Refine search

Reports

10 December 2020

Published

Transport 2020

Transport

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Project management

1. Financial Reporting
Audit opinion	Unmodified audit opinions issued for the financial statements of all Transport cluster entities.
Quality and timeliness of financial reporting	All cluster agencies met the statutory deadlines for completing the early close and submitting the financial statements. Transport cluster agencies continued to experience some challenges with accounting for land and infrastructure assets. The former Roads and Maritime Services and Sydney Metro recorded prior period corrections to property, plant and equipment balances.
Impact of COVID-19 on passenger revenue and patronage	Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19. The Transport cluster received additional funding from NSW Treasury during the year to support the reduced revenue and additional costs incurred such as cleaning on all modes of public transport and additional staff to manage physical distancing.
Completion of the CBD and South East Light Rail	The CBD and South East Light Rail project was completed and commenced operations in this financial year. At 30 June 2020, the total cost of the project related to the CBD and South East Light Rail was $3.3 billion. Of this total cost, $2.6 billion was recorded as assets, whilst $700 million was expensed.
2. Audit Observations
Internal control	While internal controls issues raised in management letters in the Transport cluster have decreased compared to the prior year, control weaknesses continue to exist in access security for financial systems. We identified 56 management letter findings across the cluster and 43 per cent of all issues were repeat issues. The majority of the repeat issues relate to information technology controls around user access management. There were three high risk issues identified - two related to financial reporting of assets and one for implementation of TAHE (see below).
Agency responses to emergency events	Transport for NSW established the COVID-19 Taskforce in March 2020 to take responsibility for the overall response of planning and coordination for the Transport cluster. It also implemented the COVIDSafe Transport Plan which incorporates guidance on physical distancing, increasing services to support social distancing and cleaning.
RailCorp transition to TAHE	On 1 July 2020, RailCorp was renamed Transport Asset Holding Entity of New South Wales (TAHE) and converted to a for-profit statutory State-Owned Corporation. TAHE is a commercial for-profit Public Trading Entity with the intent to provide a commercial return to its shareholders. A plan was established by NSW Treasury to transition RailCorp to TAHE which covered the period 1 July 2015 to 1 July 2019. A large portion of the planned arrangements were not implemented by 1 July 2020. As at the time of this report, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements are not finalised. The State Owned Corporations Act 1989 generally requires finalisation of an SCI three months after the commencement of each financial year. However, under the Transport Administration Act 1988, TAHE received an extension from the voting shareholders, the Treasurer and Minister for Finance and Small Business, to submit its first SCI by 31 December 2020. In accordance with the original plan, interim commercial access arrangements were supposed to be in place with RailCorp prior to commencement of TAHE. Under the transitional arrangements, TAHE is continuing to operate in accordance with the asset and safety management plans of RailCorp. The final operating model is expected to include considerations of safety, operational, financial and fiscal risks. This should include a consideration of the potential conflicting objectives of a commercial return, and maintenance and safety measures. This matter has been included as a high risk finding in our management letter due to the significance of the financial reporting impacts and business risks for TAHE. Recommendation: TAHE management should: establish an operating model in line with the original intent of a commercial return finalise commercial agreements with the public rail operators confirm forecast financial information to assess valuation of TAHE infrastructure finalise asset and safety management plans. Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base.
Completeness and accuracy of contracts registers	Across the Transport cluster, contracts and agreements are maintained by the transport agencies using disparate registers. Recommendation (repeat): Transport agencies should continue to implement a process to centrally capture all contracts and agreements entered. This will ensure: agencies are fully aware of contractual and other obligations appropriate assessment of financial reporting implications ongoing assessments of accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities' and new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19.
Unqualified audit opinions were issued on all Transport agencies' financial statements.
Transport cluster agencies continued to experience challenges with accounting of land and infrastructure assets.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Transport cluster
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Section highlights

While there was a decrease in findings on internal controls across the Transport cluster, 43 per cent of all issues were repeat issues. Many repeat issues related to information technology controls around user access management.
RailCorp transitioned to TAHE on 1 July 2020. TAHE's operating model and commercial arrangements with public rail operators has not been finalised despite government original plans to be operating from 1 July 2019. TAHE management should finalise its operating model and commercial agreements with public rail operators as they may significantly impact the financial reporting arrangements for TAHE for 2020–21.
Completeness and accuracy of contracts registers remains an ongoing issue for the Transport cluster.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

10 December 2020

Published

Stronger Communities 2020

Justice

Community Services

Asset valuation

Compliance

Financial reporting

Information technology

Internal controls and governance

Management and administration

Service delivery

This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting
Quality of financial reporting	Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements.
Compliance with financial reporting requirements	The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines. Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards.
Financial implications of recent emergencies	Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic. During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to: increased demand for homeless people seeking temporary accommodation additional cleaning requirements bushfire recovery efforts emergency support for eligible small businesses. The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020. The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20.
Restatement of the Sydney Cricket Ground valuation	The valuation of the Sydney Cricket Ground (the Stadium) included costs of $28.6 million which were not eligible for capitalisation. The financial statements were restated to reflect the reduction in the value of the Stadium and the asset revaluation reserve.
Unresolved data quality issues in the VS Connect system	The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes. An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years. Recommendation (repeat issue): The department should resolve the data quality issues in the VS Connect System before 31 March 2021.
AASB 16 'Leases' resulted in significant changes to agencies' financial position	Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019. Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information.
2. Audit observations
Internal control deficiencies	Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high. Recommendation (repeat issue): Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.
Agencies response to recent emergencies	The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20. The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges. The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings.
Managing excess annual leave	Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period. Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million or 11.6 per cent between 30 June 2019 and 30 June 2020.
Implementation of Machinery of Government (MoG) changes	Administrative Arrangement Orders effective from 1 July 2019, created the department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities into the department from the former departments of Justice and Family and Community Services. The department continues to establish its governance arrangements following the MoG changes. Recommendation: The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes: harmonising policies and procedures to ensure a unified approach across the department finalising risk management and monitoring processes across the department updating its delegation instruments to reflect the current organisational structure, delegation limits and roles and responsibilities.
Delivery of the Prison Bed Capacity Program	The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system. Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020.

This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analysis, conclusions and recommendations.

Agencies in the Stronger Communities cluster were significantly impacted by the bushfires, floods and the COVID-19 pandemic in 2019–20. Our 2019–20 financial audits of the seven cluster agencies most significantly impacted by the recent emergency events considered:

the financial implications of the emergency events
changes to agencies' operating models and control environments
delivery of new or expanded projects, programs or services at short notice.

Our findings on these seven agencies' responses to the recent emergencies are included throughout this report. These agencies are:

Department of Communities and Justice
Fire and Rescue NSW
NSW Police Force
Office of the NSW Rural Fire Service
Office of the NSW State Emergency Service
Sydney Cricket and Sports Ground Trust
Venues NSW.

The Department of Communities and Justice is the principal agency of the cluster. The names of all agencies in the Stronger Communities cluster are included in Appendix one.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. All agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.
Emergency events significantly impacted cluster agencies in 2019–20. Agencies received additional funding of $1.1 billion to respond to the emergencies.
Cluster agencies implemented three new accounting standards in 2019–20. Adoption of AASB 16 'Leases' resulted in significant changes to agencies' financial statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Stronger Communities cluster
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.

Section highlights

Almost one-third of internal control issues reported were repeat findings. Cluster agencies should address these issues more promptly.
The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies increased by $430 million in 2019–20.
The department continues to establish its governance arrangements following Machinery of Government changes effective 1 July 2019.

Appendix one – Timeliness of financial reporting by agency

Appendix two – Management letter findings by agency

Appendix three – List of 2020 recommendations

Appendix four – Status of 2019 recommendations

Appendix five – Selected agencies for review of response to emergency events

Appendix six – Financial data

Copyright notice

26 November 2020

Published

Waste levy and grants for waste infrastructure

Planning

Environment

Management and administration

Regulation

Risk

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.

The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014.

Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure.

The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.

Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.

This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.

The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.

The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.

One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.

Conclusion

The waste levy has a positive impact on diverting waste from landfill. However, aspects of the EPA's administration of the waste levy could be improved, including the frequency of its modelling of the waste levy impact and coverage, and the timeliness of reporting. Grant funding programs have supported increases in recycling capacity but are not guided by a clear strategy for investment in waste infrastructure which would help effectively target them to where waste infrastructure is most needed. Data published by the EPA indicates that the NSW Government is on track to meet the recycling target for construction and demolition waste, but recycling targets for municipal solid waste and commercial and industrial waste are unlikely to be met.

Waste levy

The waste levy rate, including a schedule of annual increases to 2016, was set by the NSW Government in 2009. Since 2016, the waste levy rate has increased in line with the consumer price index (CPI). The EPA has not conducted recent modelling to test whether the waste levy is set at the optimal level to achieve its objectives. The waste levy operation was last reviewed in 2012, although some specific aspects of the waste levy have been reviewed more recently, including reviews of waste levy rates for two types of waste. The waste levy is applied at different rates across the state. Decisions about which local government areas (LGAs) are subject to the levy, and which rate each LGA pays, were made in 2009 and potential changes were considered but not implemented in 2014. Currently, there are no objective and transparent criteria for determining which LGAs pay the levy. The EPA collects waste data from waste operators. This data has improved since 2015, but published data is at least one year out of date which limits its usefulness to stakeholders when making decisions relating to waste management.

Grants for waste infrastructure

All state funding for new and enhanced waste infrastructure in NSW is administered through grants to councils and commercial waste operators. The government's Waste and Resource Recovery (WARR) Strategy 2014–21 includes few priorities for waste infrastructure and there is no other waste infrastructure strategy in place to guide investment. The absence of a formal strategy to guide infrastructure investment in NSW limits the ability of the State Government to develop a shared understanding between planners, councils and the waste industry about waste infrastructure requirements and priorities. The Department of Planning, Industry and Environment is currently developing a 20-year waste strategy and there is an opportunity for the government to take a more direct role in planning the type, location and timing of waste infrastructure needed in NSW.

The grants administration procedures used for the grant programs reviewed in this audit were well designed. However, we identified some gaps in risk management, record-keeping and consistency of information provided to applicants and assessment teams. In four of the five programs we examined, there was no direct alignment between program objectives and the NSW Government's overall waste targets.

Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:

Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
Increase waste diverted from landfill to 75 per cent.

A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.

Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.
In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:

Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
Litter grants which provide funding for litter bins.
Weighbridges grants for installation of a weighbridge at waste facilities.
Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.

Appendix one – Responses from audited agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #343 - released 26 November 2020

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

17 August 2020

Published

Governance and internal controls over local infrastructure contributions

Local Government

Planning

Environment

Compliance

Financial reporting

Infrastructure

Internal controls and governance

Management and administration

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today on how well four councils managed their local infrastructure contributions during the 2017-18 and 2018-19 financial years.

Local infrastructure contributions, also known as developer contributions, are collected from developers to pay for local infrastructure such as drainage, local roads, open space and community facilities. Controls over local infrastructure contributions help to ensure that all contributions owed are collected, funds are spent as intended, and any contributions paid in the form of works-in-kind or dedicated land are correctly valued.

The audit found that Blacktown City Council and City of Sydney Council provided effective governance over their local infrastructure contributions whereas Central Coast and Liverpool City Councils’ governance arrangements require improvement.

The audit found that three councils had spent local infrastructure contributions in accordance with approved contributions plans. Central Coast Council and the former Gosford City Council had spent $13.2 million on administration costs in breach of the Environmental Planning and Assessment Act 1979. These funds were repaid into the council’s local infrastructure fund during the course of the audit.

The Auditor-General made a number of recommendations for each council relating to improving controls over contributions and increasing transparency.

Read full report (PDF)

This audit examined the effectiveness of governance and internal controls over local infrastructure contributions, also known as developer contributions, held by four councils during the 2017–18 and 2018–19 financial years.

This performance audit was conducted with reference to the legislative and regulatory planning framework that was in place during that period.

Our work for this performance audit was completed at the end of March 2020 when we issued the final report to the four audited councils and the Department of Planning, Industry and Environment. We received their respective formal responses to the report’s recommendations during April and May 2020.

Concurrently to this audit, we sought Crown Solicitor’s advice (the ‘Advice’) regarding the use of local infrastructure contributions collected by local councils under the Environmental Planning and Assessment Act 1979 (‘the EPA Act’) for our financial audit work. The Advice clarified the applicable legislative requirements with reference to the application, investment and pooling of local infrastructure contributions. The Advice is included in Appendix 2 of this report. The Advice has not impacted on the findings and recommendations of this report.

Councils collect Local Infrastructure Contributions (LICs) from developers under the Environmental Planning and Assessment Act (1979), the Local Government Act (1993) and the City of Sydney Act (2000) (EP&A Act, LG Act and City of Sydney Act) to fund infrastructure required to service and support new development. At 30 June 2018, councils across NSW collectively held more than $3.0 billion in LICs collected from developers. Just over $1.37 billion in total was held by ten councils. Councils collecting LICs must prepare a contributions plan, which outlines how LICs will be calculated and apportioned across different types of infrastructure. Councils that deliver water and sewer services prepare a development servicing plan (DSP) which allows them to collect contributions for water and sewer infrastructure.

Development timeframes are such that there is often several years between when LICs are collected and the infrastructure is required. Good governance and internal controls are needed over these funds to ensure they are available when needed and spent appropriately.

This audit assessed the effectiveness of governance and internal controls over LICs collected by four councils during the 2017–18 and 2018–19 financial years: Blacktown City Council, Central Coast Council, City of Sydney Council and Liverpool City Council. As at June 2018 these councils held the four highest LIC balances, each in excess of $140 million.

Audit Conclusion

Three of the four councils audited were currently compliant with legislation, regulations and Ministerial Directions regarding LICs. All had gaps in governance and controls over LICs which limited effective oversight.

Three of the councils included in the audit complied with legislation, regulations and Ministerial Directions relating to LICs. Central Coast Council breached the EP&A Act between 2001 and 2019 when it used LICs for administration costs. These funds were repaid in late 2019.

While controls over the receipt and expenditure of contributions funds were largely in place at all councils, there were some exceptions relating to valuing work and land delivered in lieu of cash. Three councils do not provide probity guidance in policies relating to LICs delivered through works-in-kind. Three of the councils had contributions plans that were more than five years old.

Staff at all four councils are knowledgeable about LICs but not all councils keep procedures up to date. Three councils' governance frameworks operate effectively with senior officers from across the council involved in decisions about spending LICs, entering into voluntary planning agreements (VPAs) and reviewing contributions plans.

Transparency over key information relating to LICs is important for senior management so they can make informed decisions, and for the community who pay LICs and expect infrastructure to be provided. During the period of the audit, none of the councils included in the audit provided sufficient information to senior management or their councillors about the projected financial status of contributions plans. This information would be valuable when making broader strategic and financial decisions. Information about LIC levies and intended infrastructure is available to the community but not always easy to find.

A strong governance framework is important at each council to ensure that the funds are managed well, available when needed and spent as intended. The audit examined the following features of each council's governance framework as they apply to LICs:

decision-making by councillors and council officers relating to LICs
monitoring delivery of contributions plans and DSPs including:
- reviewing assumptions underlying the plans
- monitoring projected status of plans.

Internal controls over LICs are important to promote accountability, prevent fraud and deliver infrastructure to the required standard at the best possible price. If financial controls are weak or are not implemented well, there is a risk that LICs are misspent or that councils pay too much for infrastructure.

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The audit examined a number of internal controls that manage risks related to LICs. These included:

financial controls over receipt and expenditure of LIC funds
management of conflicts-of-interest when dealing with developers
independent valuations of works-in-kind and dedicated land
ensuring delivery and quality of works-in-kind, and obtaining security from developers in the event of non-delivery or poor quality work
management of variations to VPAs and works-in-kind agreements.

We reviewed controls included in policies and procedures and then checked samples of work to ensure that controls were implemented. We found variation in the controls that councils implemented, and some weaknesses in controls. It is a matter for each council to assess their financial risk and develop internal controls that support the collection, management, and expenditure of LICs. However, councils must be able to assure their communities and developers that they are doing everything possible to collect all LICs owing and that work conducted by developers in lieu of cash payments is properly valued and carried out to the required standard.

Further information about audit findings in relation to internal controls for each council are included in chapters five to eight. The exhibit below demonstrates variation in several controls implemented in the audited councils.

In a 2018 report, the Independent Commission Against Corruption noted that 'the appetite for transparency is expanding in both the public and private sectors'.

The Practice Note and S64 Guidance refer to transparency, including the importance of transparency over:

calculation and apportionment of LICs
funding of infrastructure, including where and when infrastructure is delivered
arrangements made with developers through VPAs.

The LIC system is largely transparent for community members who know where to look

Contributions plans and DSPs are public documents, exhibited to the public before being adopted by council. Councils included in the audit publish their contributions plans and DSPs on their websites and meet statutory requirements with regard to reporting and accessibility of information.

However, other public information relating to the LIC system is fragmented across different websites and reports and varies in detail across councils.

Exhibit 10: Published information about LICs at the four audited councils
	Blacktown City Council	Central Coast Council	City of Sydney Council	Liverpool City Council
Financial details about contributions collected and spent	Financial statements	Financial statements	Financial statements	Financial statements
Implementation plans for spending LICs	Contribution plans	S64 implementation plans in DSPs. S7.11 & S7.12 implementation plans developed annually within capital works plan	Contribution plans	Developed annually within capital works plan
Capital works underway or completed, funded by LICs	Capital works plan and annual report	Not published	Not published	Capital works plan

Source: Audit Office analysis.

The Practice Note states that councils are accountable for providing the infrastructure for which contributions are collected. Demonstrating that infrastructure has been provided is difficult with fragmented information. As an example of transparent reporting, Blacktown City Council's 2018–19 annual report includes information about infrastructure that has been delivered for every contributions plan, providing transparency over how LICs have been spent.

Use of LICs collected under VPAs is not always transparent

Contributions collected under VPAs are not required to demonstrate the same relationship to a development as LICs collected under section 7.11 of the EP&A Act. VPAs are often negotiated because a developer requests a change to a planning instrument, and it is important that these arrangements, and their outcomes, are transparent to the community.

The EP&A Regulation includes mechanisms to ensure that VPAs are partially transparent. VPAs are exhibited to the public and approved by the elected council. Councils must maintain a VPA Register and make the VPA Deeds of Agreement available on request. However, there is no obligation on council to report on the outcomes or delivery of developers' obligations under VPAs. The four audited councils vary in transparency and accessibility of information available about VPAs.

Exhibit 11: Published information about VPAs at the four audited councils
	Blacktown City Council	Central Coast Council	City of Sydney Council	Liverpool City Council
VPA Register	Council website and annual report	Annual report	Annual report	Council website and annual report
VPA Deeds of Agreement	Council website	Available on request	Available on request	Council website
Intended use of LICs collected under VPAs	In Deeds of Agreement	In Deeds of Agreement	In VPA Register and most Deeds of Agreement	In VPA Register and most Deeds of Agreement
Completion of work funded by cash collected under VPAs	Not published	Not published	Not published	Not published
Delivery of works-in-kind or land negotiated under VPAs	Not published	Not published	In VPA Register	Not published

Source: Audit Office analysis.

The Practice Note suggests that councils incorporate the intended use of LICs collected under VPAs in the Deed of Agreement, but there is no guidance relating to transparency over where and when funds have actually been spent. There is merit in councils providing greater transparency over public benefits delivered through VPAs to give communities confidence in VPAs as a planning tool.

Credit arrangements with developers are not always well documented or monitored

When levying LICs, section 7.11(6) of the EP&A Act requires councils to take into account land, money, or works-in-kind that the developer has contributed on other development sites over and above their LIC obligations. This section of the EP&A Act allows a developer to offset a LIC owed on one site against land or works contributed on another. This leads to some developers carrying 'credits' for work delivered to councils, to be paid back by reduced LICs on a future development. Blacktown City Council and Central Coast Council allow developers to carry credits. Liverpool City Council and City of Sydney Council do not permit credits and instead pay the developers for any additional work undertaken.

Councils should formally document credit arrangements and have a robust process to validate and keep track of credit balances and report on them. Central Coast Council does not keep good track of credit arrangements and neither Blacktown City Council or Central Coast Council aggregate or report on outstanding credit balances.

Blacktown City Council manages the largest LIC fund in NSW and negotiates more VPAs than any other council. Overall, Blacktown City Council demonstrates effective governance over the LIC funds but there is scope for improved oversight of the projected financial status of contributions plans and credit arrangements with developers. Blacktown City Council also needs to update its operating procedures relating to LICs and improve security over key information.

Blacktown City Council is managing areas with high growth. There is a risk that Blacktown City Council will be unable to collect sufficient LICs to fund the infrastructure required to support that growth. However, Blacktown City Council does not assess and report to senior management or its Audit, Risk and Improvement Committee about the projected financial status of contributions plans.

Blacktown City Council has policies in place to guide the management of LICs although management of credit arrangements with developers requires greater oversight. Policies relating to works-in-kind agreements provide no guidance about probity in negotiations with developers and valuations of works-in-kind are not independent as they are paid for by the developer. Blacktown City Council's S7.11 committee structure could act as a model for other councils. Blacktown City Council is spending LICs according to its contributions plans. Staff managing LICs demonstrate good knowledge of the regulatory environment. However, a number of administrative processes need attention such as outdated procedures, lack of security over key spreadsheets, and inappropriate retention of sensitive personal data.

Recommendations

By December 2020, Blacktown City Council should:

regularly report to senior management on the projected financial status of contributions plans
update council's works-in-kind policy to address probity risks during negotiations with developers
mitigate risks associated with lack of independence in valuations of works-in-kind
improve public reporting about expenditure of cash collected under VPAs
improve management oversight of credit arrangements with developers
update procedures for managing LICs
implement security measures over critical or personal information and spreadsheets.

Central Coast Council's governance and internal controls over LICs were not fully effective. Between 2001 and 2019, more than $13.0 million in LICs was misspent on administration costs in breach of the EP&A Act. There is scope for improved oversight of the projected financial status of contributions plans and credit arrangements with developers. Policies and procedures from the two former councils are not aligned.

In May 2016, the newly amalgamated Central Coast Council inherited 53 contributions plans from the former Gosford City and Wyong Shire Councils. Managing this number of contributions plans fragments the available funds and increases complexity. Central Coast Council is currently working on consolidating these plans. Between June 2016 and June 2019, its LIC balance doubled from $90.0 million to $196 million. Central Coast Council does not assess and report to senior management or its Audit, Risk and Improvement Committee about the projected financial status of contributions plans. Central Coast Council has a LIC committee but it has no formal charter and senior officers do not regularly attend meetings. This limits the committee's effectiveness as a decision-making body. A draft policy relating to works-in-kind agreements provide no guidance about probity in negotiations with developers. Valuations of works-in-kind and land dedications are not independent as they are paid for by the developer.

Central Coast Council has adjusted its accounts in 2018–19 by $13.2 million to repay the LIC fund for administration expenses that were not provided for in 40 contributions plans.

Recommendations

By June 2020, Central Coast Council should:

1. obtain independent validation of the adjustment made to the restricted asset accounts and general fund to repay LICs spent on administration, and adjustments made to each infrastructure category within the contributions plans

2. publish current contributions plans from the former Gosford City Council on the Central Coast Council website.

By December 2020, Central Coast Council should:

3. regularly report to senior management on the projected financial status of contributions plans

4. increase transparency of information available to the public about LIC works planned and underway, including intended use of contributions collected under VPAs

5. consolidate existing plans, ensuring the new contributions plans includes a regular review cycle

6. develop a formal charter for the developer contributions committee and increase the seniority of membership

7. complete and adopt council's works-in-kind policy currently under development, ensuring it addresses probity risks during negotiations with developers

8. mitigate risks associated with lack of independence in valuations of works-in-kind and dedicated land

9. improve public reporting about expenditure of cash collected under VPAs

10. improve management oversight of credit arrangements with developers

11. implement security measures to ensure the integrity of key spreadsheets used to manage LICs

12. align policies and procedures relating to LICs across the amalgamated council including developing policies and procedures for the management of S64 LICs

13. update council's VPA policy to address increased or indexed bank guarantees to accommodate cost increases.

City of Sydney Council manages a complex development environment across the Sydney CBD and inner suburbs. Overall, governance and internal controls over LICs are effective although there is scope for improved oversight of the projected financial status of contributions plans.

City of Sydney Council maintains a large balance of LICs, although not excessive relative to the annual level of LIC expenditure. Unspent contributions are largely associated with open space infrastructure that cannot be delivered until suitable land is available. Thirty per cent of cash contributions are collected under VPAs and there is limited transparency over how these funds are spent. City of Sydney Council does not assess and report to management or its Audit, Risk and Compliance Committee about the projected financial status of contributions plans.

In 2017–18 and 2018–19, LICs were spent in accordance with the corresponding contributions plans. City of Sydney Council staff are knowledgeable about the regulatory environment and are supported by up-to-date policies and procedures.

Recommendations

By December 2020, City of Sydney Council should:

regularly report to senior management on the projected financial status of contributions plans
improve public reporting about expenditure of cash collected under VPAs
periodically review the risk of unpaid LICs associated with complying development certificates and assess whether additional controls are required
implement security measures to ensure the integrity of key spreadsheets used to manage LICs.

During the audit period 2017–18 and 2018–19, Liverpool City Council did not have effective governance and internal controls over LICs. Liverpool City Council is addressing deficiencies and risks identified through an internal audit published in December 2018 although further work is required. There is scope for improved oversight of the projected financial status of contributions plans.

In the two years to 30 June 2019, the balance of unspent LICs increased by more than 60 per cent against a relatively low pattern of expenditure. Prior to an internal audit completed in late 2018, there was no regular reporting on the status of LICs and a lack of transparency when prioritising the expenditure of LIC funds. During 2019, and following the internal audit, Liverpool City Council engaged additional skilled resources to improve focus and accountability for LICs. A LIC committee has been established to manage contributions plans and support business units to initiate relevant infrastructure projects, although it is too early to assess whether this committee is operating effectively. From February 2019, Liverpool City Council commenced monthly reporting to its Chief Executive Officer (CEO) about the point-in-time status of LIC funds, and to its Audit, Risk and Improvement Committee about risks associated with LICs and the implementation of internal audit recommendations. There is limited reporting to senior management about the projected financial status of some contributions plans. Our audit found no evidence of misuse of funds during the audited period. Methods for valuing work and land are not aligned with policies and procedures and are implemented inconsistently. In addition, valuations of works-in-kind and land dedications are not independent as they are paid for by the developer. The policy relating to works-in-kind provides no guidance about managing probity risks when negotiating with developers.

Recommendations

By December 2020, Liverpool City Council should:

regularly report to senior management on the projected financial status of contributions plans
update council's policies and procedures to provide consistent guidance about how works and land offered by developers should be valued
update council's Works-in-Kind and Land Acquisition Policy to address probity risks during negotiations with developers
improve public reporting about expenditure of cash collected under VPAs
mitigate risks associated with lack of independence in valuations of works-in-kind and dedicated land
implement security measures over critical or private information.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Advice from the Crown Solicitor

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #339 - released 17 August 2020

11 June 2020

Published

CBD South East Sydney Light Rail: follow-up performance audit

Transport

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Risk

Service delivery

This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.

The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.

The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.

The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.

Read full report (PDF)

The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.

Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).

On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.

In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.

In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.

Conclusion

Transport for NSW has not consistently and accurately updated CSLER project costs, limiting the transparency of reporting to the public. In line with the NSW Government Benefits Realisation Management Framework, TfNSW intends to measure benefits after the project is completed and has not updated the expected project benefits since April 2015.

Between February 2015 and December 2019, Transport for NSW (TfNSW) regularly updated capital expenditure costs for the CSELR in internal monthly financial performance and risk reports. These reports did not include all the costs incurred by TfNSW to manage and commission the CSELR project.

Omitted costs of $153.84 million for early enabling works, the small business assistance package and financing costs attributable to project delays will bring the current estimated total cost of the CSELR project to $3.147 billion.

From February 2015, TfNSW did not regularly provide the financial performance and risk reports to key CSELR project governance bodies. TfNSW publishes information on project costs and benefits on the Sydney Light Rail website. However, the information on project costs has not always been accurate or current.

TfNSW is working with OpCo partners to deliver the expected journey time benefits. A key benefit defined in the business plan was that bus services would be reduced owing to transfer of demand to the light rail - entailing a saving. However, TfNSW reports that the full expected benefit of changes to bus services will not be realised due to bus patronage increasing above forecasted levels.

Appendix one – Response from agency

Appendix two – Governance and reporting arrangements for the CSELR

Appendix three – 2018 CSELR governance changes

Appendix four – About the audit

Appendix five – Performance auditing

Copyright notice

Parliamentary reference - Report number #335 - released 11 June 2020

30 April 2020

Published

Train station crowding

Transport

Management and administration

Risk

Service delivery

Workforce and capability

This report focuses on how Transport for NSW and Sydney Trains manage crowding at selected metropolitan train stations.

The audit found that while Sydney Trains has identified platform crowding as a key strategic risk, it does not have an overarching strategy to manage crowding in the short to medium term. Sydney Trains 'do not have sufficient oversight to know if crowding is being effectively managed’, the Auditor-General said.

Sydney Trains' operational response to crowding involves restricting customer access to platforms or station entries before crowding reaches unsafe levels or when it impacts on-time running. Assuming rail patronage increases, it is likely that Sydney Trains will restrict more customers from accessing platforms or station entries, causing customer delay. ‘Restricting customer access to platforms or station entries is not a sustainable approach to manage station crowding’, said the Auditor-General.

The Auditor-General made seven recommendations to improve Transport for NSW and Sydney Trains' management of station crowding. Transport for NSW have accepted these recommendations on behalf of the Transport cluster.

Public transport patronage has been impacted by COVID-19. This audit was conducted before these impacts occurred.

Read full report (PDF)

Sydney Trains patronage has increased by close to 34 per cent over the last five years, and Transport for NSW (TfNSW) expects the growth in patronage to continue over the next 30 years. As patronage increases there are more passengers entering and exiting stations, moving within stations to change services, and waiting on platforms. As a result, some Sydney metropolitan train stations are becoming increasingly crowded.

There are three main causes of station crowding:

patronage growth exceeding the current capacity limits of the rail network
service disruptions
special events.

Crowds can inhibit movement, cause discomfort and can lead to increased health and safety risks to customers. In the context of a train service, unmanaged crowds can affect service operation as trains spend longer at platforms waiting for customers to alight and board services which can cause service delays. Crowding can also prevent customers from accessing services.

Our 2017 performance audit, ‘Passenger Rail Punctuality’, found that rail agencies would find it hard to maintain train punctuality after 2019 unless they significantly increased the capacity of the network to carry trains and people. TfNSW and Sydney Trains have plans to improve the network to move more passengers. These plans are set out in strategies such as More Trains, More Services and in the continued implementation of new infrastructure such as the Sydney Metro. Since 2017, TfNSW and Sydney Trains have introduced 1,500 more weekly services to increase capacity. Additional network capacity improvements are in progress for delivery from 2022 onwards.

In the meantime, TfNSW and Sydney Trains need to use other ways of managing crowding at train stations until increased capacity comes on line.

This audit examined how effectively TfNSW and Sydney Trains are managing crowding at selected metropolitan train stations in the short and medium term. In doing so, the audit examined how TfNSW and Sydney Trains know whether there is a crowding problem at stations and how they manage that crowding.

TfNSW is the lead agency for transport in NSW. TfNSW is responsible for setting the standard working timetable that Sydney Trains must implement. Sydney Trains is responsible for operating and maintaining the Sydney metropolitan heavy rail passenger service. This includes operating, staffing and maintaining most metropolitan stations. Sydney Trains’ overall responsibility is to run a safe rail network to timetable.

Conclusion

Sydney Trains has identified platform crowding as a key strategic risk, but does not have an overarching strategy to manage crowding in the short to medium term. TfNSW and Sydney Trains devolve responsibility for managing crowding at stations to Customer Area Managers, but do not have sufficient oversight to know if crowding is being effectively managed. TfNSW is delivering a program to influence demand for transport in key precincts but the effectiveness of this program and its impact on station crowding is unclear as Transport for NSW has not evaluated the outcomes of the program.

TfNSW and Sydney Trains do not directly measure or collect data on station crowding. Data and observation on dwell time, which is the time a train waits at a platform for customers to get on and off trains, inform the development of operational approaches to manage crowding at stations. Sydney Trains has KPIs on reliability, punctuality and customer experience and use these to indirectly assess the impact of station crowding. TfNSW and Sydney Trains only formally assess station crowding as part of planning for major projects, developments or events.

Sydney Trains devolve responsibility for crowd management to Customer Area Managers, who rely on frontline Sydney Trains staff to understand how crowding affects individual stations. Station staff at identified key metropolitan train stations have developed customer management plans (also known as crowd management plans). However, Sydney Trains does not have policies to support the creation, monitoring and evaluation of these plans and does not systematically collect data on when station staff activate crowding interventions under these plans.

Sydney Trains stated focus is on providing a safe and reliable rail service. As such, management of station crowding is a by-product of its strategies to manage customer safety and ensure on-time running of services. Sydney Trains' operational response to crowding involves restricting customer access to platforms or stations before crowding reaches unsafe levels, or when it impacts on-time running. As rail patronage increases, it is likely that Sydney Trains will need to increase its use of interventions to manage crowding. As Sydney Trains restrict more customers from accessing platforms or station entries, it is likely these customers will experience delays caused by these interventions.

Since 2015, TfNSW has been delivering the 'Travel Choices' program which aims to influence customer behaviour and to manage the demand for public transport services in key precincts. TfNSW is unable to provide data demonstrating the overall effectiveness of this program and the impact the program has on distributing public transport usage out of peak AM and PM times. TfNSW and Sydney Trains continue to explore initiatives to specifically address crowd management.

Conclusion

TfNSW and Sydney Trains do not directly measure or collect data on station crowding. There are no key performance indicators directly related to station crowding. Sydney Trains uses performance indicators on reliability, punctuality and customer experience to indirectly assess the impact of station crowding. Sydney Trains does not have a routine process for identifying whether crowding contributed to minor safety incidents. TfNSW and Sydney Trains formally assess station crowding as part of planning for major projects, developments or events.

Conclusion

Sydney Trains has identified platform crowding as a strategic risk but does not have an overarching strategy to manage station crowding. Sydney Trains' stated focus is on providing a safe and reliable rail service. As such, management of station crowding is a by-product of its strategies to manage customer safety and ensure on-time running of services.

Sydney Trains devolve responsibility for managing crowding at stations to Customer Area Managers but does not have sufficient oversight to know that station crowding is effectively managed. Sydney Trains does not have policies to support the creation, monitoring or evaluation of crowd management plans at key metropolitan train stations. The use of crowding interventions is likely to increase due to increasing patronage, causing more customers to experience delays directly caused by these activities.

TfNSW and Sydney Trains have developed interventions to influence customer behaviour and to manage the demand for public transport services but are yet to evaluate these interventions. As such, their impact on managing station crowding is unclear.

Appendix one – Response from agency

Appendix two – Sydney rail network

Appendix three – Rail services contract

Appendix four – Crowding pedestrian modelling

Appendix five – Airport Link stations case study

Appendix six – About the audit

Appendix seven – Performance auditing

Copyright notice

Parliamentary reference - Report number #333 - released 30 April 2020

9 April 2020

Published

Destination NSW's support for major events

Treasury

Financial reporting

Management and administration

Procurement

Project management

Service delivery

This report focuses on whether Destination NSW (DNSW) can demonstrate that its support for major events achieves value for money.

The audit found that DNSW’s processes for assessing and evaluating the major events it funds are mostly effective, but its public reporting does not provide enough transparency.

DNSW provides clear information to event organisers seeking funding and has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money. However, DNSW’s internal reporting to its key decision‑makers, including the CEO, the Board and the Minister is appropriate.

The Auditor-General made four recommendations to DNSW, aimed at improving the transparency of its activities, improving the documentation of decisions and certain compliance matters, and streamlining its approach to assessing and evaluating events that receive smaller amounts of funding.

Read full report (PDF)

Destination NSW (DNSW) provides funding to attract a range of major events to New South Wales, including high-profile professional sports matches and tournaments, musicals, art and museum exhibitions, and participation-focused events such as festivals and sports events that members of the public can enter. The NSW Government's rationale for providing funding is to encourage event organisers to hold events in New South Wales, and to ensure that events held in New South Wales maximise the potential for attracting overseas and interstate visitors.

This audit assessed whether DNSW can demonstrate that its support for major events achieves value for money. In making this assessment, the audit examined whether:

DNSW effectively assesses proposals to support major events
DNSW effectively evaluates the impact of its support for major events.

This audit focused on DNSW's work to attract major events to New South Wales. It did not assess DNSW's tourism promotion or development work, which includes developing tourism strategies, marketing and advertising campaigns, national and international partnerships, and regional programs.

Conclusion

Destination NSW's processes for assessing event applications and evaluating its support for major events are mostly effective. DNSW's internal systems allow it to know whether its decisions are achieving value for money. Its public reporting does not provide enough information about its activities and their outcomes, although it is consistent with that of equivalent organisations in other Australian jurisdictions.

DNSW's process for assessing applications for funding from organisers of major events is mostly effective. Clear information is provided to event organisers seeking funding, and DNSW has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW has a framework for disclosure and monitoring staff conflicts of interest. However, its forms for staff to disclose conflicts of interest on specific events they are working on are ambiguous. DNSW's management of gifts and benefits broadly complies with the minimum standards set by the Public Service Commission, but there are some gaps in its implementation of these.

DNSW conducts an evaluation of each major event it supports. DNSW articulates expected outcomes in contracts with event organisers and uses a sound methodology to evaluate events. Internal reporting to its key decision-makers, including the CEO, the Board and the Minister is appropriate. However, DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money.

Appendix one – Response from Destination NSW

Appendix two – About the audit

Appendix three – Performance auditing

Copyright Notice

Parliamentary reference - Report number #332 - released 9 April 2020.

20 December 2017

Published

Internal Controls and Governance 2017

Finance

Education

Community Services

Health

Justice

Whole of Government

Asset valuation

Compliance

Cyber security

Information technology

Internal controls and governance

Project management

Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.

1. Overall trends

New and repeat findings	The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.
High risk findings	Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.
Common findings	Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security	Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.
Cyber security	Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.
Other IT systems	Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment	Agencies report delays delivering against the significant increase in their budgets for capital projects.
Capital projects	Agencies are underspending their capital budgets and some can improve capital project governance.
Asset disposals	Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements	Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.
Shared services	Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework	Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.
Conflicts of interest	All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management

Risk management maturity	All agencies have implemented risk management frameworks, but with varying levels of maturity.
Risk management elements	Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

Overall trends
Information technology
Asset management
Governance
Ethics and conduct
Risk management.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues	Recommendations
1.1 New and repeat findings
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.	Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.
1.2 High risk findings
We found seven high risk internal control deficiencies, which might significantly affect agencies.	Recommendation Agencies should rectify high risk internal control deficiencies as a priority
1.3 Common findings
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies.	Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.

Issues

Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

establish and enforce clear policies and procedures
review user access regularly
remove user access for terminated staff promptly
change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

only grant privileged access in line with the responsibilities of a position
review the level of access regularly
limit privileged access to necessary functions and data
monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

minimum password lengths and complexity requirements
limits on the number of failed log-in attempts
password history (such as the number of passwords remembered)
maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

manage their major capital projects
dispose of existing assets.

Issues

Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 percent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3. Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues

Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

regular public disclosure of key performance information
disclosure of both positive and negative information
prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

specify the controls a provider must maintain
specify key performance targets
include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues

Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

requiring senior executives to make a conflict-of-interest declaration at least annually
implementing processes to identify and address outstanding declarations
providing annual training to staff
maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues

Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

'Risk Management Toolkit for the NSW Public Sector'
'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

setting an appropriate tone from the top
training all staff in effective risk management
ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

11 April 2017

Published

Passenger Rail Punctuality

Transport

Information technology

Infrastructure

Service delivery

A NSW Government priority is to ‘maintain or improve reliability of public transport services over the next four years’. Punctuality is a key element of reliability, and the level of patronage is a critical factor in the ability to maintain punctuality. Increasing patronage places pressure on the length of time trains need to wait at stations to load and offload passengers which can lead to delays. The NSW Long Term Transport Master Plan forecasts that rail patronage could increase by 26 per cent between 2012 and 2031.

Passenger rail services in NSW are provided under a purchaser-provider model. Transport for NSW enters contracts with:

Sydney Trains for Sydney suburban passenger rail services
NSW Trains for services that commence or terminate outside Sydney, including intercity services that operate between Central station and the South Coast, Southern Highlands, Blue Mountains and Central Coast and Newcastle.

Transport for NSW sets performance targets and standards for these services, develops the timetables, procures trains for the service providers, and is responsible for long term planning.

This audit assessed whether these rail agencies have plans and strategies to maintain or improve performance in getting the growing number of suburban and intercity rail passengers to their destinations on time.

Conclusion:

Rail agencies are well placed to manage the forecast increase in passengers up to 2019, including joining the Sydney Metro Northwest to the network at Chatswood. Their plans and strategies are evidence-based, and mechanisms to assure effective implementation are sound.

Based on forecast patronage increases, the rail agencies will find it hard to maintain punctuality after 2019 unless the capacity of the network to carry trains and people is increased significantly. If recent higher than forecast patronage growth continues, the network may struggle to maintain punctuality before 2019.

Transport for NSW has undertaken considerable work on developing strategies to increase capacity and maintain punctuality after 2019, but remains some way from putting a costed plan to the government. There is a significant risk that investments will not be made soon enough to handle future patronage levels. Ideally, planning and investment decisions should have been made already.

Punctuality measurement is satisfactory, but agencies could publish more information

Passenger rail punctuality indicators adopted in NSW are good practice. The key train punctuality indicator is better than indicators used by many other rail operators. It is also better than the on-time-running indicator that it replaced. Unlike the on-time-running indicator, the punctuality indicator classifies trains that have been cancelled or skipped stations as late and results are not adjusted to take account of delays caused by factors such as extreme weather or police operations.

NSW also has a customer delay measure which represents good practice. Work has started on refining and embedding customer delay as a key performance measure for the planned new Rail Operations Centre.

As train frequency approaches a ‘turn up and go’ level of service, rather than running to a timetable, more emphasis will need to be placed on excess waiting time and customer delay when assessing performance.

Measurement of punctuality is reasonably precise. There are some measurement inaccuracies which should be addressed, such as the estimated arrival time of a train being incorrect at some destination stations, but these do not affect punctuality results materially.

Train punctuality is reported publicly, but not to the detail of the indicators in the contracts between Transport for NSW and Sydney Trains and NSW Trains. There is very limited public reporting of customer delay.

Overall punctuality is good, but some services are relatively poor

System-wide train punctuality has usually exceeded target since 2005, but some services suffer from poor punctuality compared to the rest of the network.

The part of the network around North Sydney is creating problems for the punctuality of afternoon peak services heading through it and out to Western Sydney and to Hornsby via Strathfield. Transport for NSW and Sydney Trains are well advanced with strategies to address this up to 2019.

The East Hills express trains in the afternoon peak also performed well below target. The rail agencies recently analysed this issue and believe it relates to the train timetable and signalling which restricts how close trains can run behind each other into Campbelltown. It further advises that this will be corrected over the next three years.

Intercity train punctuality is below that of suburban trains and there was an extended period of declining punctuality between 2011 and 2014. Transport for NSW suggested that the old age of trains is a factor, and the recently announced intercity fleet acquisition may help address this. Apart from ensuring that train crew and station staff are available and perform their duties adequately, NSW Trains can do little to impact the punctuality of its intercity services directly. Train maintenance, track and signal maintenance, and management of trains on the rail network are performed by Sydney Trains. NSW Trains’ ability to influence improvement is hampered by key indicators in some contracts being undefined. Transport for NSW, Sydney Trains and NSW Trains are now working collaboratively to make improvements to the contracts.

Initiatives are in place or are planned to deliver good punctuality until 2019

Patronage increases, which can lead to overcrowding and trains having to wait longer at stations, are likely to present a significant challenge to maintaining punctuality into the future.

Based on patronage projections, the rail agencies have strategies to maintain punctuality up to and including joining the Sydney Metro Northwest to the network at Chatswood in 2019. These include improving infrastructure at particular parts of the network, increasing staff training, reducing the number of speed restrictions, and a new Rail Operations Centre. The projects are being managed by experienced staff, with good governance arrangements, quality assurance processes and planning systems in place. New timetables should provide more services and cater for more passengers, including off peak. They should increase network efficiency through better utilisation of capacity, but some passengers may face longer journey times and more may need to change trains mid-journey.

The planned Rail Operations Centre has the potential to make operational decision-making more customer-focussed, by placing more emphasis on minimising customer delay during disruptions. If implemented well, it will also generate information to help agencies better identify the root cause of incidents that delay trains and improve communication with passengers so they can make better real-time travel decisions.

Predicted passenger growth presents a risk to punctuality after 2019

The rail system will struggle to maintain punctuality much beyond 2019 based on current patronage forecasts and system limitations.

From 2024, the Sydney Metro City and Southwest will help by extending the metro network from Chatswood under Sydney Harbour, through the city and out to Bankstown. Announced fleet upgrades will also help. Transport for NSW advises that it is also working with the Greater Sydney Commission to ensure network capacity constraints are considered in future urban planning.

In addition to investment in new metro networks, sustained and substantial investment needs to be made into the existing heavy rail network to meet demand and ensure its ongoing reliability. Transport for NSW has been developing strategies for this purpose, including an Advanced Train Control system. Its aim is to put a costed plan to the government by the third quarter of this (2017) calendar year. Given the likely lead times involved with major infrastructure projects, there remains a significant risk of poor punctuality after 2019.

Punctuality could be at risk sooner if recent patronage growth continues

If patronage continues to increase at a faster rate than forecast, particularly during the morning peak, the network will struggle to cope before 2019. Transport for NSW forecast that between 2011 and 2026 morning peak rail patronage would increase each year by approximately 3.3 per cent. Between 2011 and 2016 the number of passengers travelling to the city during the morning peak grew by an average of 4.4 per cent each year, including annual growth of 6.6 per cent since May 2014.

A good understanding of patronage levels, trends and drivers is critical to effective planning. The audit identified some shortcomings in measurement of peak passenger loads. Transport for NSW advised that measurement approaches have been improved recently, and this will soon flow into improved data quality.

Given the increasing flexibility in work practices available to many city workers, the relatively new field of behavioural insights may offer opportunities to ‘nudge’ some passengers away from travelling at the height of the peak with benefits for them and the network.

Transport for NSW should ensure that programs to address rail patronage growth over the next five to ten years are provided to the government for Cabinet consideration as soon as possible.
Sydney Trains and Transport for NSW should:
a) maintain effective oversight and resourcing for all strategies designed to address rail patronage growth
b) adjust strategies for any patronage growth above projection.
Sydney Trains, NSW Trains and Transport for NSW should publish Customer Delay results by June 2018.
Transport for NSW, Sydney Trains and NSW Trains should agree by December 2017:
a) specific performance requirements for intercity train, track and signal availability and reliability
b) guidelines for train priorities during disruptions and indicators of control centre performance in implementing these guidelines.
Sydney Trains, NSW Trains and Transport for NSW should by June 2018:
a) improve the accuracy of patronage measurement and develop a better understanding of patronage growth trends
b) address small errors in the adjustment factors used for determining a train’s punctuality status
c) improve their understanding of the factors impacting on intercity punctuality.
Transport for NSW should, commencing June 2017, explore the potential to use behavioural insights to encourage more passengers to travel outside the height of the morning peak (8 am to 9 am).

Appendix one - Response from the agencies

Appendix two - Response from Audit Office

Appendix three - About the audit

Appendix four - Accuracy of punctuality measurement

Appendix five - Train and customer punctuality

Parliamentary reference - Report number #281 - released 11 April 2017

Audit progress

Sector

Year

Report type

Topic

Reports

1. Financial Reporting

2. Audit Observations

Section highlights

Section highlights

1. Financial reporting

2. Audit observations

Section highlights

Section highlights

Conclusion

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Audit Conclusion

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The LIC system is largely transparent for community members who know where to look

Use of LICs collected under VPAs is not always transparent

Credit arrangements with developers are not always well documented or monitored

City of Sydney Council manages a complex development environment across the Sydney CBD and inner suburbs. Overall, governance and internal controls over LICs are effective although there is scope for improved oversight of the projected financial status of contributions plans.

Conclusion

Conclusion

Conclusion

Conclusion

Conclusion

1. Overall trends

2. Information Technology

3. Asset Management

4. Governance

5. Ethics and Conduct

6. Risk Management

This new report offers strategic insight on the public sector as a whole

2.1 IT security

2.2 Cyber Security

2.3 Other IT systems

3.1 Capital investment

3.2 Capital projects

3.3. Asset disposals

4.1 Governance arrangements

4.2 Shared services

5.1 Ethical framework

5.2 Potential conflicts of interest

6.1 Risk management maturity

6.2 Risk management elements

Punctuality measurement is satisfactory, but agencies could publish more information

Overall punctuality is good, but some services are relatively poor

Initiatives are in place or are planned to deliver good punctuality until 2019

Predicted passenger growth presents a risk to punctuality after 2019

Punctuality could be at risk sooner if recent patronage growth continues