Refine search Expand filter

Reports

Published

Actions for Service NSW's handling of personal information

Service NSW's handling of personal information

Premier and Cabinet
Finance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

  • Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
  • Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
  • Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

  • to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
  • to better reflect the full scope and complexity of personal information handled by Service NSW
  • to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
  • to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

  • ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
  • ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

  • establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
  • enable partitioning and role based access restrictions to personal information collected for different programs
  • provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
  • enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

  • are identified as high risk and have not previously had a privacy impact assessment
  • have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Procurement and reporting of consultancy services

Procurement and reporting of consultancy services

Finance
Education
Community Services
Industry
Justice
Planning
Premier and Cabinet
Health
Treasury
Transport
Environment
Information technology

Agencies need to improve their compliance with requirements governing the procurement of consultancy services. These requirements help agencies access procurement savings. Also, some agencies have under-reported consultancy fees in their annual reports for the 2016-17 financial year, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. The report examined twelve agencies' compliance with procurement and reporting obligations for consultancy services. It notes that it is difficult to quantify total government expenditure on consultants as agencies define ‘consultants’ differently.

NSW Government agencies engage consultants to provide professional advice to inform their decision‑making. The spend on consultants is measured and reported in different ways for different purposes and the absence of a consistently applied definition makes quantification difficult.

The NSW Government’s procurement principles aim to help agencies obtain value for money and be fair, ethical and transparent in their procurement activities. All NSW Government agencies, with the exception of State Owned Corporations, must comply with the NSW Procurement Board’s Direction when engaging suppliers of business advisory services. Business advisory services include consultancy services. NSW Government agencies must disclose certain information about their use of consultants in their annual reports. The table below illustrates the detailed procurement and reporting requirements.

  Relevant guidance Requirements
Procurement of consultancy services PBD 2015 04 Engagement of major suppliers of consultancy and other services (the Direction) including the Standard Commercial Framework
(revised on 31 January 2018, shortly before it was superseded by 'PBD 2018 01')
 
Required agencies to seek the Agency Head or Chief Financial Officer's approval for engagements over $50,000 and report the engagements in the Major Suppliers' Portal (the Portal). 
  PBD 2018 01 Engagement of professional services suppliers
(replaced 'PBD 2015 04' in May 2018)
Requires agencies to seek the Agency Head or Chief Financial Officer's approval for engagements that depart from the Standard Commercial Framework and report the engagements in the Portal. Exhibit 3 in the report includes the key requirements of these three Directions.
 
Reporting of consultancy expenditure Annual Reports (Departments) Regulation 2015 and Annual Reports (Statutory Bodies) Regulation 2015 Requires agencies to disclose, in their annual reports, details of consultants engaged in a reporting year.
  Premier's Memorandum 
'M2002 07 Engagement and Use of Consultants'
 
Outlines additional reporting requirements for agencies to describe the nature and purpose of consultancies in their annual reports.

We examined how 12 agencies complied with their procurement and reporting obligations for consultancy services between 1 July 2016 and 31 March 2018. Participating agencies are listed in Appendix two. We also examined how NSW Procurement supports the functions of the NSW Procurement Board within the Department of Finance, Services and Innovation.

This audit assessed:

  • agency compliance with relevant procurement requirements for their use of consultants
  • agency compliance with disclosure requirements about consultancy expenditure in their annual reports 
  • the effectiveness of the NSW Procurement Board (the Board) in fulfilling its functions to oversee and support agency procurement of consultancy services. 
Conclusion
No participating agency materially complied with procurement requirements when engaging consultancy services. Eight participating agencies under reported consultant fees in their annual reports. The NSW Procurement Board is not fully effective in overseeing and supporting agencies' procurement of consultancy services.
All 12 agencies that we examined did not materially comply with the NSW Procurement Board Direction for the use of consultants between 1 July 2016 and 31 March 2018. 
Eight agencies did not comply with annual reporting requirements in the 2016–17 financial reporting year. Three agencies did not report expenditure on consultants that had been capitalised as part of asset costs, and one agency did not disclose consultancy fees incurred by its subsidiaries. Agencies also defined ‘consultants’ inconsistently.
The NSW Procurement Board's Direction was revised in January 2018, and mandates the use of the Standard Commercial Framework. The Direction aims to drive value for money, reduce administrative costs and simplify the procurement process. In practice, agencies found the Framework challenging to use. To better achieve the Direction’s intent, the Board needs to simplify procurement and compliance processes. 
The Board is yet to publish any statistics or analysis of agencies’ procurement of business advisory services due to issues with the quality of data and systems limitations. Also, the Board’s oversight of agency and supplier compliance with the Framework is limited as it relies on self reporting, and the information provided is insufficient to properly monitor compliance. NSW Procurement is yet to develop an effective procurement and business intelligence system for use by government agencies. Better procurement support, benefit realisation monitoring and reporting by NSW Procurement will help promote value for money in the engagement of consultants.

Published

Actions for 2016 - An overview

2016 - An overview

Education
Community Services
Finance
Health
Industry
Justice
Local Government
Planning
Premier and Cabinet
Transport
Treasury
Universities
Whole of Government
Environment
Asset valuation
Compliance
Cyber security
Financial reporting
Fraud
Information technology
Infrastructure
Internal controls and governance
Management and administration
Procurement
Project management
Regulation
Risk
Service delivery
Shared services and collaboration
Workforce and capability

This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.

The quality and timeliness of financial reporting continued to improve across the NSW public sector in 2016. Only one qualified audit opinion was issued and most agencies signed their financial statements on time.

We found the Government’s cluster governance arrangements were unclear and inconsistently implemented across the sector in 2016. Clearer arrangements would improve cooperation and coordination amongst cluster agencies and help deliver government priorities that cut across agencies.

This report focuses on key observations and common issues identified from our financial, performance and compliance audits in 2016, and identifies examples of good practice. It also looks forward to where we will focus our efforts in 2017.

We have summarised our observations and findings for 2016 in four chapters:

  • Financial Performance and Reporting
  • Financial Controls
  • Governance
  • Service Delivery.

Key observations and common issues identified across several agencies will often apply more broadly across the NSW public sector. For this reason, we hope this report is a useful tool for agency management and Audit and Risk Committees to assess our observations and common issues and consider the impact on their agencies. The report provides links to other reports and refers to other useful reference material.

Our financial audits provide independent opinions on NSW agencies’ financial statements. They consider whether agencies have complied with accounting standards, relevant laws, regulations and government directions. They also identify and report internal control weaknesses and matters of governance interest, and make recommendations to address deficiencies.

Our performance and compliance audits build on the financial audits by reviewing and concluding on whether taxpayers’ money is being spent efficiently, effectively, economically and in accordance with the law.

Financial Reporting
Financial Reporting The quality and timeliness of financial reporting
continued to improve across the NSW public sector.
NSW Treasury’s early close procedures helped
facilitate this.
Financial Controls
Internal Controls More needs to be done to implement audit
recommendations on a timely basis.
Information Technology Agencies continue to face challenges in managing information security.
Internal controls at shared service providers Clients of ServiceFirst and GovConnect were unable to rely on the service providers’ internal controls increasing the risks of fraud, error and inappropriate access to data.
Governance
Cluster governance Cluster governance arrangements that support cluster accountability, performance monitoring, risk and compliance management are unclear.
Management oversight We identified deficiencies in the oversight and management of Crown Land, specifically sale and lease transactions.
Project governance Project cost and time overruns continue to occur.
Service Delivery
Premiers and State Priorities

According to agency data, which we have not audited, some Premier's and State Priorities are at risk of not being achieved.

A comprehensive report of performance against the State Priorities is not published.

Delivering Government Services The NSW Government's program evaluation initiative has been largely ineffective. We found government decision makers are not always receiving enough information to make evidence based decisions.
Reporting on Performance We found agencies’ performance was not routinely measured, evaluated or publicly reported.

Financial performance and reporting

The quality and timeliness of financial reporting continues to improve

Only one qualified opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. The audit opinion for the Office of the NSW State Emergency Service was qualified because effective controls over fundraising activities did not operate for the entire year.

Since NSW Treasury introduced its ‘early close procedures’ initiative in 2011–12, the number of reported misstatements and significant matters have fallen considerably across the NSW public sector. The number of misstatements has fallen from 1,077 in 2011–12 to 298 in  2015–16.

Most agencies submitted and signed their financial statements on time, which enabled more audits to be completed within three months of year end. In 2015–16, 204 of 286 agencies’ financial statements and audit opinions were signed within three months of the year end, compared to only 67 in 2010–11.  

NSW Treasury has narrowed the scope of mandatory early close procedures 

NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures, which may diminish the good performance achieved in recent years.   

To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years. These include:

  • resolving all past audit issues
  • performing key account reconciliations
  • agreeing and confirming inter and intra (cluster) agency balances and transactions
  • identifying material, complex and one-off transactions
  • preparing quality workpapers to support balances with variance analysis and meaningful explanations for movements
  • adequate review by management and Audit and Risk Committees.

Financial controls

More needs to be done to implement audit recommendations

More needs to be done to implement audit recommendations on a timely basis. Internal control issues were identified in previous audits, but had not been adequately addressed. Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner.

Agencies continue to face challenges managing information security

Our financial audits identified opportunities to improve IT control environments, with most information technology issues relating to information security. We also found service level arrangements with IT service providers did not always adequately address information security risks.

Agencies should ensure information security controls and contractual arrangements with IT service providers adequately protect their data.

Internal controls at GovConnect were ineffective in 2015–16

GovConnect provides information technology and transactional services to agencies within the NSW Public Sector. Service levels fell during the transition of shared services from ServiceFirst to GovConnect and NSW public sector agencies using these services were unable to rely on controls over financial transactions and information. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect did not ensure effective control over client transactions and data. This increased the risk of fraud and error, and inappropriate access to information.

Governance

Cluster governance arrangements are unclear

Currently, cluster governance arrangements are unclear and inconsistently implemented across the NSW public sector. Implementing cluster governance frameworks is complex because clusters bring together entities with different enabling legislation, organisational and legal structures, information systems and processes, risk profiles and governance frameworks.  

Clear cluster governance arrangements would improve cooperation and coordination amongst cluster agencies, help deliver government priorities that cut across agencies and improve service delivery outcomes.  

We recommended the Department of Premier and Cabinet release a revised NSW Public Sector Governance Framework that clearly articulates cluster governance arrangements, the role of the cluster Secretary, Chief Finance Officer, Chief Information Officer and Chief Risk Officer. The Department of Premier and Cabinet has indicated the framework will be updated to provide guidance on cluster governance, and how accountability and performance information are monitored and reported.  

The sale and lease of Crown land is not being managed effectively

Our 2016 performance audit found limited oversight of sales and leases of Crown land by the Department of Industry - Lands. The Department has only just started monitoring whether tenants are complying with lease conditions, and does not have a clear view of what is happening on most leased Crown land.  

Most guidance to staff had not been updated for a decade, contributing to staff sometimes incorrectly implementing policies on rental rebates, unpaid rent, rent redeterminations and the direct negotiation of sales and leases on Crown land. Between 2012 and 2015, 97 per cent of leases and 50 per cent of sales were negotiated directly between the Department and individuals, without a public expression of interest process.  

Project cost and time overruns continue to occur

Our audits continue to highlight project management, cost and time issues. The Government’s 2016–17 Infrastructure Statement forecasts a $73.3 billion investment program to 2019–20. Good governance of individual projects is critical to ensure the investment program delivers the intended outcomes to the desired quality, on time and on budget.   

A strong risk culture is fundamental to successful risk management

Our assessment of a sample of 33 agencies found that while agencies have risk management governance structures in place, they need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents.

Agencies are not fully complying with the GIPA Act

Our review of 13 agencies from across each cluster found varying degrees of non-compliance with recording and disclosure aspects of the GIPA Act by each agency. Our 2016 Special Report 'Compliance with the GIPA Act' details our findings and makes recommendations to help agencies comply with the requirements of the Act.

Service delivery

Some Premier's and State Priorities at risk of not being achieved

Agency data, which we have not audited, indicates some Premier's and State Priorities are at risk of not being achieved. We found that although performance reporting against the Premier’s Priorities is publicly reported, comprehensive performance reporting against the 18 State Priorities is not.  

We will continue to report on performance against the targets to assess whether agency initiatives are delivering intended outcomes.

Government does not always get enough information for evidence-based decisions 

The NSW Government’s program evaluation initiative has been largely ineffective. A performance audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters and made recommendations for improvements to program evaluation.

Performance is not always measured, evaluated or publicly reported

Inadequate performance measures and reporting that is primarily internal reduces the transparency of agency performance and makes it hard for the public to assess if the agencies are doing a good job. Our audits found instances where performance outcomes were not being measured, evaluated or publicly reported.  

Agencies need to consider whether their performance measurement frameworks adequately measure performance and outcomes so they can make evidence-based decisions and be publicly accountable.

Commissioning and contestability continues to increase

New ways of delivering services across NSW Government are being developed and implemented, including commissioning and contestability arrangements. Commissioning services and introducing new systems can be challenging and it is important for this to be managed well. The learnings from decommissioning ServiceFirst and commissioning GovConnect should be applied to future commissioning arrangements.

NSW Treasury has developed a 'Government Commissioning and Contestability Policy', which is supported by the 'NSW Government Commissioning and Contestability Practice Guide'.

In 2017, we will build on our 2016 financial audits and continue to report our observations and findings as they relate to financial performance and reporting, financial controls, governance and service delivery. We also plan to review agencies' compliance with government travel policies at key agencies in each cluster.

In 2017, we will restructure our financial audit volumes to report our observations and findings on agencies’ financial controls and governance in one cross-sector report to Parliament in September. This will provide the Parliament with more timely reporting on these aspects of our audits. Our observations and findings on agencies’ financial performance and reporting, and service delivery will continue to be reported on a cluster by cluster basis through November and early December.

Our 2017 performance audits will have regard to what we see as key risks and opportunities for the NSW Government, and the Premier's and State Priorities. The program will aim to cover each NSW Government cluster, and focus on how efficiently, effectively and economically they deliver services and other outcomes.

Legislative reforms in the Local Government Amendment (Governance and Planning) Act 2016 have extended the Auditor-General's mandate to the Local Government sector. The expanded mandate includes auditing all NSW local council financial statements and conducting performance audits across the local government sector. The reforms generally bring NSW in line with most other Australian States.

We will report financial audit outcomes and our observations after the 30 June 2017 council audits are completed. Most are expected to complete by the end of October 2017. Our 2017 performance audits will examine and report on whether councils are operating efficiently, effectively, economically and in accordance with the law. In 2017–18, our performance audits will consider how councils are reporting on service delivery, managing shared services and the risk of fraud.

2017 – Issues, risks and opportunities impacting the NSW Government

Our 2017 audits will consider some of the following issues, risks and opportunities impacting the NSW Government.

In mid-2017, we will publish our rolling three-year performance audit program. This will include the performance audits we expect to perform in 2017–18 and the next two financial years. The program can be located at http://www.audit.nsw.gov.au/audit-program

Area of focus  Considerations Audit Office response
Ensuring services meet citizen needs The primary role of state and local government is to provide services to citizens. Today's society is less satisfied with one-size-fits-all services and its citizens want to have a say on the services they need and how they are delivered. This challenges governments to improve engagement with citizens, design services with them and support them in selecting the services that best meet their needs. At the same time, governments have to provide the services within constrained financial environments, and cater for ageing populations and strong population growth, particularly in metropolitan areas.

We will:

  • focus our work on services that are important to citizens
  • keep abreast of best practice and strategies used elsewhere to create more citizen centric services
  • develop our understanding of the key trends putting pressure on government service delivery
  • seek opportunities to engage with citizens in undertaking our work.
Leveraging digital opportunities We live in a digital world, and government is no exception. Digital technologies and the mass of data now available to governments presents opportunities to deliver better services more efficiently and economically. Services can be delivered through digital channels, and data analytics can inform demand, the supply of services and identify potential efficiencies. These opportunities come with risks, including cyber-attacks and privacy breaches.

We will:

  • examine how well state agencies and councils are taking advantage of digital opportunities and managing risks
  • use data analytics to enhance the quality of our audit work
  • use technology to improve how we communicate our key messages.
Having good checks and balances Citizens put faith in government agencies to make decisions in their best interests. It is imperative for government agencies to be clear about what they are trying to achieve and inform citizens on how they are meeting these objectives. While ethics, transparency, and effective governance and stewardship are critical, it is important for the checks and balances not to be so directive or cumbersome they hamper innovation, efficiency and agility.

We will consider the usual issues in our financial audits of agencies and councils. New areas and areas of focus will include:

  • asset management processes,including quality and timeliness of asset valuations and the management of surplus land and property assets
  • oversight and administration of significant grant programs
  • standby assets, the cost to maintain them and their readiness for use
  • benefits realisation for major projects and programs
  • the financial and administrative impact of machinery of government changes
  • engaging with state agencies and councils through workshops and seminars to promote good practices
  • examining governance and internal controls
  • publishing better practice guidance and promoting our Governance Lighthouse.
Getting value from commissioning

Governments, including the NSW Government, are increasingly outsourcing to or partnering with private and non-government organisations to deliver government services. Because outsourced service providers are not directly accountable to the NSW Parliament for their use of public resources, independent assurance that they are using tax payers’ funds efficiently and effectively would improve accountability. In other jurisdictions Auditors-General have been given powers to ‘go beyond’ the boundaries of agencies commissioning services and into the entities providing the services (‘follow the dollar’ powers). This is not the case in New South Wales.

Commissioning brings with it new challenges needing different skills, such as developing and nurturing markets, and transitioning services into and out of government. The NSW Government's recently released Commissioning and Contestability Policy supports agencies entering into commissioning arrangements.

We will:

  • audit agency and council commissioning arrangements and assess whether they are delivering the intended outcomes
  • assess the capability of agencies entering into commissioning arrangements to manage them effectively.
  • report the impact of not being able to provide assurance on the use of taxpayers’ dollars by non-government organisations
  • identify and communicate lessons identified in our audits
  • apply commissioning to our own activities.
Breaking down the silos Government agencies working in silos can diminish service quality through inefficient duplication and overlap. Silos also increase the risk of people falling through the cracks. To achieve best value, silos can be broken down through a clear focus on outcomes and better collaboration, coordination, partnerships, shared services and joined-up government. This has been recognised for many years, but now with both the commitment and tools, inroads can be made to improve citizens' experiences. Governance arrangements, incentives and culture are critical to success.

We will:

  • focus our efforts on areas where there are opportunities to break down silos
  • identify barriers and enablers to joined-up-government, partnerships and collaboration
  • promote good practice and publicise the benefits, both potential and realised
  • work collaboratively and constructively with those we audit
  • partner with and learn from private sector organisations we engage to provide audit services on our behalf.
Looking after future generations and the vulnerable Governments need to plan for the long-term and consider future generations. They have an important stewardship role. Their decisions need to ensure inter-generational equity and prevent environmental degradation.
A core role of government is to look after the vulnerable. Governments intervene in various ways to provide a social safety net. When they do so, it is critical that these interventions are equitable and deliver desired outcomes at a reasonable cost. Increasingly, it is about giving vulnerable people a bigger say in the services they receive.

We will:

  • review the efficacy of projections upon which services are planned
  • adopt a future focus in our work to identify emerging risks and encourage action before they materialise
  • examine the effectiveness and efficiency of interventions designed to address disadvantage and improve equity
  • identify emerging trends and good practice in designing and delivering services to the vulnerable.
A capable and diverse public sector The public sector's lifeblood is its workforce. The effectiveness and efficiency of organisations comes directly from the good ideas, effort, commitment and ethics of the people they employ. Workforce management and succession planning, constructive and respected leaders, and diverse backgrounds and thoughts can enhance agency and council performance and customers' experiences. These attributes require good frameworks to develop key capabilities, manage staff performance and clarify responsibilities and accountabilities.

We will:

  • monitor progress in delivering the NSW Government’s priority to have a diverse workforce
  • examine strategies and programs designed to enhance key capabilities in councils and agencies
  • identify areas where capability and diversity are lagging or are at risk,and offer practical improvement opportunities
  • promote diversity in our own organisation through our diversity and inclusion plan, which includes strategies to increase female representation at all levels and participation in an Aboriginal internship program.
Investing in infrastructure to meet the needs of a growing population

The Government’s 2016–17 Infrastructure Statement forecasts a $73.3 billion investment program to 2019–20. Infrastructure investments of this magnitude carry significant risks. In light of weaknesses we identified in the past with the management of significant infrastructure projects, the Government needs to ensure it has the capability to manage project risks effectively.

Governments also need to make sure infrastructure built today will meet future needs without creating an ongoing burden for future generations.

We will:

  • review infrastructure planning and approval processes
  • examine alternative financing and partnership models, including philanthropic and private sector involvement through vehicles such as social benefit bonds
  • assess risk frameworks and project governance arrangements
  • monitor maintenance spending and asset management practices
  • identify and promote good practice and innovation.
Improving performance through transparency and accountability

NSW Treasury is implementing its Financial Management Transformation (FMT) program to replace ‘service group’ budgeting and reporting with program based budgeting and reporting. A project of this scale and complexity has many risks, which need to be carefully managed if the desired benefits are to be realised.

The NSW Government's move to program budgeting and performance measurement will require appropriate key performance measures and indicators to track whether the programs are delivering the intended outcomes.

Independent assurance over the appropriateness and accuracy of agency key performance measures and indicators would improve confidence in the reliability of the NSW Government performance data.

We will:

  • review and assess the implementation and report on the impact of NSW Treasury's Financial Management Transformation program
  • encourage transparency in reporting,and be transparent in our own practices, performance and reporting.
Preparing for changes to Australian Accounting Standards

For the first time, not-for-profit entities in the NSW public sector need to make disclosures about related parties in their 2017 financial statements. Identifying who the related parties are, and collecting and collating relevant information will be challenging.

Other imminent changes to accounting standards have significant financial reporting implications for Government entities. Entities will need to plan and implement changes to systems and processes well in advance of the new requirements becoming effective.

We will:

  • review and assess policies, systems and processes entities use to identify related parties and transactions, and the completeness and accuracy of the disclosures in the financial statements of agencies and councils
  • work with NSW Treasury, the Office of Local Government, agencies and councils to determine the implications of the accounting standard changes and assess entities’ preparedness to implement them
  • work with the Office of Local Government to streamline the Code of Accounting Practice.
Working together with local councils Legislative reforms have resulted in significant changes to the Local Government sector. These include merging certain councils and extending the Auditor-General's mandate to audit all NSW local council financial statements and conduct performance audits across the Local Government sector.

We will:

  • use our mandate to encourage consistency and promote learnings that enhance financial management,fiscal responsibility and public accountability across the local government sector
  • use findings from our financial audits to inform our performance audit program
  • work alongside councils and their audit committees as they implement changes to governance structures and business planning processes
  • build our internal capacity, capability and knowledge of the Local Government sector to deliver a valuable and cost-effective service.

Financial performance and reporting are important elements of good governance. Confidence in public sector decision making and transparency is enhanced when financial and performance reporting are accurate and timely.  

The preparation of accurate and timely financial statements by agencies is an important tool to ensure accountability and transparency in the use of public resources. As the NSW Government moves to program budgeting with a greater focus on performance and outcomes it will need to ensure the key performance indicators and data used to measure the outcomes are relevant, accurate and reliable. The NSW Government’s Financial Management Transformation (FMT) program aims to address this.

In 2015–16, our audit teams made the following key observations on the financial reporting of NSW public sector agencies.

 

Financial reporting
Observation Conclusion
Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. The quality of financial reporting continued to improve across the NSW public sector.
More 2015–16 financial statements and audit opinions were signed within three months of the year end. Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances.

NSW Treasury’s early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues.

For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures.

The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years.

To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years.

Although most agencies complied with NSW Treasury’s early close asset revaluation procedures we identified areas where they can improve. Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements.

Financial reporting

The quality and timeliness of financial reporting continues to improve across the NSW public sector.

Quality of financial reporting

Only one qualified audit opinion was issued on 2015–16 financial statements

Only one qualified opinion was issued on the 2015–16 financial statements of NSW public sector agencies, down from two in 2014–15. The audit opinion for the Office of the NSW State Emergency Service was qualified because effective controls over fundraising activities did not operate for the entire year. For further details, refer to page 16 in our Report on Law and Order, Emergency Services and the Arts.

Unqualified audit opinion issued for TAFE NSW after remediation

TAFE NSW’s audit opinion on its financial statements was qualified in 2014–15 due to system limitations, which prevented it from providing sufficient evidence to support its student revenue, student receivables, accrued income and unearned revenue balances. TAFE NSW dedicated considerable resources to address this issue in the short term.

Management resolved over 250,000 data exceptions and found revenue had been understated by $138 million in 2014–15. This was recorded as a prior-period error in the 2015–16 financial statements. For further details, refer to pages 17–18 in our Report on Industry, Skills, Electricity and Water.

The quality of financial reporting continues to improve

Since NSW Treasury introduced its mandatory ‘early close procedures’ initiative in 2011–12, the number of reported misstatements and significant matters in agency financial statements submitted for audit have fallen considerably across the NSW public sector. This is largely attributed to the early resolution of accounting issues, which helps agencies meet earlier reporting deadlines and improve the quality and accuracy of financial reporting. Whilst the quality and timeliness of financial reporting has continued to improve, the NSW Government will need to continue focusing on strong financial management across the NSW public sector to maximise performance and effectively manage assets and liabilities.

The table below shows the fall in misstatements over five years across NSW public sector agencies since mandatory early close procedures were introduced in 2011–12.

Number of misstatements
Year ended 30 June 2015-16 2014-15 2013-14 2012-13 2011-12
Total reported misstatements 298 396 459 661 1,077

All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.  

Significant matters reported to the portfolio Minister, Treasurer and Agency Head

In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:

  • Transport for NSW needs to assess whether a $179 million fall in the carrying value of the bus fleet leased from the State Transit Authority has similar implications for the value of the bus fleet leased from private operators
  •  issues were identified with how the Northern NSW Local Health District implemented its new rostering system, including rosters being 'force approved' by the system administrator, users having inappropriate access, no review of payroll exceptions and inadequate project governance over the system’s rollout
  • the Aboriginal and Torres Strait Islander Health Practice Council of New South Wales’ financial statements were not prepared on a ‘going concern’ basis because it had insufficient funding to continue operating
  • the Department of Industry, Skills and Regional Development needs to improve the recording and accounting for Crown Land (repeat issue)
  • the financial reporting requirements for Local Land Services local boards, established under the Local Land Service Act 2013, need to be clarified (repeat issue)
  • significant limitations exist in TAFE NSW’s student administration system (repeat issue)
  • Hunter Water Corporation contracted to sell Kooragang Island Advanced Water Treatment Plant, which is conditional on the purchaser obtaining a water licence for use of the plant, for $35.5 million. This resulted in a $20.5 million decrease in the revaluation reserve
  • Hunter Water Corporation received $28.1 million from the sale of land impacted by the NSW Government’s decision not to construct Tillegra Dam. This was $62.4 million less than the carrying value of the land
  • Sydney Water Corporation needs to ensure it has robust governance over the development and implementation of a new customer billing system and an integrated enterprise resource planning system, budgeted to cost $184 million and $54.5 million respectively.

Timeliness of financial reporting

More financial statements and audit opinions signed within three months of year end

Most agencies submitted and signed their financial statements on time, which enabled more audits to be completed within three months of year end.

In 2015–16, 204 of 286 agencies’ financial statements and audit opinions were signed within three months of the year end. This compares to only 67 in 2010–11, the year before NSW Treasury introduced mandatory early close procedures.

Early close procedures improved the timeliness of financial reporting

Agencies were broadly successful in performing early close procedures in 2015–16. However, we did identify opportunities for improvement across the NSW public sector.  

The timeliness of financial reporting can be improved further if agencies:

  • resolve all significant accounting issues during the early close process, or document a clear path towards timely resolution
  • establish internal timetables and work with their service providers to ensure supporting work papers are prepared on time
  • assess and document the impact of new and revised accounting standards effective in the current or future years
  • prepare reconciliations, which are properly supported and reviewed
  • analyse and clear suspense accounts on a timely basis
  • complete asset valuations on time (also refer below).

Agencies will not always be able to fully resolve significant and complex accounting issues as part of the early close process. If this is the case, it is important they document a clear path towards timely resolution and ensure relevant stakeholders, including NSW Treasury, are kept informed. The documentation should set out the issue, status, key aspects needing resolution, and who is responsible for the expected deliverables.

Changes in accounting standards can materially impact agencies’ financial statements. Agencies will need to ensure they review the impact of, and have appropriate systems and processes in place to address these changes. Because of the lead time required, agencies need to start preparing for imminent changes now. The more significant changes that will come into effect over the next two years include:

  • service concession arrangements - where private sector entities design, build, finance and/or operate infrastructure to provide public services, such as toll roads, utilities, prisons and hospitals
  • the classification, measurement, recognition and de-recognition of financial instruments
  • leasing arrangements - lessees will no longer classify leases as operating or finance leases; leases will be ‘capitalised’ with financial liabilities being recognised for future lease payments.

NSW Treasury has narrowed the scope of mandatory early close procedures

NSW Treasury Circular 16-13 'Agency guidelines for the 2016–17 Mandatory Early Close' has narrowed the scope of mandatory early close procedures to non-financial asset valuations and proforma financial statements. Early close procedures that are no longer mandatory, but considered to be good practice by NSW Treasury, include:

  • resolving all past audit issues
  • performing key account reconciliations
  • agreeing and confirming inter and intra (cluster) agency balances and transactions
  • identifying material, complex and one-off transactions
  • preparing quality workpapers to support balances with variance analysis and meaningful explanations for movements
  • adequate review by management and Audit and Risk Committees.

If agencies do not perform the good practice procedures, the early close process may not be as effective in ensuring the quality and timeliness of financial reporting. We will monitor and report on the impact of this change on the timeliness and quality of the 2016–17 financial statements.

NSW Treasury piloted a hard-close initiative

NSW Treasury conducted a ‘hard-close pilot’ with nine agencies in 2015–16 to assess the benefits, and whether they should be applied more widely across the NSW public sector. While NSW Treasury has evaluated the results of the pilot, it has not mandated agencies complete hard close procedures in 2016–17. NSW Treasury Circular 16–13 gives agencies the option to complete hard close procedures.  

Hard close procedures involve applying year-end procedures to the fullest extent practicable at a preliminary month end date to further improve the quality and timeliness of financial reporting.

Processes for asset valuations can be improved

Although most agencies complied with NSW Treasury’s early close asset revaluation procedures, we identified areas where they can be improved.  

Asset valuations can be complex. They can involve the valuation of a large, geographically dispersed asset base, require significant judgement to estimate fair value and require substantial resources to complete.

Asset revaluations are successful when:

  • revaluation projects commence early enough to obtain the results and to reflect this in the early close pro forma financial statements, fixed asset register and general ledger
  • all assets are identified, recorded and reconciled before being provided to the valuer and the valuation methodology is agreed and documented
  • quality work papers are prepared setting out management’s proposed accounting treatments, judgements and assumptions
  • management engages with the valuers and interrogates the valuation results with scepticism
  • valuation issues are resolved before preparing the year-end financial statements.

NSW Treasury Policy Paper TPP14-01 also provides guidance to agencies to help manage the revaluation process.

Performance reporting

In 2017 and 2018, NSW Treasury is implementing its Financial Management Transformation (FMT) program. The program will replace the current ‘service group’ budgeting and reporting structure with program based budgeting and reporting. The program expects to have the legislation, policy framework and financial reporting system rolled out for the 2017–18 financial year.  

The program will implement a modern IT system, PRIME, as NSW Treasury's key tool to support whole-of-government budgeting and reporting. PRIME is expected to give the NSW Government strategic, relevant and timely information to plan and deliver its policy priorities and the Budget. It is expected to capture and monitor financial and non-financial performance data, and provide business intelligence and analytics. The roll-out of PRIME commenced in November 2016 and the 2017–18 Budget will be delivered using PRIME.

A project of this scale and complexity has many risks, which need to be carefully managed if the desired benefits are to be realised. To manage the risks, NSW Treasury is running PRIME in parallel with the existing IT systems for an extended period that covers preparation of the 2017–18 budget.

Independent assurance over the appropriateness and accuracy of agency key performance measures and indicators would improve confidence in the reliability of the NSW Government performance data.

Monitoring and guiding program performance will mean:

  • developing and implementing high level frameworks, policies and guidance
  • establishing measures and setting targets for performance
  • ensuring the availability of and access to high quality data and other information
  • obtaining independent assurance over the quality of the data.

The FMT program aims to achieve:

  • better performance and outcomes management
  • improved management of the State’s balance sheet, revenues and expenditures
  • stronger interagency collaboration
  • clearer accountabilities
  • better reporting of performance and outcomes.

This should give the NSW Government greater visibility on whether programs are delivering value for money, with emphasis not just on whether they are meeting compliance requirements, but whether they are also meeting performance expectations. This will require agencies to have the expertise they need to analyse how programs are performing and meeting expected outcomes.

 Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.  

In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.

Financial controls
Observation Conclusion
More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016.

Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making.

Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner.

Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access. Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected.

We found shared service provider agreements did not always adequately address information security requirements.

Where agencies use shared service providers they should consider whether the service level arrangements adequately address information security.

Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports. The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand we plan to look at cyber security as part of our 2017–18 performance audit program.
We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist. Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes.
Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector.
Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice. To address backlog maintenance it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level.

Internal controls

Agency internal controls

We report deficiencies in internal controls, matters of governance interest and unresolved issues identified during our audits to management and those charged with governance of the agencies. We do this through management letters, which include our observations, related implications, recommendations and risk ratings.

We identified and reported 837 issues during our 30 June 2016 audits. Common internal control weaknesses identified during these audits included: 

  • non-compliance with processes and legislation
  • incomplete and inaccurate central registers, such as those for managing conflicts of interest, legislative compliance and contract management
  • weaknesses in information technology controls (see further details below)
  • financial performance and reporting issues, such as inadequate review of manual journals and poor quality and review of general ledger account reconciliations
  • deficiencies in purchasing and payables processes, such as poor review of vendor master file changes, limited use of purchase orders and inadequate payment approval processes.

Fewer internal control weaknesses were assessed as being high risk than in previous years. High risk internal control deficiencies should be addressed by the relevant agencies as a matter of urgency.

More needs to be done to implement audit recommendations

More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016. The highest proportion of these issues were in the following clusters:

  • Family and Community Services cluster - 11 of 31 issues were repeat issues.
  • Planning and Environment cluster - 26 of 88 issues were repeat issues
  • Finance, Services and Innovation cluster - 31 of 111 issues were repeat issues
  • Justice cluster - 33 of 124 issues were repeat issues
  • Transport cluster - 18 of 68 issues were repeat issues
  • Health cluster - 33 of 126 issues were repeat issues.

Two of the 212 issues were classified as high risk and related to:

  • an agency’s lack of effective controls over fundraising activities
  • recognition of a loan and the agency’s capacity to repay the loan

Of the remainder, 126 were classified as moderate risk and 84 as low risk. Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. They expose agencies to reputational risks and financial loss.

Some issues can take longer to address due to resource constraints and/or the complexity of the issue. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner. Audit and Risk Committees play an important role in monitoring and advising agency heads on how agencies are implementing measures to address audit findings and recommendations.

Internal controls at shared service providers

Cluster corporate and shared service models are common across NSW Government

Corporate and shared service models are common across NSW Government, with most clusters having moved to or planning to move to some form of shared service arrangement. Shared service arrangements are designed to achieve efficiencies and reduce costs by centralising service delivery in areas such as human resources, governance and risk, procurement, finance and information technology. Corporate and shared service models can:

  • consolidate information systems and standardise processes through common policies and procedures. This should provide greater transparency to the cluster lead agency of agencies' and cluster-wide performance
  • deliver better information management and decision support services
  • increase efficiencies and reduce costs.

Agencies need to carefully manage the risks associated with these arrangements, such as:

  • failing to deliver integrated systems and processes across the cluster
  • limiting flexibility, which may hinder agencies from implementing fit for purpose frameworks, such as those for governance and risk
  • sub-optimal performance by service providers and/or ineffective controls at the service provider
  • poor governance, strategic leadership and direction over shared service arrangements.

The NSW Commission of Audit, in its May 2012 report on ‘Government Expenditure’, recommended improvements in the delivery of corporate and shared services across the NSW Government sector.

Service level arrangements are not always in place or are signed too late

We found instances where service level agreements with shared service providers were outdated, signed too late or did not exist. For example:

  • service agreements, which include performance requirements for safety and quality, service access and patient flow, finance and activity, population health and people between the Secretary of NSW Health and local health districts/specialty networks, need to be signed earlier to clarify roles, responsibilities, performance measures, budgets and service volumes and levels
  •  the NSW Department of Industry, Skills and Regional Development and the Department of Justice did not always have service agreements in place with agencies to which they provide financial and corporate services.

Corporate and shared service agreements are more effective when:

  • Service level agreements are negotiated and signed on time
  • the services provided and the rights and responsibilities of each party are clear
  • meaningful KPIs are agreed and there is a process to monitor performance against the KPIs
  • security over data and information is maintained and rights of access to information are established
  • fee arrangements are agreed
  • dispute resolution processes are in place

Agencies need to seek internal control certifications from service providers

NSW Treasury Policy TPP 14–05 'Certifying the Effectiveness of Internal Controls Over Financial Information' requires agencies to obtain certification on the effectiveness of internal controls from outsourced service providers. We found:

  • agencies using the services of GovConnect were unable to rely on controls over financial transactions and information (further details below), which negated the certification process over controls at the service provider. This required the impacted agencies to implement controls to mitigate the control deficiencies at the service provider
  • the Department of Justice did not always provide written certifications on the design and effectiveness of internal controls to client agencies
  • some private sector service providers do not provide independent certifications on the effectiveness of their controls to agencies.

The NSW Treasury Policy notes that, in some instances, client agencies may consider it appropriate to seek additional assurance in the form of an independent opinion on the design and operating effectiveness of controls in the service organisation. Agencies should consider the nature and extent of the services provided by their service provider when determining whether independent assurance is required.

Internal controls at GovConnect were ineffective in 2015–16

GovConnect provides information technology and transactional services to agencies within the NSW Public Sector. Service levels fell during the transition of shared services from ServiceFirst to GovConnect and NSW public sector agencies using these services were unable to rely on controls over financial transactions and information.  

We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. This increased the risk of fraud and error, and inappropriate access to information.  

The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies identified in GovConnect’s Independent Auditor’s Assurance reports. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector. Refer to pages 19-20 in our Report on Finance, Services and Innovation for further details.

Information technology

Digital Information Security

Agencies continue to face challenges managing information security

We audited the information systems of 72 agencies in 2016. The audits focused on the information technology (IT) processes and controls supporting the integrity, availability and security of financial data used to prepare the financial statements.

The audits identified opportunities to improve IT control environments, with a large proportion of our findings relating to information security. We recommended agencies review and strengthen information security controls. The key control weaknesses we found related to user administration, password parameters and privileged access.

Over the last three years the number of information systems issues we identified has improved, as shown below: 

  • 2015–16: 72 audits - 121 issues reported
  • 2014–15: 73 audits - 169 issues reported
  • 2013–14: 77 audits - 198 issues reported.

Of the 121 issues reported in 2015–16, two were classified as high risk, 80 as moderate risk and 39 as low risk. The two high risk issues related to:

  • poor password configuration management
  • inappropriate user access accounts and inadequate review of users’ access to the agency’s network, finance applications, database and servers.

Twenty-three per cent of the issues reported in 2014–15 were repeated in 2015–16. The percentage of repeat issues has fallen compared to 2013–14. 

Governance refers to the high-level frameworks, processes and behaviours established to ensure an entity meets its intended purpose, conforms with legislative and other requirements, and meets the expectations of probity, accountability and transparency.  

Governance models need to be adapted for the specific goals and outcomes required for different situations; one size does not fit all. High standards of public sector governance and accountability enable effective and efficient use of public resources. They also help to ensure agencies act impartially and lawfully, deliver program/project benefits within expected costs and timeframes and provide useful information about their activities and achievements.

In 2015–16, our audit teams made the following key observations on governance in NSW public sector agencies

Governance
Observation Conclusion
Cluster governance arrangements that support cluster accountability, performance monitoring, risk and compliance management are unclear.

Currently, cluster governance arrangements are unclear and inconsistently implemented across the NSW public sector. Implementing cluster governance frameworks is complex.

The Department of Premier and Cabinet (DPC) has indicated the NSW Public Sector Governance Framework will be updated to give guidance on cluster governance and how accountability and performance are monitored and reported.

The ‘whole-of-government’ does not have a dedicated audit and risk committee. NSW Government agencies would benefit from a dedicated independent audit and risk committee for the ‘whole-of-government’ that focuses on common issues and risks across the NSW public sector, and recommends and oversights coordinated responses to sector wide issues.

We identified many deficiencies in the oversight and management of Crown Land, including the sale and lease of such land.

We recommended the Department of Industry-Lands improve its processes for the sale and lease of Crown Land.

Our assessment of a sample of 33 agencies found that agencies have risk management governance structures in place, but need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents. Agencies need to focus on developing strong risk cultures and fit-for-purpose systems to capture risks and incidents.
We found project cost and time overruns continue to occur. In 2016–17, we will assess risk management maturity and processes focusing on effective risk management in project governance.
Our 2015–16 fraud survey indicates fraud controls are improving, but highlighted areas where agencies can do more. Agencies can review their fraud control measures against our Fraud Control Improvement Kit.
Our review of 13 agencies’ compliance with reporting and disclosure aspects of the GIPA Act found varying degrees of non-compliance at each. Our 2016 Special Report 'Compliance with the GIPA Act' makes recommendations to help agencies comply with the requirements of the Act.

Governance and Accountability

With the NSW public sector changing and becoming more complex, good governance becomes more important so the public's confidence in government and its agencies is maintained. Governance across the NSW public sector is complex and needs to accommodate risks arising from:

  • the Government’s cluster arrangements having no legal basis
  • many agencies not having conventional board structures
  • agencies only being able to do what their enabling legislation allows
  • agencies having for profit or not-for-profit objectives, and/or only being established to achieve a particular purpose
  • capability limitations that may exist in governing bodies
  • stakeholders having high expectations around accountability, transparency and conflicts of interest in public sector agencies.

Adding to this complexity is the continually changing nature of the public sector and the way it delivers services. Often, governance arrangements are impacted by:

  • changes in service delivery models, such as commissioning and contestability arrangements
  • machinery of government changes, leading to agencies being formed, amalgamated or abolished
  • complex financing and other contractual arrangements, such as public private partnerships impacting the structure and risks agencies face.

Those charged with governance are accountable for the decisions they make and need relevant, accurate and up-to-date information on which to base their decisions. Consequently, they need to satisfy themselves the governance frameworks, and the design and effectiveness of internal systems and controls provides sufficient assurance the agency’s activities are in line with expectations and comply with standards and legal requirements.  

Our audits identified deficiencies in some agencies’ governance frameworks, including:

  • not having frameworks to manage and ensure compliance with legislation
  • outdated policies and procedures, including those for fraud and corruption
  • inconsistent risk management frameworks
  • not having effective internal audit functions
  • some smaller agencies not having an Audit and Risk Committee
  • poor frameworks for identifying and managing conflicts of interest and gifts and benefits.

Agencies can assess their governance frameworks against our Governance Lighthouse.

Effective cluster/agency and program/project governance is characterised by:

  • leaders who set the right tone from the top, that shapes the culture and demonstrates the desired values and ethics through the behaviours they model when working with management and external stakeholders
  • a clear strategic purpose and direction, based on a clear understanding of stakeholder expectations, realistic medium and long-term outcomes, short-term priorities and expenditure/investment choices and budgets
  • a shared and strong understanding of the strategy to inform decisions
    strong oversight of progress against the strategy, significant deviations from it, emerging risks and planned benefits from change programs
  • regular reviews of and updates to the strategy to adapt to changing circumstances
    a clear purpose at specific project/program levels
  • charters with structures that include clearly distinct governance and management roles, principles, and processes
  • clearly defined roles and responsibilities that make differing interests transparent and improve decision-making – these should be revisited periodically
  • visible leadership when agencies/projects/programs face difficult issues
    clearly allocated and delegated decision-making for governance and management
  • different people in the roles of chair, project sponsor, manager of the division responsible for delivering a project, the line manager of the project director
  • the right mix of people with different perspectives and skills, who robustly debate issues, but support agreed decisions
  • independent quality assurance 
  • effective risk management that identifies, analyses, mitigates, monitors and communicates risks
  • a defined risk management framework and register that is widely understood and aligned to the agency’s strategy, risk appetite, objectives, business plan and stakeholder expectations
  • a mature risk management culture and reporting structure that is built into the agency or project governance framework
  • clear roles for Audit and Risk Committees, with competent and independent members who have a clear purpose
  • governance arrangements and practices that continually evolve to manage risk and conflicts of interest.

Cluster governance

Cluster governance arrangements, including accountability, are unclear

Currently, cluster governance arrangements are unclear and inconsistently implemented across the NSW public sector. Implementing cluster governance frameworks is complex because clusters bring together entities with different enabling legislation, organisational and legal structures, information systems and processes, risk profiles and governance frameworks. They require Ministers, boards, department Secretaries, agency heads and management to work together to ensure effective cluster governance and accountability arrangements are in place.

Clear cluster governance arrangements would improve cooperation and coordination amongst cluster agencies, help deliver government priorities that cut across agencies and improve service delivery outcomes. We recommended DPC release a revised NSW Public Sector Governance Framework that clearly articulates cluster governance arrangements, the role of the cluster Secretary, Chief Finance Officer, Chief Information Officer and Chief Risk Officer.

DPC has indicated the framework will be updated shortly to provide guidance on governance at a cluster level, including how cluster-level accountability and performance information is monitored and reported. We understand DPC will work with NSW Treasury to revise the framework by mid-2017. It is important for these agencies to collaborate and ensure the outcomes of NSW Treasury's Financial Management Transformation (FMT) program are considered when updating the framework.

The FMT program aims to revise financial governance, budgeting and reporting arrangements in the NSW public sector, and clarify the administrative and accountability arrangements for cluster operations. Further information on FMT is included in the Financial Performance and Reporting and Service Delivery chapters.  

Management oversight and capability

Those charged with governance are ultimately responsible for establishing an appropriate governance framework and system of internal control. However, management is accountable to those charged with governance and their oversight plays an important role in ensuring appropriate policies, procedures and internal controls are designed and working properly.

Sale and lease of Crown land is not being managed effectively

Our 2016 performance audit found limited oversight of sales and leases of Crown land by the Department of Industry - Lands. The Department has only just started monitoring whether tenants were complying with lease conditions, and does not have a clear view of what is happening on most leased Crown land. Most guidance to staff had not been updated for a decade, contributing to staff sometimes incorrectly implementing policies on rental rebates, unpaid rent, rent redeterminations and the direct negotiation of sales and leases on Crown land.  

Decisions on the sale and lease of Crown land were not transparent to the public and the Department has not provided consistent opportunities for the public and interested parties to participate in decisions about Crown land. Between 2012 and 2015, 97 per cent of leases and 50 per cent of sales were negotiated directly between the Department and individuals, without a public expression of interest process.  

Adding to this, our financial audit findings have identified significant deficiencies for several years in recording and accounting for Crown land assets in the Crown Land Information Database and the Department’s general ledger.

A key objective of the Department of Industry - Lands is for Crown land to be occupied, used, sold, leased, licensed or otherwise dealt with in the best interests of the State. A major part of the State’s land holding is Crown land, which had an estimated value of $12 billion in  2015–16. Crown land comprises approximately 42 per cent of all land in New South Wales and supports a wide range of important environmental, economic, social and community activities.  

The Crown Land Management Act 2016 (the Act) received assent from Parliament on 14 November 2016. The Act consolidated eight pieces of legislation. Most of the Act is expected to commence in early 2018. It is expected to reduce complexity and duplication, deliver better social, environmental and economic outcomes and facilitate community involvement in Crown land.

Good progress is being made on implementing public sector management reforms

Our performance audit on ‘Public Sector Management Reforms' found the Public Service Commission was making good progress leading the implementation of public sector management reforms. The Commission developed a sound evidence base for the reforms and gained wide public sector support by engaging with agency heads and using public sector working groups to develop options.  

The Commission needs to do more to report on how the reforms are contributing to better public services and to issue its guidance material to agencies promptly. The audit noted that the capacity and capability of human resource units in some agencies remains an impediment to the successful implementation of the reforms.

In early 2012, the NSW Commission of Audit Interim report identified a range of issues with workforce management in New South Wales. The Public Service Commission (PSC), which was established in late 2011, was tasked to address some of these issues and build the capability of the public sector. The Government Sector Employment Act 2013 (GSE Act), which provides the legislative basis for reforms, commenced in February 2014.

The public sector management reforms are ambitious, covering a substantial workforce and requiring a lot to be done in a short time. To achieve the intended outcomes, the reforms needed to be supported by sound evidence, have clear objectives and performance indicators, and be evaluated at appropriate stages.

Risk Management

The increasing complexity of government business transactions reinforces the need for whole of government approaches to deal with inter-related and inter-dependent risks across government agencies. It is important that safeguards in place to manage these risks are commensurate to the risk posed.

Findings from some of our 2016 performance audits, which looked at how areas of high risk are managed across NSW Government, are detailed below:

Our performance audit on managing unsolicited proposals in New South Wales concluded that governance arrangements for unsolicited proposals were adequate, but greater transparency and public reporting is needed. Unsolicited proposals warrant greater scrutiny and disclosure as they pose a greater risk to value for money than open, competitive and transparent tender processes.

 

Our performance audit on government advertising concluded the peer review process provides sufficient assurance that government advertising programs are needed and are cost effective. Government advertising is an activity that is high risk because of the potential for it to be used for political purposes. In NSW, the Government Advertising Act 2011 requires government advertising campaigns estimated to cost over $50,000 to be independently peer reviewed before launch.  

Cluster-wide risk management

Cluster wide risk management is inconsistent

Agencies within clusters have their own risk profiles and risk management frameworks. We found varying approaches and levels of maturity on how agency risks are captured and escalated to a cluster level so cluster heads can assess how they are being managed, treated and reported. We recommended some clusters review how agency level risks are escalated and reported at a cluster level.

Enterprise-wide risk management

Agency enterprise-wide risk management across the public sector is improving

In 2016, we assessed risk management processes at 33 agencies across the NSW public sector against the criteria in our Risk Assessment Tool. In 2015, we asked 77 agencies to perform a self-assessment of their risk management maturity. The table below compares the overall results of our assessment against the agencies self-assessments. The comparison indicates that risk management is improving.

Our assessments found that agencies have risk management governance structures in place, but need to focus on developing stronger risk cultures and fit-for-purpose systems to capture risks and incidents.

The environment in which services are delivered to the people of NSW is constantly changing. Services need to remain relevant and support the public's changing needs and expectations. People expect high quality services to be delivered in cost effective ways. To do this, agencies need to determine how best to deliver the services. Governments can deliver their services through agencies or through commissioning the right mix of services from public, private and not for profit sector providers.  

Agencies also need to consider how they collaborate with each other to improve the quality of their services and help drive down costs. Changes in innovation and technology can help agencies adapt to changing circumstances and to deliver better services in different ways.

In 2015–16, our audit teams made the following key observations on service delivery by NSW public sector agencies.

Service delivery
Observation Conclusion
New ways of delivering services across NSW Government are being identified, with commissioning and contestability arrangements being introduced or considered.

It is important for accountability to be maintained when services are outsourced.

Commissioning services and introducing new systems can be challenging. It is important for this to be managed well through:

  • strong project governance and leadership to manage risks
  • entering into binding commitments with clear accountabilities
  • good preparation, including adequate training and support for staff
  • sound financial management to control costs.
We found government decision makers are not always receiving enough information to make evidence-based investment decisions. The NSW Government’s program evaluation initiative has been largely ineffective. A performance audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters and recommended improvements to program evaluation.
We found agencies' performance is not routinely measured, evaluated or publicly reported. Agencies can improve transparency over their performance with a stronger focus on measuring performance and outcomes so they can make evidence-based decisions and maintain public accountability.
According to unaudited agency data, some Premier's and State Priorities are at risk of not being achieved. Independent assurance over the reliability and accuracy of the data would increase confidence in the performance indicators used to measure achievement of the Government’s priorities.
A comprehensive report of performance against the State Priorities is not published. We understand the NSW Government is considering public reporting against the State Priorities and developing reporting options.

Commissioning and Contesting the Delivery of Services

The publics' rising expectations, and rapidly changing and increasingly complex needs mean agencies cannot be complacent even when they deliver good services. To meet changing expectations and needs, agencies need to build on their strengths and leverage opportunities a modern, technology driven and information rich environment provides.

Government outcomes can be achieved through the effective commissioning of the right mix of services from the public, private and not-for-profit sectors. Commissioning involves agencies assessing citizens’ needs, determining priorities, designing and sourcing appropriate services, and monitoring and evaluating performance. NSW Treasury's 'Government Commissioning and Contestability Policy', published in November 2016, aims to provide a clear and consistent policy direction, definition and set of principles to guide NSW Government agencies when commissioning and contesting services.

It is important for agencies to understand the Government's strategic direction and objectives when partnering with others or commissioning the delivery of services. They must be prepared and able to work together and with others in different ways to deliver the best quality public services possible. Agencies face challenges and opportunities when commissioning services. These include:
 
  • determining the size, variety and location of services needed to meet customer needs and expectations
  • doing things differently to ensure public services are delivered efficiently and effectively
  • developing and nurturing markets, and transitioning services into and out of government
  • partnering with other public and private sector entities, and non-government organisations (NGOs)
  • establishing and maintaining clear accountabilities for jointly delivered services
  • using new approaches that leverage improvements in technology
  • involving the people of NSW in designing, planning, and delivering services
  • using, sharing and communicating information about service delivery
  • building agencies' capacity and capability
  • measuring and benchmarking service performance.

Effective commissioning can be achieved through:

  • strong governance and leadership to manage relationships and risks effectively within risk appetite levels
  • good information systems and tools 
  • being well prepared with the right capability and number of employees who are well trained and supported
  • adopting approaches that best fit the circumstances
  • regularly monitoring and assessing if expected outcomes are being achieved 
  • having a common purpose with clear outcomes
  •  being flexible and prepared to make trade-offs
  •  binding commitments with clear accountabilities
  •  sound financial management to control costs
  •  adequate development and testing of new systems before going live.

Commissioning and contestability continues to increase

We continue to see new ways of delivering services across NSW Government agencies. Some examples of commissioning and contestability include:

  • commissioning of GovConnect to provide information technology and transactional services to several agencies within the NSW Public Sector (refer Financial Controls chapter for further detail)
  • contestability testing within NSW Health, including linen services, non-emergency patient transport, warehousing, hospital support services, pathology and radiology
  • commissioning NGOs to provide some services traditionally provided by the Department of Family and Community Services ($2.8 billion received by NGOs in 2015–16 for the delivery of these services).

Our performance audit on franchising of the Sydney Ferries network found the decision to do so was justified and Transport for NSW’s management of the franchise was largely effective. The franchising has resulted in cost savings, good service performance and effective risk transfer from Government to the private sector operator. Scheduled ferry services are now provided under a seven-year contract managed by Transport for NSW.

Our 2016–17 performance audit program includes a review of Roads and Maritime Services' (RMS) Sydney region road maintenance contracts to assess whether RMS has realised the expected benefits of outsourcing road maintenance for the Sydney Region West and South zones under its Stewardship Maintenance Contracts. We also recently tabled a performance audit report, which focused on the Department of Family and Community Services work to build the readiness of the non-government sector for the National Disability Insurance Scheme.

Accountability needs to be maintained when services are outsourced

Generally, contractual arrangements allow an agency that is outsourcing services to review and assess the performance of the service provider. However, outsourced service providers are not directly accountable to the NSW Parliament for their use of public resources.

Governments are increasingly outsourcing to or partnering with private and NGO providers to deliver government services. Consequently, many parliaments now have legislation that enables Auditors-General to ‘go beyond’ the boundaries of the agencies commissioning services and into the entities providing the services to examine how effectively and efficiently they are providing the services (‘follow the money’ powers). New South Wales legislation does not currently provide the Auditor–General with such powers.

Delivering Government Services

Evidence-based decision making

Government services are being delivered by agencies through a variety of programs

To do this effectively agencies need to be able to make evidence based decisions. In August 2013, the NSW Government commenced a program evaluation initiative, which required agencies to periodically evaluate their programs. Since then, NSW Treasury and DPC have worked with agencies to implement the initiative. Agencies are required to prioritise programs for evaluation based on size, strategic significance and degree of risk, recognising their available capability and resources to conduct evaluations.

Our performance audit on 'Implementation of the NSW Government’s program evaluation initiative' showed the initiative was largely ineffective and government decision makers were not receiving enough information to make evidence-based investment decisions. The audit looked at the Justice, Industry, Skills and Regional Development, Planning and Environment, Premier and Cabinet and Treasury clusters.

Our performance audit also recommended NSW Treasury develop an evaluation framework to support the program budgeting and reporting component of the Financial Management Transformation (FMT) program, and ensure the program evaluation initiative is integrated into the new framework.

The FMT program budgeting, reporting and evaluation initiative aims to provide evidence-based information to inform investment decisions on programs. Adopting program budgeting and reporting as a key component of the FMT program requires a proven and systematic evidence-based methodology for measuring the efficiency and effectiveness of the programs.

Service delivery performance

Our performance audits found mixed service delivery performance

Performance audits build on our financial audits by reviewing whether taxpayers' money is spent efficiently, effectively, economically and in accordance with the law. Many of our performance audits focus on whether agencies are delivering good services to citizens at a reasonable cost. Findings from some of our 2016 audits, which focused on service delivery performance, are outlined below:

New South Wales has a lower rate of foodborne illness than the national average. This reflects some good practices in the NSW Food Authority’s approach to monitoring food safety standards. To ensure foodborne illnesses remain low, the Authority needs to better monitor its arrangements with local councils that inspect retail food businesses on its behalf, and receive additional and more timely information from them on compliance with food safety standards.

 

The Department of Education is doing a reasonable job of managing how well students with a disability transition to new schools and in supporting teachers to improve the students’ educational outcomes. We found enrolments in quality early childhood education were increasing, but were still below benchmark and funding could be better targeted to disadvantaged children in long day care.

 

Juvenile Justice NSW prepares and helps young people reintegrate into the community reasonably well after detention, given their complex needs, but access to post-release services is problematic.

 

Citizens will benefit if red tape is reduced. Overall, NSW Government initiatives and processes to prevent and reduce red tape have not been effective. In the absence of an accurate red tape savings figure and a stocktake of regulation, the NSW Government does not have a clear view of the impact its reported savings had on the overall net burden of red tape in New South Wales. Its ‘one-on, two-off’ initiative to reduce legislative regulatory burden achieved its numerical target, but the cost of the total legislative burden increased by $16.1 million over the same period.

Reporting on Service Delivery Performance

As agencies partner and collaborate more, measuring performance becomes more important. Sharing, using and making information available enables agencies to collectively understand and improve their service performance. This also gives agencies an opportunity to achieve efficiencies in collating and using research and performance data within privacy and legislative constraints. Where appropriate, agencies should consider obtaining independent assurance over the reliability and accuracy of the performance data they use.

Complaints are an important and free source of information that can provide valuable insights into poor service, systemic errors or problems with specific processes. How agencies manage and respond to complaints demonstrates their commitment to high standards of service delivery. Complaints also give agencies an opportunity to understand the expectations and experiences of people using their services. Government agencies need to ensure complaints are easy to make, consistently recorded and analysed, and openly reported and actioned.

Transparency over performance

Performance is not always measured, evaluated or publicly reported

A key objective of public sector reform is to improve performance and create a culture of accountability. Inadequate performance measures and primarily internal reporting, reduces transparency of agency performance and makes it hard for the public to assess if agencies are doing a good job. A sample of our audits found:
 
  • the effectiveness of Corrective Services NSWs performance framework was limited because performance information was not readily available to correctional centres to make more informed decisions on how best to manage their centres
  • red tape savings figures were not accurate and there was no central oversight of red tape reduction strategies
  • a lack of detailed costings meant we could not be sure regulation of early childhood education was efficient even though processes appeared to be good
  • while the Department of Family and Community Services has transparent performance reporting which is regularly published, the use and reporting of targets and benchmarks is limited
  • while icare collects performance information it does not use this information to assess the success of the return to work program. The return to work rate has increased from 85.5 per cent to 88.3 per cent since the workers’ compensation reforms were introduced in 2012, but there was no benchmark to assess if this result is meeting the desired objectives of the reforms
  •  the Environment Protection Authority has not developed measures and targets to assess achievement of outcomes associated with illegal dumping initiatives.

Agencies should consider whether their performance measurement frameworks:

  • measure the right things, focus on outcomes and integrate with decision making processes
  • set baselines and establish targets and timeframes for key performance indicators
  • require the use of reliable, up to date and accurate information
  • require information to be publicly reported to increase transparency.

The Government will not get the same level of reliance on performance information as it does for financial statements if that information is not independently assured. We will continue to focus on how well agencies assess and report the performance of their initiatives in achieving desired outcomes.

Premier's and State Priorities

The NSW Government released State Priorities 'NSW: Making it Happen' in September 2015. It includes 12 Premier's Priorities and 18 State Priorities with measures and targets to track the Government's performance in key priority areas.

The Premier's Priorities are detailed below.

  • Protecting our kids
  • Improving service levels in hospitals
  • Improving education results
  • Driving public sector diversity
  • Keeping our environment clear
  • Faster housing approvals
  • Reducing domestic violence
  • Tackling childhood obesity
  • Reducing youth homelessness
  • Improving government services
  • Creating jobs
  • Building infrastructure

Performance against the Premier's and State Priorities is not audited

The Premier's and State Priorities have not been independently audited to provide assurance the performance information is accurate. The Commonwealth, Victorian and Western Australian Auditors-General have varying powers that provide for auditing the appropriateness of agency key performance indicators and determine whether they fairly represent actual performance. NSW legislation does not currently provide the Auditor-General with such powers.

Premier's Priorities

Some Premier's Priorities are at risk of not being achieved

Our 2015–16 reports commented on the Government's performance against some of the Premier’s and State Priorities. Published data, which we have not audited, indicates the following Premier's Priorities may be at risk of not being achieved:

  • the proportion of domestic violence perpetrators re-offending within 12 months was 15.9 per cent, which is 6.7 percentage points higher than the target of 9.2 per cent (refer page 52–53 in Report on Law and Order, Emergency Services and the Arts for further details)
  • the percentage of children and young people re-reported at risk of significant harm was 40 per cent, which is 5.6 percentage points higher than the target of 34.4 per cent (refer page 31–32 in Report on Family and Community Services)
  • in 2015–16, 32.5 per cent of students achieved results in in the top two NAPLAN bands for reading and numeracy, marginally below the baseline of 32.7 per cent and below the 2019 target of 35.2 per cent (refer page 40–41 in Report on Education for further details)
  • the rate of patients leaving emergency departments within four hours was 74.2 per cent, 6.8 percentage points below the target of 81 per cent (refer page 53 in Report on Health for further details).

Published data, which we have not audited, indicates the following Premiers Priorities have been achieved or are on track to be achieved:

Progress against all 12 priorities can be found at https://www.nsw.gov.au/improving-nsw/premiers-priorities.

State Priorities

Some State Priorities at risk of not being achieved

Data, which we have not audited, indicates the following State Priorities may be at risk of not being achieved:

  • journey time reliability was 86 per cent in 2015–16, four percentage points below the 90 per cent target for peak travel on key routes being on time (refer page 48 in Report on Transport for further details)
  • in 2015–16, 9.1 per cent of Aboriginal and Torres Strait Islander students achieved results in the top two NAPLAN bands for reading and numeracy, which shows no improvement on the baseline of 9.1 per cent and is below the 2019 target of 11.6 per cent (refer page 42–43 in Report on Education for further details)
  • reducing the rate of adult re-offending by five per cent by 2019 – the rate increased 2.3 percentage points over the five years since 2010 to 36.7 per cent for the year ended 31 December 2014 (refer page 53–54 in Report on Law and Order, Emergency Services and the Arts for further details).

Data, which we have not audited, indicates the following State Priorities have been achieved or are on track to be achieved:

  • the State maintained its AAA credit rating (refer page 25 in Report on State Finances for further details)
  • general government expenditure growth was 4.4 per cent in 2015–16 and continued to be below long term revenue growth of 5.6 per cent (refer page 25 in Report on State Finances for further details)
  • 70,077 new dwelling approvals were granted in 2015–16, higher than the target of 50,000 approvals (refer page 35 in Report on Planning and Environment for further details)
  • the time taken to assess planning applications for complex state significant developments fell 46 per cent in 2015–16 from the 2013–14 baseline. A further four percentage point reduction is required to meet the target of halving the time to perform these assessments (refer page 35 in Report on Planning and Environment for further details)

A comprehensive report of performance against the State Priorities is not published

The Department of Premier and Cabinet has defined targets and measures in ‘NSW: Making it Happen’ so Ministers and individual agencies know which targets they are accountable for and how they will be measured. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State priorities is not published. We understand the NSW Government is considering this matter and developing reporting options.

Agencies are responsible for the priorities and they report progress at least bi-annually to the Department of Premier and Cabinet for reporting to the Premier. We will continue to report performance against the targets set in the Premier's and State Priorities.

Contract Management

Our audits identified deficiencies in contract management processes

Our audits continue to identify deficiencies in contract management processes, including:

  • agencies not having central contract registers detailing key contractual obligations and commitments
  • incomplete and inaccurate contract registers and/or no policy or procedures to update and maintain contract registers
  • no monitoring of contract performance.

We recommended agencies in the Family and Community Services and Planning and Environment clusters improve contract management processes. A robust contract management framework helps ensure all parties meet their obligations, contractual relationships are well managed, value for money is achieved and deliverables meet the required standards and agreed timeframes.

A 2014 performance audit ‘'Making the most of government purchasing power – telecommunications' developed a Better Practice Contract Management Framework (Framework) with nine key elements. Agencies can refer to this framework when assessing the adequacy of their contract management framework.

Benefits realisation

Benefits realisation approach for the Service NSW initiative is not as effective as it could be

Effective benefits realisation is critical to achieving intended outcomes expected from investments.  

Our performance audit on 'Realising the benefits of the Service NSW initiative' found the benefits realisation approach for the Service NSW initiative is not as effective as it could be. While customers think Service NSW provides a convenient and practical way to access all government transaction services:  

  • it was unclear who should monitor and report on the achievement of whole-of-government benefits and savings anticipated from the initiative
  • there was insufficient data to fully value or identify individual agency and whole-of-government savings and benefits.

This makes it difficult for the NSW Government to demonstrate the expected economic benefits of Service NSW will outweigh costs by the estimated five to one, and that savings will accrue after 2016–17.

The Department of Finance, Services and Innovation has developed a benefits realisation management framework, which can be found at www.finance.nsw.gov.au/publication-and-resources/benefits-realisation-management-framework. The Department of Education has established a benefits realisation plan for the Learning Management and Business Reform Program (LMBR) following our performance audit on the LMBR program. The Department of Planning and Environment is planning a benefits realisation review on the implementation of stage one of the ePlanning system.  

We will continue to review whether agencies have implemented effective benefit realisation frameworks for major projects and programs and examine the outcomes of benefit realisation reviews.