Recommendation: Agencies should reduce IT risks by:

• assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation
• ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:

• internal audit focusing on key contracting activities
• experienced officers who are independent of contract administration performing spot checks or peer reviews
• targeted analysis of data in contract registers.

Performance management
Eighty-six per cent of agencies meet with vendors to discuss performance. 

Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.

Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:

• a more active, rigorous approach to both risk and performance management
• checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy
• invoking performance based payments clauses in contracts when performance falls below agreed standards.

Transitioning services
Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions.

Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.

Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:

• monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner
• managing their contractual commitments, budgeting and cash flow requirements.

Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.

User access administration
Seventy-two deficiencies were identified related to user access administration, including:

• thirty issues related to granting user access across 43 per cent of agencies
• sixteen issues related to removing user access across 30 per cent of agencies
• twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.

Recommendation: Agencies should:

• review the number of, and access granted to privileged users, and assess and document the risks associated with their activities
• monitor user access to address risks from unauthorised activity.

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

• policies and guidance support the consistent and accurate collection of data
• internal review processes and management oversight are effective
• independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

• on both works in progress and projects completed during the year
• actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
• explanations for significant cost overruns, delays and key project performance metrics.

• all agencies maintained purchasing card registers
• seventy-six per cent provided training to cardholders prior to being issued with a card
• eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities
• thirty-two per cent of agencies place merchant blocks on purchasing cards
• forty-seven per cent of agencies place geographic restrictions on purchasing cards.

Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards.

Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:

• updating purchasing card registers to contain all mandatory fields required by TPP17–09
• appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function
• strengthening preventive controls to prevent misuse.

Detective controls
Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity.

Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.

Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards.

Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:

• detect misuse and investigate exceptions
• analyse trends to highlight cost saving opportunities.

• a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date
• more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.

• limit the circumstances where taxi use is appropriate
• offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.

Prevention systems
Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas.

Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.

Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data.

Agencies can improve their fraud prevention systems by:

• completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee
• maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks
• developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’
• developing and maintaining up to date IT security policies and monitoring compliance with the policy.

Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses.

Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.

New and repeat findings

High risk findings

Common findings

IT security

Cyber security

Other IT systems

Capital investment

Capital projects

Asset disposals

Governance arrangements

Shared services

Ethical framework

Conflicts of interest

Risk management maturity

Risk management elements

1.1 New and repeat findings

The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17.

Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.

Recommendation

Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.

We found seven high risk internal control deficiencies, which might significantly affect agencies.

Recommendation

Agencies should rectify high risk internal control deficiencies as a priority

The most common internal control deficiencies related to poor or absent IT controls.

We found some common governance deficiencies across multiple agencies.

Recommendation

Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

• establish and enforce clear policies and procedures
• review user access regularly
• remove user access for terminated staff promptly
• change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

• only grant privileged access in line with the responsibilities of a position
• review the level of access regularly
• limit privileged access to necessary functions and data
• monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

• minimum password lengths and complexity requirements
• limits on the number of failed log-in attempts
• password history (such as the number of passwords remembered)
• maximum and minimum password ages.

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

• mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
• develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

Major capital projects

Agencies’ major capital projects were underspent by 13 percent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

• regular public disclosure of key performance information
• disclosure of both positive and negative information
• prompt reporting of significant issues.

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

• specify the controls a provider must maintain
• specify key performance targets
• include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

• requiring senior executives to make a conflict-of-interest declaration at least annually
• implementing processes to identify and address outstanding declarations
• providing annual training to staff
• maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

• 'Risk Management Toolkit for the NSW Public Sector'
• 'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

• setting an appropriate tone from the top
• training all staff in effective risk management
• ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Unqualified audit opinions were issued for 39 of the 45 cluster agencies' financial statements.

Issues identified during the financial statement audits of seven smaller agencies delayed their completion. Six audits remain incomplete at the date of this report.

Apart from these seven small agency audits, the quality of financial reporting across the cluster remained at a high standard.

Seven agencies' financial statement audits were not completed by the statutory deadline with six audits incomplete at the date of this report.

Water and Electricity utility agencies continue to operate with low liquidity ratios.

A liquidity ratio below one is an indicator that an entity may not be able to pay its debts as and when they fall due.

Whilst liquidity ratios were below one, utility agencies demonstrated they can continue to support ongoing operations due to:

• access to regulated revenue streams

• assets with long useful lives to generate revenue

• debt funding limits approved by the NSW Treasurer under the Public Authorities (Financial Arrangements) Act 1987.

One in six internal control weaknesses reported in 2016–17 were repeat issues.

Delays in implementing audit recommendations can prolong the risk of fraud and error.

Recommendation (repeat issue): anagement letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues.

Nine of these internal control weaknesses related to the creation, modification, deletion and review of user access to financial systems.

These control weaknesses may compromise the integrity and security of financial data.

Recommendation (repeat issue): Management of user administration over financial systems should be strengthened to prevent inappropriate access to financial information.

One priority target was achieved in 2016–17, two targets are on track to be achieved and progress towards one target slowed.

Progress against one target cannot be determined.

Housing Completion

Housing supply

Major project assessment

Housing acceleration fund

Program business cases were not developed for projects in Housing Acceleration Fund Rounds 1 to 4.

The Department advised a program business case will be developed for Housing Acceleration Fund Round 5 projects.

A benefit realisation review process has not yet been approved for Housing Acceleration Fund projects.

The Department of Planning and Environment advised it is developing a benefit realisation review process.

Greater Sydney Commission

ePlanning system

Hunter Water Corporation's water recycling and water conservation performance has been stable over recent years.

The volume of Sydney Water Corporation’s recycled water reduced by 12 per cent in 2016–17 compared to the previous year.

NSW Health recorded an operating surplus of $407 million in 2016–17.

Eleven local health districts/specialty networks recorded operating deficits in 2016–17, four more than 2015–16.


Expenses across NSW Health increased by 4.4 per cent in 2016–17 (6.0 per cent in
2015–16).

The capital replacement ratio of local health districts/specialty networks ranged from 0.5 to 5.7 in 2016–17. Seven local health districts had capital replacement ratio higher than one.

The statewide operating surplus was $84 million higher than 2015–16. Net surpluses contribute to NSW Health’s ability to invest in new facilities, upgrades and redevelopments.

The 2016–17 financial results were once again impacted by the NSW Government initiative to improve cash management across the sector.

The expense growth rate for NSW Health is 1.6 percentage points lower than the expected long term annual expense growth rate.

Substantial ongoing investment in hospitals and other assets across NSW Health is evidenced by high capital replacement ratios for some health entities in 2016–17.

Thirty-five per cent of NSW Health’s workforce have excess annual leave balances.

NSW Ambulance had the highest average sick leave rate in NSW Health of 85.2 hours per FTE in 2016–17 (78.7 hours in 2015–16). This was higher than the statewide average of 62.1 hours (62.0 hours in 2015–16).

NSW Ambulance’s overtime payments in 2016–17 totalled $74.6 million; $2.8 million more than 2015–16 and significantly higher than other health entities

Other NSW Health entities are generally managing overtime well.

Unapproved employee timesheets continue to be a problem for health entities. Weak timesheet approval controls increase the risk of staff claiming and being paid for hours they have not worked.

Managing excess annual leave is a continual challenge for health entities.

Recommendation: Health entities should further review the approach to managing excess annual leave in 2017–18. They should:

• monitor current and projected leave balances to the end of the financial year on a monthly basis
• agree formal leave plans with employees to reduce leave balances over an acceptable timeframe.

NSW Ambulance continues to face significant challenges in managing sick leave.

Recommendation: NSW Ambulance should further implement and monitor targeted human resource strategies to address the high rates of sick leave taken

Recommendation: NSW Ambulance should further review the effectiveness of its rostering practices to identify strategies to reduce excessive overtime payments.

Recommendation: Health entities should conduct a risk‑based review of time and leave recording practices to ensure control weaknesses are identified and fixed.

Most of the service agreements between the Secretary of NSW Health and health entities were signed earlier than prior years.

Thirteen local health districts/specialty networks signed their service agreements by the 31 July 2017 due date. This is a significant improvement with only seven local health districts/specialty networks meeting the date in 2015–16.

Data provided by the Ministry indicates NSW Health again, on average, met emergency department triage response time targets across all triage categories for the fourth consecutive year.

The Ministry manages performance across NSW Health to ensure patients presenting at emergency departments receive care in a clinically appropriate timeframe.

Based on the Ministry’s data, local health districts/specialty networks are, on average, meeting triage targets despite increasing emergency department attendances.

The data shows eleven local health districts met all triage targets in 2016–17, compared to eight in
2015–16. 

The Ministry manages public patient access to emergency services in public hospitals.

It has an emergency treatment performance target of 81 per cent of patients leaving emergency departments within four hours.

Data provided by the Ministry indicates NSW Health maintained its overall emergency treatment performance in 2016–17, but did not achieve its target. The State average emergency treatment performance was 74.2 per cent (74.2 per cent in 2015–16).

Based on the Ministry’s data, only four local health districts achieved the target in 2016–17, five in
2015–16.

Data provided by the Ministry indicates NSW Health, on average, did not reduce the rate of unplanned hospital re‑admissions in 2016–17. The Ministry has a target of reducing unplanned hospital re‑admissions compared to the previous financial year.

Low re‑admission rates may indicate good patient management practices and post-discharge care.

NSW Health aims to reduce the number of unplanned and emergency re‑presentations to emergency departments.

The Ministry’s 2016–17 data shows the State average of emergency department re‑presentations decreased marginally from 5.0 per cent in 2015–16 to 4.9 per cent.

The Bureau of Health Information analyses and reports on the results of patient surveys.

The Bureau’s survey shows 65 per cent of adult admitted patients rated the care they received in hospital as ‘very good’ and 29 per cent rated it as ‘good’.

User access administration over financial systems remains an area of weakness. Sixteen moderate risk and ten low risk issues related to user access administration across eight agencies were identified. 

Recommendation: Agencies should review user access administration to critical systems to ensure:

• policies for user access creation, modification and deactivation are documented
• approval is being obtained to establish, modify or delete user accounts
• regular user access reviews are performed and highly privileged user account activity is logged and monitored
• evidence of review is maintained.

Transitioning of services to outsourced service providers can be improved. Our 2016–17 audits identified one high risk issue relating to Property NSW's outsourcing of property and facility management services to the private sector.

While a high risk issue was identified in 2015–16 from the Department of Finance, Services and Innovation's outsourcing of transactional and information technology services to GovConnect there has been an improvement in GovConnect's internal control environment throughout
2016–17.

The Department of Premier and Cabinet monitors the achievement of targets and the implementation of initiatives to deliver the 12 Premier’s Priorities.

Responsible ministers and agencies manage the 18 State Priorities. A comprehensive report of performance against the 18 State Priorities is yet to be published.

Performance against the State Priority to make NSW the easiest state to start a business is not currently published.

A key aspect of making NSW the easiest state to start a business is making regulatory obligations easier to understand and implement.

The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy.

Failure to comply with the DISP increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.

Property NSW's performance reporting could be
improved. M2012-20 'Government Property NSW
and Government Property Principles' required
Property NSW to set key performance indicators
to measure property and asset utilisation
performance. 

Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). Amendments to relevant legislation allows the Minister for Finance, Services and Property to prescribe applicable prudential standards and audit requirements.

Currently, Green Slips in NSW are the most expensive in Australia. Average premiums for Sydney Metropolitan vehicles increased by 10.4 per cent between 1 January 2016 and 31 December 2016.