Reports
Actions for Internal Controls and Governance 2019
Internal Controls and Governance 2019
This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.
The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:
- financial controls
- information technology controls
- gifts and benefits
- internal audit
- contingent labour
- sensitive data.
The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.
1. Internal control trends
New, repeat and high risk findings |
There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies. Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time. |
Common findings |
A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:
|
2. Information technology controls
IT general controls |
We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:
We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required. |
3. Gifts and benefits
Gifts and benefits registers |
All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers. Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour. |
Managing gifts and benefits |
We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites. Agencies can improve management of gifts and benefits by:
|
Reporting and monitoring |
Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee. Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits. |
4. Internal audit
Obtaining value from the internal audit function |
Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee. Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer. Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks. |
Role of the Chief Audit Executive |
Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE. The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO. Agencies should ensure:
|
Quality assurance and improvement program |
Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function. The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually. Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments. |
5. Managing contingent labour
Obtaining value for money from contingent labour |
According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces. Agencies can improve their management of contingent labour by:
We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'. |
6. Managing sensitive data
Identifying and assessing sensitive data |
Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked. Agencies can improve processes to manage sensitive data by:
|
Managing data breaches |
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents. Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach. |
This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.
Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.
This report offers insights into internal controls and governance in the NSW public sector
This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.
Areas of specific focus of the report have changed since last year
Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:
- internal control trends
- information technology controls, including access to agency systems
- protecting sensitive information held within agencies
- managing large and diverse workforces (controls around employing and managing contingent workers)
- maintaining an ethical culture (management of gifts and benefits)
- effectiveness of internal audit function and its oversight by Audit and Risk Committees.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Key conclusions and sector wide learnings
- out of date policies or an absence of policies to guide appropriate decisions
- poor record keeping and document retention
- incomplete or inaccurate centralised registers or gaps in these registers.
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.
Key conclusions and sector wide learnings
We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.
Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.
Areas where agencies can improve their management of gifts and benefits include:
- ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
- establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
- updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
- providing on-going training, awareness activities and support to employees, not just at induction
- regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
- publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.
Key conclusions and sector wide learnings
We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:
- documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
- ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
- involving the CAE more extensively in executive forums as an observer
- documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
- reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.
Key conclusions and sector wide learnings
Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.
There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:
- preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
- involving agency human resources units in decisions about engaging contingent labour
- regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
- strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.
Key conclusions and sector wide learnings
Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.
It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.
Key areas where agencies can improve their management of sensitive data include:
- identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
- assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
- developing comprehensive data breach management policies to ensure data breaches are appropriately managed
- maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
- providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – In-scope agencies
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Unsolicited proposal process for the lease of Ausgrid
Unsolicited proposal process for the lease of Ausgrid
In October 2016, the NSW Government accepted an unsolicited proposal from IFM Investors and AustralianSuper to lease 50.4 per cent of Ausgrid for 99 years. The deal followed the Federal Government’s rejection of two bids from foreign investors, for national security reasons.
A performance audit of the lease of Ausgrid has found shortcomings in the unsolicited proposal process. Releasing the audit findings today, the Auditor-General for New South Wales, Margaret Crawford said ‘this transaction involved a $20 billion asset owned by the people of New South Wales. As such, it warranted strict adherence to established guidelines’.
Ausgrid is a distributor of electricity to eastern parts of Sydney, the Central Coast, Newcastle and the Hunter Region.
In June 2014, the then government announced its commitment to lease components of the state's electricity network as part of the Rebuilding NSW plan. Implementation of the policy began after the government was re-elected in 2015. Between November 2015 and August 2016, the NSW Government held a competitive tender process to lease 50.4 per cent of Ausgrid for 99 years. The NSW Government abandoned the process on 19 August 2016 after the Australian Treasurer rejected two bids from foreign investors, for national security reasons. That day, the Premier and Treasurer released a media statement clarifying the government's objective to complete the transaction via a competitive process in time to include the proceeds in the 2017–18 budget.
On 31 August 2016, the state received an unsolicited proposal from IFM Investors and AustralianSuper to acquire an interest in Ausgrid under the same terms proposed by the state during the tender process. In October 2016, the government accepted the unsolicited proposal.
This audit examined whether the unsolicited proposal process for the partial long-term lease of Ausgrid was effectively conducted and in compliance with the government’s 2014 Unsolicited Proposals: Guide for Submission and Assessment (Unsolicited Proposals Guide or the Guide).
The audit focused on how the government-appointed Assessment Panel and Proposal Specific Steering Committee assessed key requirements in the Guide that unsolicited proposals must be demonstrably unique and represent value for money.
The evidence available does not conclusively demonstrate the unsolicited proposal was unique, and there were some shortcomings in the negotiation process, documentation and segregation of duties. That said, before the final commitment to proceed with the lease, the state obtained assurance that the proposal delivered value for money.
It is particularly important to demonstrate unsolicited proposals are unique, in order to justify the departure from other transaction processes that offer greater competition, transparency and certainty about value for money.
The Assessment Panel and the Proposal Specific Steering Committee determined the Ausgrid unsolicited proposal was unique, primarily on the basis that the proponent did not require foreign investment approval from the Australian Treasurer, and the lease transaction could be concluded earlier than through a second tender process. However, the evidence that persuaded the Panel and Committee did not demonstrate that no other proponent could conclude the transaction in time to meet the government’s deadline.
It is not appropriate to determine an unsolicited proposal is unique because it delivers an earlier outcome than possible through a tender process. The Panel and Committee did not contend, and it is not evident, that the unsolicited proposal was the only way to meet the government’s transaction deadline.
The evidence does not demonstrate that the proponent was the only party that would not have needed foreign investment approval to participate in the transaction. It also does not demonstrate that the requirement for foreign investment approval would have reduced the pool of foreign buyers to the degree that it would be reasonable to assume none would emerge.
The Panel, Committee and financial advisers determined that the final price represented value for money, and that retendering offered a material risk of a worse financial outcome. However, an acceptable price was revealed early in the negotiation process, and doing so made it highly unlikely that the proponent would offer a higher price than that disclosed. The Department of Premier and Cabinet (DPC) and NSW Treasury were not able to provide a documented reserve price, bargaining strategy or similar which put the negotiations in context. It is not evident that the Panel or Committee authorised, justified or endorsed negotiations in advance.
Key aspects of governance recommended by the Guide were in place. Some shortcomings relating to role segregation, record keeping and probity assurance weakened the effectiveness of the unsolicited proposal process adopted for Ausgrid.
The reasons for accepting that the proposal and proponent were unique are not compelling.
The Unsolicited Proposals Guide says the 'unique benefits of the proposal and the unique ability of the proponent to deliver the proposal' must be demonstrated.
The conclusion reached by the Panel and Committee that the proposal offered a ‘unique ability to deliver (a) strategic outcome’ was primarily based on the proponent not requiring foreign investment approval from the Australian Treasurer, and allowing the government to complete the lease transaction earlier than by going through a second tender process.
It is not appropriate to determine an unsolicited proposal is unique because it delivers an earlier outcome than possible through a tender process. The Panel and Committee did not contend, and it is not evident, that the unsolicited proposal was the only way to meet the government’s transaction deadline.
The evidence does not demonstrate that the proponent was the only party that would not have needed foreign investment approval to participate in the transaction. Nor does it demonstrate that the requirement for foreign investment approval would have reduced the pool of foreign buyers to the degree that it would be reasonable to assume none would emerge.
That said, the Australian Treasurer’s decision to reject the two bids from the previous tender process created uncertainty about the conditions under which he would approve international bids. The financial advisers engaged for the Ausgrid transaction informed the Panel and Committee that:
- it was not likely another viable proponent would emerge soon enough to meet the government’s transaction deadline
- the market would be unlikely to deliver a better result than offered by the proponent
- going to tender presented a material risk of a worse financial result.
The Unsolicited Proposals Guide says that a proposal to directly purchase or acquire a government-owned entity or property will generally not be unique. The Ausgrid unsolicited proposal fell into this category.
Recommendations:
DPC should ensure future Assessment Panels and Steering Committees considering a proposal to acquire a government business or asset:
- recognise that when considering uniqueness they should:
- require very strong evidence to decide that both the proponent and proposal are the only ones of their kind that could meet the government’s objectives
- give thorough consideration to any reasonable counter-arguments against uniqueness.
- rigorously consider all elements of the Unsolicited Proposals Guide when determining whether a proposal should be dealt with as an unsolicited proposal, and document these deliberations and all relevant evidence
- do not use speed of transaction compared to a market process as justification for uniqueness.
The Panel and Committee concluded the price represented value for money, based on peer-reviewed advice from their financial advisers and knowledge acquired from previous tenders. The financial advisers also told the Panel and Committee that there was a material risk the state would receive a lower price than offered by the unsolicited proposal if it immediately proceeded with a second market transaction.
The state commenced negotiations on price earlier than the Guide says they should have. Early disclosure of a price that the state would accept reduced the likelihood of achieving a price greater than this. DPC says the intent of this meeting was to quickly establish whether the proponents could meet the state’s benchmark rather than spending more time and resources on a proposal which had no prospect of proceeding.
DPC and NSW Treasury were not able to provide a documented reserve price, negotiation strategy or similar which put the negotiations and price achieved in context. It was not evident that the Panel or Committee authorised, justified or endorsed negotiations in advance. However, the Panel and Committee endorsed the outcomes of the negotiations.
The negotiations were informed by the range of prices achieved for similar assets and the specific bids for Ausgrid from the earlier market process.
Recommendations:
DPC should ensure any future Assessment Panels and Steering Committees considering a proposal to acquire a government business or asset:
- document a minimum acceptable price, and a negotiating strategy designed to maximise price, before commencing negotiations
- do not communicate an acceptable price to the proponent, before the negotiation stage of the process, and then only as part of a documented bargaining strategy.
The state established a governance structure in accordance with the Unsolicited Proposals Guide, including an Assessment Panel and Proposal Specific Steering Committee. The members of the Panel and Steering Committee were senior and experienced officers, as befitted the size and nature of the unsolicited proposal.
The separation of negotiation, assessment and review envisaged by the Guide was not maintained fully. The Chair of the Assessment Panel and a member of the Steering Committee were involved in negotiations with the proponent.
DPC could not provide comprehensive records of some key interactions with the proponent or a documented negotiation strategy. The absence of such records means the Department cannot demonstrate engagement and negotiation processes were authorised and rigorous.
The probity adviser reported there were no material probity issues with the transaction. The probity adviser also provided audit services. This is not good practice. The same party should not provide both advisory and audit services on the same transaction.
Recommendations:
DPC should ensure any future Assessment Panels and Steering Committees considering a proposal to acquire a government entity or asset:
• maintain separation between negotiation, assessment and review in line with the Unsolicited Proposals Guide
• keep an auditable trail of documentation relating to the negotiation process
• maintain separation between any probity audit services engaged and the probity advisory and reporting services recommended in the current Guide.
Appendix one - Response from agency
Appendix two - NSW Government’s summary of assessment of the Ausgrid unsolicited proposal
Appendix three - The definition and nature of unsolicited proposals
Appendix four - Ausgrid unsolicited proposal process
Appendix five - About the audit
Appendix six - Performance auditing
Parliamentary reference - Report number #309 - released 11 December 2018
Actions for Family and Community Services 2018
Family and Community Services 2018
The Auditor-General for New South Wales, Margaret Crawford released her report today on the Family and Community Services cluster. The report focuses on key observations and findings from the most recent financial audits of agencies in the cluster. Cluster entities received unqualified audit opinions for their 30 June 2018 financial statements. Opportunities to improve the quality of financial reporting were identified and reported to management.
This report analyses the results of our audits of financial statements of the Family and Community Services cluster for the year ended 30 June 2018. The table below summarises our key observations.
This report provides NSW Parliament and other users of the financial statements of Family and Community Services' agencies with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- service delivery.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Family and Community Services cluster for 2018.
Observation | Conclusions and recommendations |
2.1 Quality of financial reporting | |
Unqualified audit opinions were issued for all cluster agencies' financial statements. | Conclusion: Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. |
Agencies complied with NSW Treasury’s mandatory early close requirements. Completing other early close procedures was inconsistent and not always supported by adequate evidence. |
Conclusion: There are opportunities for agencies to improve the quality of financial reporting by:
|
2.2 Timeliness of financial reporting | |
Agencies completed revaluations of property, plant and equipment and submitted 31 March 2018 financial statements by the due date as required by NSW Treasury. Agencies submitted year-end financial statements by the statutory deadline. |
Conclusion: Early revaluations of property, plant and equipment contributes to agencies meeting the year-end statutory reporting deadline. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from:
- our financial statement audits of agencies in the Family and Community Services cluster for 2018
- the areas of focus identified in the Audit Office annual work program.
The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each NSW Government cluster.
Observation | Conclusions and recommendations |
3.1 Internal controls | |
The 2017–18 audits reported 47 internal control weaknesses. While none were high risk, there were 15 repeat issues. |
Conclusion: Management accepted audit findings and advised they are actioning recommendations. Timely action is important to ensure internal controls operate effectively. |
Twenty-two of these internal control weaknesses related to information technology processes and control environment. | Conclusion: Control weaknesses in information systems may compromise the integrity and security of financial data used for decision making and financial reporting. Recommendation: Agencies should strengthen user access administration to prevent inappropriate access to key IT systems by:
|
The Department, NSW Land and Housing Corporation (LAHC) and three other cluster agencies’ contract registers are incomplete and/or inaccurate. | Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
3.2 Audit Office annual work program | |
Financial impact of the commissioning approach. The transfer of disability services to the National Disability Insurance Scheme and other commissioning of service delivery has contributed to a 36 per cent decrease in frontline employee numbers since 2015–16. Similarly, corporate services’ employee numbers reduced by 34 per cent. The Department’s salary costs have reduced by $232 million or 18 per cent from 2016–17. |
Conclusion: The ratio of corporate services employee numbers to support frontline and support services has remained at 1:10 since 2015–16, which indicates restructures have been planned to align with the transfer of disability services. |
Impact of the new social housing maintenance contract Maintenance expenses have increased by about 40 per cent since the new maintenance contract commenced in April 2016. LAHC measures the benefits of the new maintenance contract such as improved tenant satisfaction. |
Conclusion: The new maintenance contract has contributed to some positive social outcomes such as tenants being employed by the contractors to conduct maintenance, as call centre operators and in administration. However, more can be done to ensure value for money is being achieved. |
ChildStory IT Project Whilst phase one of the ChildStory IT project went 'live' in 2017–18, the planned timetable has not been met and the revised date for full implementation is end of 2018. According to the 2014–15 NSW Budget, the budget for ChildStory was $100 million over a four-year period. During the design and implementation stage, this amount was revised to $128 million, with approval of the Expenditure Review Committee. The actual cost incurred over the four years until 30 June 2018, is approximately $131 million. We identified issues with the data migration from the legacy systems to ChildStory. |
Conclusion: To inform future IT projects, we understand the Department is capturing our findings, along with the findings from the Department of Finance, Services and Innovation’s ‘Healthchecks’. |
This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by Cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.
In our recent performance audit, Progress and measurement of Premier's Priorities, we identified 12 limitations of performance measurement and performance data. We recommended that the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all agency data sources.
Actions for Internal Controls and Governance 2018
Internal Controls and Governance 2018
The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.
This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.
This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.
This report offers insights into internal controls and governance in the NSW public sector
This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:
- Internal control trends
- Information technology (IT), including IT vendor management
- Transparency and performance reporting
- Management of purchasing cards and taxis
- Fraud and corruption control.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.
The focus of the report has changed since last year
Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Agencies selected for the volume account for 95 per cent of the state's expenditure
While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.
Observation | Conclusions and recommendations |
---|---|
2.1 High risk findings | |
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. | Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority. |
2.2 Common findings | |
We found several internal controls and governance findings common to multiple agencies. | Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective. |
2.3 New and repeat findings | |
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. | The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies. |
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases |
Recommendation: Agencies should reduce IT risks by:
|
Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.
Observation | Conclusions and recommendations |
---|---|
3.1 Management of IT vendors | |
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review. |
Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:
|
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract. |
Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination. |
Performance management Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance. |
Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:
|
Transitioning services Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor. |
Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'. |
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete. |
Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:
Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
3.2 IT general controls | |
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review. |
Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. |
User access administration
|
Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems. |
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities. |
Recommendation: Agencies should:
|
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters. |
Recommendation: Agencies should ensure IT password settings comply with their password policies. |
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment. |
Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed. |
This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.
Observation | Conclusion or recommendation |
4.1 Reporting on performance | |
Only 57 per cent of agencies linked reporting on performance to their strategic objectives. The use of targets and reporting performance over time was limited and applied inconsistently. |
Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information. Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports. |
There is no independent assurance that the performance metrics agencies report in their annual reports are accurate. Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported. |
Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited. The relevance and accuracy of performance information is enhanced when:
|
4.2 Reporting on reports | |
Agency reporting on major projects does not meet the requirements of the annual reports regulation. Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations. |
NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations. Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress. |
The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works. Sixteen of 30 agencies reported some information on completed major works. |
Conclusion: Agencies could improve their transparency if they reported, or were required to report:
|
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.
Observation | Conclusion or recommendation |
5.1 Management of purchasing cards | |
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement. |
Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards. |
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy. |
Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'. |
Preventative controls We found that:
|
Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:
|
Detective controls Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used. |
Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:
|
5.2 Management of taxis | |
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
|
Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
|
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews. |
Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program. |
Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.
Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:
- unreported frauds in organisations can be almost three times the number of reported frauds
- our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
- fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
- agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.
Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.
Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.
Observation | Conclusion or recommendation |
6.1 Prevention systems | |
Prevention systems Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies. |
Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by:
|
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be. | Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified. |
6.2 Detection systems | |
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program. |
Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment. |
6.3 Notification systems | |
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption. |
Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture |
Actions for Progress and measurement of the Premier's Priorities
Progress and measurement of the Premier's Priorities
The Premier’s Implementation Unit uses a systematic approach to measuring and reporting progress towards the Premier’s Priorities performance targets, but public reporting needed to improve, according to a report released today by the Auditor-General of NSW, Margaret Crawford.
The Premier of New South Wales has established 12 Premier’s Priorities. These are key performance targets for government.
The 12 Premier's Priorities | |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Source: Department of Premier and Cabinet, Premier’s Priorities website.
Each Premier’s Priority has a lead agency and minister responsible for achieving the performance target.
The Premier’s Implementation Unit (PIU) was established within the Department of Premier and Cabinet (DPC) in 2015. The PIU is a delivery unit that supports agencies to measure and monitor performance, make progress toward the Premier’s Priorities targets, and report progress to the Premier, key ministers and the public.
This audit assessed how effectively the NSW Government is progressing and reporting on the Premier's Priorities.
The Premier’s Implementation Unit (PIU) is effective in assisting agencies to make progress against the Premier’s Priorities targets. Progress reporting is regular but transparency to the public is weakened by the lack of information about specific measurement limitations and lack of clarity about the relationship of the targets to broader government objectives.The PIU promotes a systematic approach to measuring performance and reporting progress towards the Premier’s Priorities’ performance targets. Public reporting would be improved with additional information about the rationale for choosing specific targets to report on broader government objectives.
The PIU provides a systematic approach to measuring performance and reporting progress towards the Premier's Priorities performance targets. Public reporting would be improved with additional information about the rationale for choosing specific targets to report on broader government objectives. The data used to measure the Premier’s Priorities comes from a variety of government and external datasets, some of which have known limitations. These limitations are not revealed in public reporting, and only some are revealed in progress reported to the Premier and ministers. This limits the transparency of reporting.
The PIU assists agencies to avoid unintended outcomes that can arise from prioritising particular performance measures over other areas of activity. The PIU has adopted a collaborative approach to assisting agencies to analyse performance using data, and helping them work across organisational silos to achieve the Premier’s Priorities targets.
Data used to measure progress for some of the Premier’s Priorities has limitations which are not made clear when progress is reported. This reduces transparency about the reported progress. Public reporting would also be improved with additional information about the relationship between specific performance measures and broader government objectives.
The PIU is responsible for reporting progress to the Premier, key ministers and the public. Agencies provide performance data and some play a role in preparing progress reports for the Premier and ministers. For 11 of the Premier's Priorities, progress is reported against measurable and time-related performance targets. For the infrastructure priority, progress is reported against project milestones.
Progress of some Priorities is measured using data that has known limitations, which should be noted wherever progress is reported. For example, the data used to report on housing completions does not take housing demolitions into account, and is therefore overstating the contribution of this performance measure to housing supply. This known limitation is not explained in progress reports or on the public website.
Data used to measure progress is sourced from a mix of government and external datasets. Updated progress data for most Premier’s Priorities is published on the Premier’s Priorities website annually, although reported to the Premier and key ministers more frequently. The PIU reviews the data and validates it through fieldwork with front line agencies. The PIU also assists agencies to avoid unintended outcomes that can arise from prioritising single performance measures. Most, but not all, agencies use additional indicators to check for misuse of data or perverse outcomes.
We examined the reporting processes and controls for five of the Premier’s Priorities. We found that there is insufficient assurance over the accuracy of the data on housing approvals.
The relationships between performance measures and broader government objectives is not always clearly explained on the Premier’s Priority website, which is the key source of public information about the Premier’s Priorities. For example, the Premier’s Priority to reduce litter volumes is communicated as “Keeping our Environment Clean.” While the website explains why reducing litter is important, it does not clearly explain why that particular target has been chosen to measure progress in keeping the environment clean.
By December 2018, the Department of Premier and Cabinet should:
- improve transparency of public reporting by:
- providing information about limitations of reported data and associated performance
- clarifying the relationship between the Premier’s Priorities performance targets and broader government objectives.
- ensure that processes to check and verify data are in place for all agency data sources
- encourage agencies to develop and implement additional supporting indicators for all Premier’s Priority performance measures to prevent and detect unintended consequences or misuse of data.
The Premier's Implementation Unit is effective in supporting agencies to deliver progress towards the Premier’s Priority targets.
The PIU promotes a systematic approach to monitoring and reporting progress against a target, based on a methodology used in delivery units elsewhere in the world. The PIU undertakes internal self-evaluation, and commissions regular reviews of methodology implementation from the consultancy that owns the methodology and helped to establish the PIU. However, the unit lacks periodic independent reviews of their overall effectiveness. The PIU has adopted a collaborative approach and assists agencies to analyse performance using data, and work across organisational silos to achieve the Premier’s Priorities targets.
Agency representatives recognise the benefits of being responsible for a Premier's Priority and speak of the value of being held to account and having the attention of the Premier and senior ministers.
By June 2019, the Department of Premier and Cabinet should:
- establish routine collection of feedback about PIU performance including:
- independent assurance of PIU performance
- opportunity for agencies to provide confidential feedback.
Appendix one: Response from agency
Appendix three: About the audit
Appendix four: Performance auditing
Parliamentary reference - Report number #307 - released 13 September 2018
Actions for Managing Antisocial behaviour in public housing
Managing Antisocial behaviour in public housing
The Department of Family and Community Services (FACS) has not adequately supported or resourced its staff to manage antisocial behaviour in public housing according to a report released today by the Deputy Auditor-General for New South Wales, Ian Goodwin.
In recent decades, policy makers and legislators in Australian states and territories have developed and implemented initiatives to manage antisocial behaviour in public housing environments. All jurisdictions now have some form of legislation or policy to encourage public housing tenants to comply with rules and obligations of ‘good neighbourliness’. In November 2015, the NSW Parliament changed legislation to introduce a new approach to manage antisocial behaviour in public housing. This approach is commonly described as the ‘strikes’ approach.
When introduced in the NSW Parliament, the ‘strikes’ approach was described as a means to:
- improve the behaviour of a minority of tenants engaging in antisocial behaviour
- create better, safer communities for law abiding tenants, including those who are ageing and vulnerable.
FACS has a number of tasks as a landlord, including a responsibility to collect rent and organise housing maintenance. FACS also has a role to support tenants with complex needs and manage antisocial behaviour. These roles have some inherent tensions. The FACS antisocial behaviour management policy aims are:
to balance the responsibilities of tenants, the rights of their neighbours in social housing, private residents and the broader community with the need to support tenants to sustain their public housing tenancies.
This audit assessed the efficiency and effectiveness of the ‘strikes’ approach to managing antisocial behaviour in public housing environments.
We examined whether:
- the approach is being implemented as intended and leading to improved safety and security in social housing environments
- FACS and its partner agencies have the capability and capacity to implement the approach
- there are effective mechanisms to monitor, report and progressively improve the approach.
Conclusion
FACS has not adequately supported or resourced its staff to implement the antisocial behaviour policy. FACS antisocial behaviour data is incomplete and unreliable. Accordingly, there is insufficient data to determine the nature and extent of the problem and whether the implementation of the policy is leading to improved safety and security. FACS management of minor and moderate incidents of antisocial behaviour is poor. FACS has not dedicated sufficient training to equip frontline housing staff with the relevant skills to apply the antisocial behaviour management policy. At more than half of the housing offices we visited, staff had not been trained to:
When frontline housing staff are informed about serious and severe illegal antisocial behaviour incidents, they generally refer them to the FACS Legal Division. Staff in the Legal Division are trained and proficient in managing antisocial behaviour in compliance with the policy and therefore, the more serious incidents are managed effectively using HOMES ASB.
|
Parliamentary reference - Report number #306 - released 10 August 2018
Actions for Internal Controls and Governance 2017
Internal Controls and Governance 2017
Agencies need to do more to address risks posed by information technology (IT).
Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
1. Overall trends
New and repeat findings |
The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved. |
High risk findings |
Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies. |
Common findings |
Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity. |
2. Information Technology
IT security |
Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls. |
Cyber security |
Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Other IT systems |
Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems. |
3. Asset Management
Capital investment |
Agencies report delays delivering against the significant increase in their budgets for capital projects. |
Capital projects |
Agencies are underspending their capital budgets and some can improve capital project governance. |
Asset disposals |
Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes. |
4. Governance
Governance arrangements |
Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues. |
Shared services |
Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set. |
5. Ethics and Conduct
Ethical framework |
Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics. |
Conflicts of interest |
All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
6. Risk Management
Risk management maturity |
All agencies have implemented risk management frameworks, but with varying levels of maturity. |
Risk management elements |
Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency. |
This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.
This new report offers strategic insight on the public sector as a whole
In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.
This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.
Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.
These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.
Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:
- Overall trends
- Information technology
- Asset management
- Governance
- Ethics and conduct
- Risk management.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.
Issues |
Recommendations |
1.1 New and repeat findings |
|
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies. |
Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis. |
1.2 High risk findings |
|
We found seven high risk internal control deficiencies, which might significantly affect agencies. |
Recommendation Agencies should rectify high risk internal control deficiencies as a priority |
1.3 Common findings |
|
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies. |
Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies. |
Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.
Issues | Recommendations |
2.1 IT security |
|
User access administration While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems. |
Recommendation Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:
|
Privileged access Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access. |
Recommendation Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:
|
Password controls Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls. |
Recommendation Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:
|
2.2 Cyber Security |
|
Cyber security framework Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Recommendation The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents. |
Cyber security strategies While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness. |
Recommendations The Department of Finance, Services and Innovation should:
Agencies should ensure they adequately resource staff dedicated to cyber security. |
2.3 Other IT systems |
|
Change control processes Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes. |
Recommendation Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems. |
Disaster recovery planning Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis. |
Recommendation Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans. |
Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:
- manage their major capital projects
- dispose of existing assets.
Issues | Recommendations or conclusions |
3.1 Capital investment |
|
Capital asset investment ratios Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one. |
Recommendation Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs. |
Volume of capital spending Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years. |
Conclusion The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years. |
3.2 Capital projects |
|
Major capital projects Agencies’ major capital projects were underspent by 13 percent against their budgets. |
Conclusion The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time. |
Capital project governance Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects. |
Conclusion Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight. |
3.3. Asset disposals |
|
Asset disposal procedures Agencies need to strengthen their asset disposal procedures. |
Recommendations Agencies should have formal processes for disposing of surplus properties. Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption. |
Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.
This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.
Issues | Recommendations or conclusions |
4.1 Governance arrangements |
|
Continuous disclosure Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations. |
Conclusion Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:
|
4.2 Shared services |
|
Service level agreements Some agencies do not have service level agreements for their shared service arrangements. Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements. |
Conclusion Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:
|
Shared service performance Some agencies do not set performance standards for their shared service providers or regularly review performance results. |
Conclusion Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received. Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money. |
All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.
This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.
We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.
Issues | Recommendations or conclusions |
5.1 Ethical framework |
|
Code of conduct All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
Recommendation Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date. |
Statement of business ethics Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors. |
Conclusion Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture. |
5.2 Potential conflicts of interest |
|
Conflicts of interest All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest. |
Recommendation Agencies should improve the way they manage conflicts of interest, particularly by:
|
Gifts and benefits While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct. |
Recommendation Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff. |
Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.
This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.
Issues | Recommendations or conclusions |
6.1 Risk management maturity |
|
All agencies have implemented risk management frameworks, but with varying levels of maturity in their application. Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence. |
Conclusion Agencies have introduced risk management frameworks and practices as required by the Treasury’s:
However, more can be done to progress risk management maturity and embed risk management in agency culture. |
6.2 Risk management elements |
|
Risk culture Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.
|
Conclusion Agencies can improve their risk culture by:
|
Risk registers and reporting Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level. |
Conclusion Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately. |
Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.
Actions for 2016 - An overview
2016 - An overview
This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.
Financial reporting | |
Observation | Conclusion |
Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. | The quality of financial reporting continued to improve across the NSW public sector. |
More 2015–16 financial statements and audit opinions were signed within three months of the year end. | Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances. |
NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures. |
The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years. To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years. |
Although most agencies complied with NSW Treasury’s early close asset revaluation procedures we identified areas where they can improve. | Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements. |
Number of misstatements | |||||
Year ended 30 June | 2015-16 | 2014-15 | 2013-14 | 2012-13 | 2011-12 |
Total reported misstatements | 298 | 396 | 459 | 661 | 1,077 |
All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.
Significant matters reported to the portfolio Minister, Treasurer and Agency Head
In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:
Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.
In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.
Financial controls | |
Observation | Conclusion |
More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016. |
Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner. |
Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access. | Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected. |
We found shared service provider agreements did not always adequately address information security requirements. |
Where agencies use shared service providers they should consider whether the service level arrangements adequately address information security. |
Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports. | The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand we plan to look at cyber security as part of our 2017–18 performance audit program. |
We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist. | Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes. |
Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. | The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector. |
Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice. | To address backlog maintenance it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level. |
Actions for Building the readiness of the non-government sector for the NDIS
Building the readiness of the non-government sector for the NDIS
The Department of Family and Community Services has managed the risks of the transition to the National Disability Insurance Scheme (NDIS) in New South Wales effectively by increasing the overall capacity of the non-government sector and investing in provider capability.
The National Disability Insurance Scheme (NDIS) is a major reform that aims to change the way disability support is provided and received. Responsibility for overseeing the system to support people with disability in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. Eligible people with disability will receive individual funding from the NDIA and purchase support from their chosen service providers, rather than being referred to services funded or provided by government. The NSW Government will transfer all disability services it currently provides to the non-government sector.
Approximately 78,000 people received NSW Government-funded disability support in 2015–16 at a cost of around $3.3 billion. An estimated 142,000 people will have an individual NDIS support plan in New South Wales, with total funding rising to around $6.8 billion in 2018–19. NDIS trials began in New South Wales in 2013. The full scheme was introduced in July 2016 and is scheduled to be operating across the state by July 2018.
This audit assessed the effectiveness of the NSW Department of Family and Community Services' (the Department's) management of the risks of the NDIS transition in New South Wales. It focused on the Department's work to build the readiness of the non-government sector for the NDIS. To make this assessment, we asked whether:
- the Department supported the non-government sector to build capacity to meet the expected increase in demand under the NDIS
- the Department supported disability service providers in NSW to improve their capability to deliver NDIS services
- the Department's work to prepare for the NDIS has been coordinated with the Australian Government's NDIS readiness work.
In addition to the audit questions above, this audit identified principles governments should consider when building the capacity and capability of the non-government sector to deliver human services.
Conclusion
The Department of Family and Community Services has managed the risks of the transition to the NDIS in New South Wales effectively by increasing the overall capacity of the sector and investing in provider capability building initiatives. More work is needed to build the sector's capacity to provide services to people with more complex support needs and to help existing providers complete the transition to the NDIS successfully.
The Department expanded the capacity of the non-government sector over the past decade in a way that was consistent with NDIS objectives. The development of a national market and workforce for the NDIS is an Australian Government responsibility and the Department has supported the Australian Government's work. More targeted work will be needed to build the capacity of the non-government sector to provide services to people with the most complex support and access needs.
The Department invested in provider capability building by funding programs that were delivered in partnership with sector peak bodies. The larger programs were evaluated and received positive feedback, but many providers will need more support to transition to the NDIS. The overall impact of the programs on provider readiness for the NDIS is not clear because baseline information on provider capability was not collected and targets for improvement were not set.
The Department managed the transition coordination risks by establishing comprehensive governance arrangements, contributing to the Australian Government's sector development work through national policy coordination forums and sharing lessons from New South Wales.
Building the capacity of the non-government sector
The Department supported an increase in the capacity of non-government providers
The Department started building the capacity of the non-government sector before the NDIS was developed. This included moving services provided by government into the non‑government sector, funding early intervention and community-based disability support, and introducing some individual support packages. The Department checks that the business and operational systems of non-government disability providers are adequate. However, its understanding of the outcomes for people using the services is limited.
Service gaps are possible for people with more complex support or access needs
There are risks to the supply of services to people who have more complex support or access needs, including people who need specialist clinical support, people in remote areas, Aboriginal and Torres Strait Islander communities and culturally and linguistically diverse communities. The Department has supported the NDIA's initial market development work and funded some programs to help providers build their capacity to support these groups. However, there is a risk the market will not expand quickly enough to meet the increase in demand for services.
Sector sustainability depends on support from outside the disability services sector
The sustainability of funded disability services provided by the non-government sector depends on support from outside the sector. Most people with disability receive significant unpaid support from family members, so carers will play a key role in the sustainability of the NDIS. There are opportunities for organisations that do not provide specific disability services to contribute to sector sustainability by providing some NDIS services. To do this, many will need help to make their services more accessible and inclusive to people with disability.
Helping non-government providers develop their capability
The Department invested in capability building programs for providers
The Department has spent more than $30 million over six years on programs that aim to improve the capability of disability support providers. This work began before the NDIS was established and was adjusted to focus on NDIS readiness from December 2012. It was guided by an industry development strategy that was developed after consultation with the sector and delivered in partnership with sector peak bodies. This approach gave the sector some responsibility for developing its own capability, which is important because the sector will not receive support from the NSW Government after the transition to the NDIS.
The overall impact of the programs on the capability of providers is not clear
The overall effectiveness of the Department's spending on provider capability is not clear. The Department had some information on the general financial health and organisational capability of providers from previous industry development work. However, baseline information on provider capability was not collected before programs commenced and targets for improvements in provider capability were not set. Without this information, the Department cannot demonstrate clearly that the capability building programs it funded represent good value for money.
Most providers will need more support to transition to the NDIS effectively
In late 2015, the Department assessed the transition progress of providers in New South Wales. This assessment indicates almost one third of providers are highly likely to need additional assistance to transition to the NDIS successfully, with only 14 per cent unlikely to need further assistance. We conducted a survey of 299 providers in New South Wales in August 2016. Most reported that they feel they are on track to transition to the NDIS successfully. Sixty-two per cent said the Department-funded programs and resources they had used had improved their readiness for the NDIS. Fifty-four per cent said the changes made because of using these programs and resources had a lasting impact on their organisation.
Coordinating sector development
Governance systems and planning processes for the NDIS transition were established
The Department developed governance arrangements for the transition in New South Wales. It contributed actively to the development of national policy and strategy documents including a strategy for national market development.
The Department shared sector readiness lessons with the Australian Government
Two NDIS sector readiness programs funded by the NSW Government were later expanded to national programs through funding from the Australian Government. New South Wales only received around five per cent of the total Australian Government funding for NDIS sector readiness initiatives. A report by the Australian National Audit Office in 2016 found there was limited evidence of a strategic approach by the Australian Government when allocating this funding to states and territories.
The Department has monitored transition issues and mitigated these where possible
The Department has monitored administrative issues for providers, which have included the changes in funding arrangements and registering for the NDIS. It has taken action to mitigate these where possible, although some issues, such as the operation of NDIA administrative systems, are beyond its control.
The National Disability Insurance Scheme (NDIS)
The NDIS is a fundamental change to the disability support system
The NDIS is a major reform that aims to make significant changes to the way disability support is provided and received. Under the NDIS, the administration of funding for disability support in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. The NSW and Australian Governments will both contribute to funding the NDIS. The size of the disability services sector in New South Wales is expected to more than double when the NDIS is fully operational (Exhibit 1).
Measure of sector capacity | Pre-NDIS (2015-16) | NDIS (2018-19) |
---|---|---|
Funding for services | $3.3 billion | $6.8 billion |
People receiving support | 78,000 | 142,000 |
Workforce required | 25,000-30,000 | 48,000-59,000 |
Number of providers | 699 | Determined by the market |
One of the main objectives of the NDIS is to increase the choice and control that people with disability have over the support they receive. Under the NDIS, people with disability receive individual funding packages which they can use to pay their chosen providers for the support they need, instead of being referred to services that are deemed appropriate for their needs. This is a fundamental change to the nature of disability support. Before the NDIS, people with disability were moved around the system according to decisions made by government or other organisations providing disability support. Under the NDIS, the funding will move around the system based on the choices people with disability make. The development of the new market for NDIS disability services is expected to take up to ten years because the changes to the system are so extensive.
In addition to increasing choice and control for participants, the NDIS aims to:
- improve outcomes for people with disability by intervening early to help reduce the need for support later in life
- increase integration by helping people with disability access mainstream government services such as health and education
- increase the involvement of people with disability in the community by making it easier to access community services such as sports clubs and community groups.
The transition to the NDIS is underway
The transition to the NDIS is underway in most Australian states and territories, following trials over the last three years. In New South Wales, a trial site was established in the Hunter area in July 2013. Early roll out of the NDIS began in July 2015 for people aged under 18 in the Nepean Blue Mountains area. On 30 June 2016, about 7,800 people had an NDIS plan in the Hunter trial site and around 1,800 people had a plan in the Nepean Blue Mountains area.
The full roll out of the NDIS began in about half of New South Wales in July 2016. The NDIS will start operating in the rest of the state from July 2017 and the transition is scheduled to be completed by July 2018 (Exhibit 2).
For the rest of the transition, the Department of Family and Community Services should:
- Work with the Australian Government, NDIA and other NSW Government agencies to identify gaps and develop the capacity of specialist clinical services, focusing on regional and rural areas.
- Continue to implement projects to increase the number of organisations that can support Aboriginal and Torres Strait Islander and culturally and linguistically diverse communities.
- Target remaining capability building assistance to less prepared providers, including via one-to-one support and mentoring in identified areas of weakness.
- Continue working with the Australian Government and the NDIA to ensure lessons from sector capability programs are shared.
Principles for developing the non-government sector
- Commence work to increase the capacity of the non-government sector early to allow time for service capacity to be built in a sustainable way.
- Decide whether to increase the capacity of the sector by supporting existing providers to expand their operations, attracting new organisations from outside the existing provider group, or some combination of these.
- Tailor approaches to supporting groups that have additional support or access needs because of cultural or geographic factors.
- Define the desired outcomes for people using services and, where possible, include outcomes in service delivery contracts.
- Invest in the sector by partnering with sector peak bodies to deliver capability programs.
- Include one-to-one support and mentoring in capability building programs where possible to improve the targeting of support to the specific needs of providers.
- Collect baseline information on provider capability before commencing programs and build robust tracking and evaluation into their design.
- Establish whole-of-government governance arrangements to ensure roles, responsibilities and accountability for delivery are clear.
Parliamentary reference - Report number #280 - released 23 February 2017
Actions for Implementation of the NSW Government’s program evaluation initiative
Implementation of the NSW Government’s program evaluation initiative
The NSW Government’s ‘program evaluation initiative’, introduced to assess whether service delivery programs achieve expected outcomes and value for money, is largely ineffective according to a report released today by NSW Auditor-General, Margaret Crawford.
Government services, in areas such as public order and safety, health and education, are delivered by agencies through a variety of programs. In 2016–17, the NSW Government estimates that it will spend over $73 billion on programs to deliver services.
Parliamentary reference - Report number #277 - released 3 November 2016