–18 budget.

Independent assurance over the appropriateness and accuracy of agency key performance measures and indicators would improve confidence in the reliability of the NSW Government performance data.

Monitoring and guiding program performance will mean:

developing and implementing high level frameworks, policies and guidance
establishing measures and setting targets for performance
ensuring the availability of and access to high quality data and other information
obtaining independent assurance over the quality of the data.

The FMT program aims to achieve:

better performance and outcomes management
improved management of the State’s balance sheet, revenues and expenditures
stronger interagency collaboration
clearer accountabilities
better reporting of performance and outcomes.

This should give the NSW Government greater visibility on whether programs are delivering value for money, with emphasis not just on whether they are meeting compliance requirements, but whether they are also meeting performance expectations. This will require agencies to have the expertise they need to analyse how programs are performing and meeting expected outcomes.

Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.

In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.

Financial controls
Observation	Conclusion
More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016.	Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner.
Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access.	Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected.
We found shared service provider agreements did not always adequately address information security requirements.	Where agencies use shared service providers they should consider whether the service level arrangements adequately address information security.
Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports.	The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand we plan to look at cyber security as part of our 2017–18 performance audit program.
We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist.	Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes.
Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data.	The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector.
Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice.	To address backlog maintenance it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level.

Internal controls

Agency internal controls

We report deficiencies in internal controls, matters of governance interest and unresolved issues identified during our audits to management and those charged with governance of the agencies. We do this through management letters, which include our observations, related implications, recommendations and risk ratings.

We identified and reported 837 issues during our 30 June 2016 audits. Common internal control weaknesses identified during these audits included:

non-compliance with processes and legislation
incomplete and inaccurate central registers, such as those for managing conflicts of interest, legislative compliance and contract management
weaknesses in information technology controls (see further details below)
financial performance and reporting issues, such as inadequate review of manual journals and poor quality and review of general ledger account reconciliations
deficiencies in purchasing and payables processes, such as poor review of vendor master file changes, limited use of purchase orders and inadequate payment approval processes.

Fewer internal control weaknesses were assessed as being high risk than in previous years. High risk internal control deficiencies should be addressed by the relevant agencies as a matter of urgency.

More needs to be done to implement audit recommendations

More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016. The highest proportion of these issues were in the following clusters:

Family and Community Services cluster - 11 of 31 issues were repeat issues.
Planning and Environment cluster - 26 of 88 issues were repeat issues
Finance, Services and Innovation cluster - 31 of 111 issues were repeat issues
Justice cluster - 33 of 124 issues were repeat issues
Transport cluster - 18 of 68 issues were repeat issues
Health cluster - 33 of 126 issues were repeat issues.

Two of the 212 issues were classified as high risk and related to:

an agency’s lack of effective controls over fundraising activities
recognition of a loan and the agency’s capacity to repay the loan

Of the remainder, 126 were classified as moderate risk and 84 as low risk. Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. They expose agencies to reputational risks and financial loss.

Some issues can take longer to address due to resource constraints and/or the complexity of the issue. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner. Audit and Risk Committees play an important role in monitoring and advising agency heads on how agencies are implementing measures to address audit findings and recommendations.

Internal controls at shared service providers

Cluster corporate and shared service models are common across NSW Government

Corporate and shared service models are common across NSW Government, with most clusters having moved to or planning to move to some form of shared service arrangement. Shared service arrangements are designed to achieve efficiencies and reduce costs by centralising service delivery in areas such as human resources, governance and risk, procurement, finance and information technology. Corporate and shared service models can:

consolidate information systems and standardise processes through common policies and procedures. This should provide greater transparency to the cluster lead agency of agencies' and cluster-wide performance
deliver better information management and decision support services
increase efficiencies and reduce costs.

Agencies need to carefully manage the risks associated with these arrangements, such as:

failing to deliver integrated systems and processes across the cluster
limiting flexibility, which may hinder agencies from implementing fit for purpose frameworks, such as those for governance and risk
sub-optimal performance by service providers and/or ineffective controls at the service provider
poor governance, strategic leadership and direction over shared service arrangements.

The NSW Commission of Audit, in its May 2012 report on ‘Government Expenditure’, recommended improvements in the delivery of corporate and shared services across the NSW Government sector.

Service level arrangements are not always in place or are signed too late

We found instances where service level agreements with shared service providers were outdated, signed too late or did not exist. For example:

service agreements, which include performance requirements for safety and quality, service access and patient flow, finance and activity, population health and people between the Secretary of NSW Health and local health districts/specialty networks, need to be signed earlier to clarify roles, responsibilities, performance measures, budgets and service volumes and levels
the NSW Department of Industry, Skills and Regional Development and the Department of Justice did not always have service agreements in place with agencies to which they provide financial and corporate services.

Agencies need to seek internal control certifications from service providers

NSW Treasury Policy TPP 14–05 'Certifying the Effectiveness of Internal Controls Over Financial Information' requires agencies to obtain certification on the effectiveness of internal controls from outsourced service providers. We found:

agencies using the services of GovConnect were unable to rely on controls over financial transactions and information (further details below), which negated the certification process over controls at the service provider. This required the impacted agencies to implement controls to mitigate the control deficiencies at the service provider
the Department of Justice did not always provide written certifications on the design and effectiveness of internal controls to client agencies
some private sector service providers do not provide independent certifications on the effectiveness of their controls to agencies.

The NSW Treasury Policy notes that, in some instances, client agencies may consider it appropriate to seek additional assurance in the form of an independent opinion on the design and operating effectiveness of controls in the service organisation. Agencies should consider the nature and extent of the services provided by their service provider when determining whether independent assurance is required.

Internal controls at GovConnect were ineffective in 2015–16

GovConnect provides information technology and transactional services to agencies within the NSW Public Sector. Service levels fell during the transition of shared services from ServiceFirst to GovConnect and NSW public sector agencies using these services were unable to rely on controls over financial transactions and information.

We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. This increased the risk of fraud and error, and inappropriate access to information.

The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies identified in GovConnect’s Independent Auditor’s Assurance reports. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector. Refer to pages 19-20 in our Report on Finance, Services and Innovation for further details.

Information technology

Digital Information Security

Agencies continue to face challenges managing information security

We audited the information systems of 72 agencies in 2016. The audits focused on the information technology (IT) processes and controls supporting the integrity, availability and security of financial data used to prepare the financial statements.

The audits identified opportunities to improve IT control environments, with a large proportion of our findings relating to information security. We recommended agencies review and strengthen information security controls. The key control weaknesses we found related to user administration, password parameters and privileged access.

Over the last three years the number of information systems issues we identified has improved, as shown below:

2015–16: 72 audits - 121 issues reported
2014–15: 73 audits - 169 issues reported
2013–14: 77 audits - 198 issues reported.

Of the 121 issues reported in 2015–16, two were classified as high risk, 80 as moderate risk and 39 as low risk. The two high risk issues related to:

poor password configuration management
inappropriate user access accounts and inadequate review of users’ access to the agency’s network, finance applications, database and servers.

Twenty-three per cent of the issues reported in 2014–15 were repeated in 2015–16. The percentage of repeat issues has fallen compared to 2013–14.

Governance refers to the high-level frameworks, processes and behaviours established to ensure an entity meets its intended purpose, conforms with legislative and other requirements, and meets the expectations of probity, accountability and transparency.

Governance models need to be adapted for the specific goals and outcomes required for different situations; one size does not fit all. High standards of public sector governance and accountability enable effective and efficient use of public resources. They also help to ensure agencies act impartially and lawfully, deliver program/project benefits within expected costs and timeframes and provide useful information about their activities and achievements.

In 2015–16, our audit teams made the following key observations on governance in NSW public sector agencies

Governance
Observation	Conclusion
Cluster governance arrangements that support cluster accountability, performance monitoring, risk and compliance management are unclear.	Currently, cluster governance arrangements are unclear and inconsistently implemented across the NSW public sector. Implementing cluster governance frameworks is complex. The Department of Premier and Cabinet (DPC) has indicated the NSW Public Sector Governance Framework will be updated to give guidance on cluster governance and how accountability and performance are monitored and reported.
The ‘whole-of-government’ does not have a dedicated audit and risk committee.	NSW Government agencies would benefit from a dedicated independent audit and risk committee for the ‘whole-of-government’ that focuses on common issues and risks across the NSW public sector, and recommends and oversights coordinated responses to sector wide issues.
We identified many deficiencies in the oversight and management of Crown Land, including the sale and lease of such land.	We recommended the Department of Industry-Lands improve its processes for the sale and lease of Crown Land.
Our assessment of a sample of 33 agencies found that agencies have risk management governance structures in place, but need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents.	Agencies need to focus on developing strong risk cultures and fit-for-purpose systems to capture risks and incidents.
We found project cost and time overruns continue to occur.	In 2016–17, we will assess risk management maturity and processes focusing on effective risk management in project governance.
Our 2015–16 fraud survey indicates fraud controls are improving, but highlighted areas where agencies can do more.	Agencies can review their fraud control measures against our Fraud Control Improvement Kit.
Our review of 13 agencies’ compliance with reporting and disclosure aspects of the GIPA Act found varying degrees of non-compliance at each.	Our 2016 Special Report 'Compliance with the GIPA Act' makes recommendations to help agencies comply with the requirements of the Act.

Governance and Accountability

With the NSW public sector changing and becoming more complex, good governance becomes more important so the public's confidence in government and its agencies is maintained. Governance across the NSW public sector is complex and needs to accommodate risks arising from:

the Government’s cluster arrangements having no legal basis
many agencies not having conventional board structures
agencies only being able to do what their enabling legislation allows
agencies having for profit or not-for-profit objectives, and/or only being established to achieve a particular purpose
capability limitations that may exist in governing bodies
stakeholders having high expectations around accountability, transparency and conflicts of interest in public sector agencies.

Adding to this complexity is the continually changing nature of the public sector and the way it delivers services. Often, governance arrangements are impacted by:

changes in service delivery models, such as commissioning and contestability arrangements
machinery of government changes, leading to agencies being formed, amalgamated or abolished
complex financing and other contractual arrangements, such as public private partnerships impacting the structure and risks agencies face.

Those charged with governance are accountable for the decisions they make and need relevant, accurate and up-to-date information on which to base their decisions. Consequently, they need to satisfy themselves the governance frameworks, and the design and effectiveness of internal systems and controls provides sufficient assurance the agency’s activities are in line with expectations and comply with standards and legal requirements.

Our audits identified deficiencies in some agencies’ governance frameworks, including:

not having frameworks to manage and ensure compliance with legislation
outdated policies and procedures, including those for fraud and corruption
inconsistent risk management frameworks
not having effective internal audit functions
some smaller agencies not having an Audit and Risk Committee
poor frameworks for identifying and managing conflicts of interest and gifts and benefits.

Agencies can assess their governance frameworks against our Governance Lighthouse.

Effective cluster/agency and program/project governance is characterised by:

leaders who set the right tone from the top, that shapes the culture and demonstrates the desired values and ethics through the behaviours they model when working with management and external stakeholders
a clear strategic purpose and direction, based on a clear understanding of stakeholder expectations, realistic medium and long-term outcomes, short-term priorities and expenditure/investment choices and budgets
a shared and strong understanding of the strategy to inform decisions
strong oversight of progress against the strategy, significant deviations from it, emerging risks and planned benefits from change programs
regular reviews of and updates to the strategy to adapt to changing circumstances
a clear purpose at specific project/program levels
charters with structures that include clearly distinct governance and management roles, principles, and processes
clearly defined roles and responsibilities that make differing interests transparent and improve decision-making – these should be revisited periodically
visible leadership when agencies/projects/programs face difficult issues
clearly allocated and delegated decision-making for governance and management
different people in the roles of chair, project sponsor, manager of the division responsible for delivering a project, the line manager of the project director
the right mix of people with different perspectives and skills, who robustly debate issues, but support agreed decisions
independent quality assurance
effective risk management that identifies, analyses, mitigates, monitors and communicates risks
a defined risk management framework and register that is widely understood and aligned to the agency’s strategy, risk appetite, objectives, business plan and stakeholder expectations
a mature risk management culture and reporting structure that is built into the agency or project governance framework
clear roles for Audit and Risk Committees, with competent and independent members who have a clear purpose
governance arrangements and practices that continually evolve to manage risk and conflicts of interest.

Cluster governance

Cluster governance arrangements, including accountability, are unclear

Currently, cluster governance arrangements are unclear and inconsistently implemented across the NSW public sector. Implementing cluster governance frameworks is complex because clusters bring together entities with different enabling legislation, organisational and legal structures, information systems and processes, risk profiles and governance frameworks. They require Ministers, boards, department Secretaries, agency heads and management to work together to ensure effective cluster governance and accountability arrangements are in place.

Clear cluster governance arrangements would improve cooperation and coordination amongst cluster agencies, help deliver government priorities that cut across agencies and improve service delivery outcomes. We recommended DPC release a revised NSW Public Sector Governance Framework that clearly articulates cluster governance arrangements, the role of the cluster Secretary, Chief Finance Officer, Chief Information Officer and Chief Risk Officer.

DPC has indicated the framework will be updated shortly to provide guidance on governance at a cluster level, including how cluster-level accountability and performance information is monitored and reported. We understand DPC will work with NSW Treasury to revise the framework by mid-2017. It is important for these agencies to collaborate and ensure the outcomes of NSW Treasury's Financial Management Transformation (FMT) program are considered when updating the framework.

The FMT program aims to revise financial governance, budgeting and reporting arrangements in the NSW public sector, and clarify the administrative and accountability arrangements for cluster operations. Further information on FMT is included in the Financial Performance and Reporting and Service Delivery chapters.

Management oversight and capability

Those charged with governance are ultimately responsible for establishing an appropriate governance framework and system of internal control. However, management is accountable to those charged with governance and their oversight plays an important role in ensuring appropriate policies, procedures and internal controls are designed and working properly.

Sale and lease of Crown land is not being managed effectively

Our 2016 performance audit found limited oversight of sales and leases of Crown land by the Department of Industry - Lands. The Department has only just started monitoring whether tenants were complying with lease conditions, and does not have a clear view of what is happening on most leased Crown land. Most guidance to staff had not been updated for a decade, contributing to staff sometimes incorrectly implementing policies on rental rebates, unpaid rent, rent redeterminations and the direct negotiation of sales and leases on Crown land.

Decisions on the sale and lease of Crown land were not transparent to the public and the Department has not provided consistent opportunities for the public and interested parties to participate in decisions about Crown land. Between 2012 and 2015, 97 per cent of leases and 50 per cent of sales were negotiated directly between the Department and individuals, without a public expression of interest process.

Adding to this, our financial audit findings have identified significant deficiencies for several years in recording and accounting for Crown land assets in the Crown Land Information Database and the Department’s general ledger.

A key objective of the Department of Industry - Lands is for Crown land to be occupied, used, sold, leased, licensed or otherwise dealt with in the best interests of the State. A major part of the State’s land holding is Crown land, which had an estimated value of $12 billion in 2015–16. Crown land comprises approximately 42 per cent of all land in New South Wales and supports a wide range of important environmental, economic, social and community activities.

The Crown Land Management Act 2016 (the Act) received assent from Parliament on 14 November 2016. The Act consolidated eight pieces of legislation. Most of the Act is expected to commence in early 2018. It is expected to reduce complexity and duplication, deliver better social, environmental and economic outcomes and facilitate community involvement in Crown land.

Good progress is being made on implementing public sector management reforms

In early 2012, the NSW Commission of Audit Interim report identified a range of issues with workforce management in New South Wales. The Public Service Commission (PSC), which was established in late 2011, was tasked to address some of these issues and build the capability of the public sector. The Government Sector Employment Act 2013 (GSE Act), which provides the legislative basis for reforms, commenced in February 2014.

The public sector management reforms are ambitious, covering a substantial workforce and requiring a lot to be done in a short time. To achieve the intended outcomes, the reforms needed to be supported by sound evidence, have clear objectives and performance indicators, and be evaluated at appropriate stages.

Risk Management

The increasing complexity of government business transactions reinforces the need for whole of government approaches to deal with inter-related and inter-dependent risks across government agencies. It is important that safeguards in place to manage these risks are commensurate to the risk posed.

Findings from some of our 2016 performance audits, which looked at how areas of high risk are managed across NSW Government, are detailed below:

Our performance audit on managing unsolicited proposals in New South Wales concluded that governance arrangements for unsolicited proposals were adequate, but greater transparency and public reporting is needed. Unsolicited proposals warrant greater scrutiny and disclosure as they pose a greater risk to value for money than open, competitive and transparent tender processes.

Our performance audit on government advertising concluded the peer review process provides sufficient assurance that government advertising programs are needed and are cost effective. Government advertising is an activity that is high risk because of the potential for it to be used for political purposes. In NSW, the Government Advertising Act 2011 requires government advertising campaigns estimated to cost over $50,000 to be independently peer reviewed before launch.

Cluster-wide risk management

Cluster wide risk management is inconsistent

Agencies within clusters have their own risk profiles and risk management frameworks. We found varying approaches and levels of maturity on how agency risks are captured and escalated to a cluster level so cluster heads can assess how they are being managed, treated and reported. We recommended some clusters review how agency level risks are escalated and reported at a cluster level.

Enterprise-wide risk management

Agency enterprise-wide risk management across the public sector is improving

In 2016, we assessed risk management processes at 33 agencies across the NSW public sector against the criteria in our Risk Assessment Tool. In 2015, we asked 77 agencies to perform a self-assessment of their risk management maturity. The table below compares the overall results of our assessment against the agencies self-assessments. The comparison indicates that risk management is improving.

Our assessments found that agencies have risk management governance structures in place, but need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents.

The environment in which services are delivered to the people of NSW is constantly changing. Services need to remain relevant and support the public's changing needs and expectations. People expect high quality services to be delivered in cost effective ways. To do this, agencies need to determine how best to deliver the services. Governments can deliver their services through agencies or through commissioning the right mix of services from public, private and not for profit sector providers.

Agencies also need to consider how they collaborate with each other to improve the quality of their services and help drive down costs. Changes in innovation and technology can help agencies adapt to changing circumstances and to deliver better services in different ways.

In 2015–16, our audit teams made the following key observations on service delivery by NSW public sector agencies.

Service delivery
Observation	Conclusion
New ways of delivering services across NSW Government are being identified, with commissioning and contestability arrangements being introduced or considered.	It is important for accountability to be maintained when services are outsourced. Commissioning services and introducing new systems can be challenging. It is important for this to be managed well through: strong project governance and leadership to manage risks entering into binding commitments with clear accountabilities good preparation, including adequate training and support for staff sound financial management to control costs.
We found government decision makers are not always receiving enough information to make evidence-based investment decisions.	The NSW Government’s program evaluation initiative has been largely ineffective. A performance audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters and recommended improvements to program evaluation.
We found agencies' performance is not routinely measured, evaluated or publicly reported.	Agencies can improve transparency over their performance with a stronger focus on measuring performance and outcomes so they can make evidence-based decisions and maintain public accountability.
According to unaudited agency data, some Premier's and State Priorities are at risk of not being achieved.	Independent assurance over the reliability and accuracy of the data would increase confidence in the performance indicators used to measure achievement of the Government’s priorities.
A comprehensive report of performance against the State Priorities is not published.	We understand the NSW Government is considering public reporting against the State Priorities and developing reporting options.

Commissioning and Contesting the Delivery of Services

The publics' rising expectations, and rapidly changing and increasingly complex needs mean agencies cannot be complacent even when they deliver good services. To meet changing expectations and needs, agencies need to build on their strengths and leverage opportunities a modern, technology driven and information rich environment provides.

Government outcomes can be achieved through the effective commissioning of the right mix of services from the public, private and not-for-profit sectors. Commissioning involves agencies assessing citizens’ needs, determining priorities, designing and sourcing appropriate services, and monitoring and evaluating performance. NSW Treasury's 'Government Commissioning and Contestability Policy', published in November 2016, aims to provide a clear and consistent policy direction, definition and set of principles to guide NSW Government agencies when commissioning and contesting services.

It is important for agencies to understand the Government's strategic direction and objectives when partnering with others or commissioning the delivery of services. They must be prepared and able to work together and with others in different ways to deliver the best quality public services possible. Agencies face challenges and opportunities when commissioning services. These include:

determining the size, variety and location of services needed to meet customer needs and expectations
doing things differently to ensure public services are delivered efficiently and effectively
developing and nurturing markets, and transitioning services into and out of government
partnering with other public and private sector entities, and non-government organisations (NGOs)
establishing and maintaining clear accountabilities for jointly delivered services
using new approaches that leverage improvements in technology
involving the people of NSW in designing, planning, and delivering services
using, sharing and communicating information about service delivery
building agencies' capacity and capability
measuring and benchmarking service performance.

Effective commissioning can be achieved through:

strong governance and leadership to manage relationships and risks effectively within risk appetite levels
good information systems and tools
being well prepared with the right capability and number of employees who are well trained and supported
adopting approaches that best fit the circumstances
regularly monitoring and assessing if expected outcomes are being achieved
having a common purpose with clear outcomes
being flexible and prepared to make trade-offs
binding commitments with clear accountabilities
sound financial management to control costs
adequate development and testing of new systems before going live.

Commissioning and contestability continues to increase

We continue to see new ways of delivering services across NSW Government agencies. Some examples of commissioning and contestability include:

commissioning of GovConnect to provide information technology and transactional services to several agencies within the NSW Public Sector (refer Financial Controls chapter for further detail)
contestability testing within NSW Health, including linen services, non-emergency patient transport, warehousing, hospital support services, pathology and radiology
commissioning NGOs to provide some services traditionally provided by the Department of Family and Community Services ($2.8 billion received by NGOs in 2015–16 for the delivery of these services).

Our performance audit on franchising of the Sydney Ferries network found the decision to do so was justified and Transport for NSW’s management of the franchise was largely effective. The franchising has resulted in cost savings, good service performance and effective risk transfer from Government to the private sector operator. Scheduled ferry services are now provided under a seven-year contract managed by Transport for NSW.

Our 2016–17 performance audit program includes a review of Roads and Maritime Services' (RMS) Sydney region road maintenance contracts to assess whether RMS has realised the expected benefits of outsourcing road maintenance for the Sydney Region West and South zones under its Stewardship Maintenance Contracts. We also recently tabled a performance audit report, which focused on the Department of Family and Community Services work to build the readiness of the non-government sector for the National Disability Insurance Scheme.

Accountability needs to be maintained when services are outsourced

Generally, contractual arrangements allow an agency that is outsourcing services to review and assess the performance of the service provider. However, outsourced service providers are not directly accountable to the NSW Parliament for their use of public resources.

Governments are increasingly outsourcing to or partnering with private and NGO providers to deliver government services. Consequently, many parliaments now have legislation that enables Auditors-General to ‘go beyond’ the boundaries of the agencies commissioning services and into the entities providing the services to examine how effectively and efficiently they are providing the services (‘follow the money’ powers). New South Wales legislation does not currently provide the Auditor–General with such powers.

Delivering Government Services

Evidence-based decision making

Government services are being delivered by agencies through a variety of programs

To do this effectively agencies need to be able to make evidence based decisions. In August 2013, the NSW Government commenced a program evaluation initiative, which required agencies to periodically evaluate their programs. Since then, NSW Treasury and DPC have worked with agencies to implement the initiative. Agencies are required to prioritise programs for evaluation based on size, strategic significance and degree of risk, recognising their available capability and resources to conduct evaluations.

Our performance audit on 'Implementation of the NSW Government’s program evaluation initiative' showed the initiative was largely ineffective and government decision makers were not receiving enough information to make evidence-based investment decisions. The audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters.

Our performance audit also recommended NSW Treasury develop an evaluation framework to support the program budgeting and reporting component of the Financial Management Transformation (FMT) program, and ensure the program evaluation initiative is integrated into the new framework.

The FMT program budgeting, reporting and evaluation initiative aims to provide evidence-based information to inform investment decisions on programs. Adopting program budgeting and reporting as a key component of the FMT program requires a proven and systematic evidence-based methodology for measuring the efficiency and effectiveness of the programs.

Service delivery performance

Our performance audits found mixed service delivery performance

Performance audits build on our financial audits by reviewing whether taxpayers' money is spent efficiently, effectively, economically and in accordance with the law. Many of our performance audits focus on whether agencies are delivering good services to citizens at a reasonable cost. Findings from some of our 2016 audits, which focused on service delivery performance, are outlined below:

Reporting on Service Delivery Performance

As agencies partner and collaborate more, measuring performance becomes more important. Sharing, using and making information available enables agencies to collectively understand and improve their service performance. This also gives agencies an opportunity to achieve efficiencies in collating and using research and performance data within privacy and legislative constraints. Where appropriate, agencies should consider obtaining independent assurance over the reliability and accuracy of the performance data they use.

Complaints are an important and free source of information that can provide valuable insights into poor service, systemic errors or problems with specific processes. How agencies manage and respond to complaints demonstrates their commitment to high standards of service delivery. Complaints also give agencies an opportunity to understand the expectations and experiences of people using their services. Government agencies need to ensure complaints are easy to make, consistently recorded and analysed, and openly reported and actioned.

Transparency over performance

Performance is not always measured, evaluated or publicly reported

A key objective of public sector reform is to improve performance and create a culture of accountability. Inadequate performance measures and primarily internal reporting, reduces transparency of agency performance and makes it hard for the public to assess if agencies are doing a good job. A sample of our audits found:

the effectiveness of Corrective Services NSWs performance framework was limited because performance information was not readily available to correctional centres to make more informed decisions on how best to manage their centres
red tape savings figures were not accurate and there was no central oversight of red tape reduction strategies
a lack of detailed costings meant we could not be sure regulation of early childhood education was efficient even though processes appeared to be good
while the Department of Family and Community Services has transparent performance reporting which is regularly published, the use and reporting of targets and benchmarks is limited
while icare collects performance information it does not use this information to assess the success of the return to work program. The return to work rate has increased from 85.5 per cent to 88.3 per cent since the workers’ compensation reforms were introduced in 2012, but there was no benchmark to assess if this result is meeting the desired objectives of the reforms
the Environment Protection Authority has not developed measures and targets to assess achievement of outcomes associated with illegal dumping initiatives.

Agencies should consider whether their performance measurement frameworks:

measure the right things, focus on outcomes and integrate with decision making processes
set baselines and establish targets and timeframes for key performance indicators
require the use of reliable, up to date and accurate information
require information to be publicly reported to increase transparency.

The Government will not get the same level of reliance on performance information as it does for financial statements if that information is not independently assured. We will continue to focus on how well agencies assess and report the performance of their initiatives in achieving desired outcomes.

Premier's and State Priorities

The NSW Government released State Priorities 'NSW: Making it Happen' in September 2015. It includes 12 Premier's Priorities and 18 State Priorities with measures and targets to track the Government's performance in key priority areas.

The Premier's Priorities are detailed below.

Protecting our kids Improving service levels in hospitals Improving education results	Driving public sector diversity Keeping our environment clear Faster housing approvals
Reducing domestic violence Tackling childhood obesity Reducing youth homelessness	Improving government services Creating jobs Building infrastructure

Performance against the Premier's and State Priorities is not audited

The Premier's and State Priorities have not been independently audited to provide assurance the performance information is accurate. The Commonwealth, Victorian and Western Australian Auditors-General have varying powers that provide for auditing the appropriateness of agency key performance indicators and determine whether they fairly represent actual performance. NSW legislation does not currently provide the Auditor-General with such powers.

Premier's Priorities

Some Premier's Priorities are at risk of not being achieved

Our 2015–16 reports commented on the Government's performance against some of the Premier’s and State Priorities. Published data, which we have not audited, indicates the following Premier's Priorities may be at risk of not being achieved:

the proportion of domestic violence perpetrators re-offending within 12 months was 15.9 per cent, which is 6.7 percentage points higher than the target of 9.2 per cent (refer page 52–53 in Report on Law and Order, Emergency Services and the Arts for further details)
the percentage of children and young people re-reported at risk of significant harm was 40 per cent, which is 5.6 percentage points higher than the target of 34.4 per cent (refer page 31–32 in Report on Family and Community Services)
in 2015–16, 32.5 per cent of students achieved results in in the top two NAPLAN bands for reading and numeracy, marginally below the baseline of 32.7 per cent and below the 2019 target of 35.2 per cent (refer page 40–41 in Report on Education for further details)
the rate of patients leaving emergency departments within four hours was 74.2 per cent, 6.8 percentage points below the target of 81 per cent (refer page 53 in Report on Health for further details).

Published data, which we have not audited, indicates the following Premiers Priorities have been achieved or are on track to be achieved:

creating 150,000 new jobs by 2019 has been reported as achieved (refer page 47 in Report on Industry, Skills, Electricity and Water for further details)
current trends indicate the target of reducing the volume of litter by 40 per cent by 2020 may be achieved (refer page 38–39 in Report on Planning and Environment for further details).

Progress against all 12 priorities can be found at https://www.nsw.gov.au/improving-nsw/premiers-priorities.

State Priorities

Some State Priorities at risk of not being achieved

Data, which we have not audited, indicates the following State Priorities may be at risk of not being achieved:

journey time reliability was 86 per cent in 2015–16, four percentage points below the 90 per cent target for peak travel on key routes being on time (refer page 48 in Report on Transport for further details)
in 2015–16, 9.1 per cent of Aboriginal and Torres Strait Islander students achieved results in the top two NAPLAN bands for reading and numeracy, which shows no improvement on the baseline of 9.1 per cent and is below the 2019 target of 11.6 per cent (refer page 42–43 in Report on Education for further details)
reducing the rate of adult re-offending by five per cent by 2019 – the rate increased 2.3 percentage points over the five years since 2010 to 36.7 per cent for the year ended 31 December 2014 (refer page 53–54 in Report on Law and Order, Emergency Services and the Arts for further details).

Data, which we have not audited, indicates the following State Priorities have been achieved or are on track to be achieved:

the State maintained its AAA credit rating (refer page 25 in Report on State Finances for further details)
general government expenditure growth was 4.4 per cent in 2015–16 and continued to be below long term revenue growth of 5.6 per cent (refer page 25 in Report on State Finances for further details)
70,077 new dwelling approvals were granted in 2015–16, higher than the target of 50,000 approvals (refer page 35 in Report on Planning and Environment for further details)
the time taken to assess planning applications for complex state significant developments fell 46 per cent in 2015–16 from the 2013–14 baseline. A further four percentage point reduction is required to meet the target of halving the time to perform these assessments (refer page 35 in Report on Planning and Environment for further details)

A comprehensive report of performance against the State Priorities is not published

The Department of Premier and Cabinet has defined targets and measures in ‘NSW: Making it Happen’ so Ministers and individual agencies know which targets they are accountable for and how they will be measured. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State priorities is not published. We understand the NSW Government is considering this matter and developing reporting options.

Agencies are responsible for the priorities and they report progress at least bi-annually to the Department of Premier and Cabinet for reporting to the Premier. We will continue to report performance against the targets set in the Premier's and State Priorities.

Contract Management

Our audits identified deficiencies in contract management processes

Our audits continue to identify deficiencies in contract management processes, including:

agencies not having central contract registers detailing key contractual obligations and commitments
incomplete and inaccurate contract registers and/or no policy or procedures to update and maintain contract registers
no monitoring of contract performance.

We recommended agencies in the Family and Community Services and Planning and Environment clusters improve contract management processes. A robust contract management framework helps ensure all parties meet their obligations, contractual relationships are well managed, value for money is achieved and deliverables meet the required standards and agreed timeframes.

A 2014 performance audit ‘'Making the most of government purchasing power – telecommunications' developed a Better Practice Contract Management Framework (Framework) with nine key elements. Agencies can refer to this framework when assessing the adequacy of their contract management framework.

Benefits realisation

Benefits realisation approach for the Service NSW initiative is not as effective as it could be

Effective benefits realisation is critical to achieving intended outcomes expected from investments.

Our performance audit on 'Realising the benefits of the Service NSW initiative' found the benefits realisation approach for the Service NSW initiative is not as effective as it could be. While customers think Service NSW provides a convenient and practical way to access all government transaction services:

it was unclear who should monitor and report on the achievement of whole-of-government benefits and savings anticipated from the initiative
there was insufficient data to fully value or identify individual agency and whole-of-government savings and benefits.

This makes it difficult for the NSW Government to demonstrate the expected economic benefits of Service NSW will outweigh costs by the estimated five to one, and that savings will accrue after 2016–17.

Audit progress

Sector

Year

Report type

Topic

Reports

Conclusion

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

2. Recommendations

As a matter of urgency, Service NSW should:

By March 2021, Service NSW should:

By June 2021, Service NSW should:

By December 2021, Service NSW should:

Recommendations

Documented justification of procurement needs

Segregation of duties

Assessment of supplier performance

Centralised contract register

Evaluation of community outcomes and value for money

Procurement training

Conclusion

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

Conclusion

Conclusion

Section highlights

Section highlights

Section highlights

Section highlights

1. Overall trends

2. Information Technology

3. Asset Management

4. Governance

5. Ethics and Conduct

6. Risk Management

This new report offers strategic insight on the public sector as a whole

2.1 IT security

2.2 Cyber Security

2.3 Other IT systems

3.1 Capital investment

3.2 Capital projects

3.3. Asset disposals

4.1 Governance arrangements

4.2 Shared services

5.1 Ethical framework

5.2 Potential conflicts of interest

6.1 Risk management maturity

6.2 Risk management elements

Financial performance and reporting

The quality and timeliness of financial reporting continues to improve

NSW Treasury has narrowed the scope of mandatory early close procedures

Financial controls

More needs to be done to implement audit recommendations

Agencies continue to face challenges managing information security

Internal controls at GovConnect were ineffective in 2015–16

Governance

Cluster governance arrangements are unclear

The sale and lease of Crown land is not being managed effectively

Project cost and time overruns continue to occur

A strong risk culture is fundamental to successful risk management

Agencies are not fully complying with the GIPA Act

Service delivery

Some Premier's and State Priorities at risk of not being achieved

Government does not always get enough information for evidence-based decisions

Performance is not always measured, evaluated or publicly reported

Commissioning and contestability continues to increase