Refine search

Reports

10 December 2020

Published

Central Agencies 2020

Premier and Cabinet

Treasury

Financial reporting

Internal controls and governance

Management and administration

Risk

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

Audit opinions and timeliness of reporting	Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting financial statements.
Agencies were financially impacted by recent emergency events	The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events.
AASB 16 'Leases' resulted in significant changes to agencies' financial position	The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
Implementation of new revenue standards	NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements.

2. Audit observations

Management letter findings and repeat issues	Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of: Insurance and Care NSW New South Wales Government Telecommunications Authority Rental Bond Board Independent Commission Against Corruption NSW Treasury Crown Entity Department of Premier and Cabinet. High risk findings include: Insurance and Care NSW (icare) allocates service costs to the Workers Compensation Nominal Insurer, and the other schemes it supports. The documentation supporting cost allocations does not demonstrate how these allocations reflect actual costs. There is a risk of the Workers Compensation Nominal Insurer being overcharged. New South Wales Government Telecommunications Authority's delay in capitalisation and valuation of material capital projects; and insufficient work performed to implement the new accounting standard AASB 16 ‘Leases’. NSW Treasury's four-year plan to transition RailCorp to a for-profit State Owned Corporation called Transport Asset Holding Entity of New South Wales (TAHE) by 1 July 2019, remains to be implemented. On 1 July 2020, RailCorp converted to TAHE. A large portion of the planned arrangements are still to be implemented. As at the time of the audit, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements were not finalised. In the absence of commercial arrangements with the public rail operators, there is a lack of evidence to demonstrate TAHE’s ability to create a commercial return in the long term. This matter has been included as a high risk finding in our management letter as there may be financial reporting implications to the State if TAHE does not generate a commercial return for its shareholders in line with the original intent. NSW Treasury and TAHE should ensure the commercial arrangements, operating model and SCI are finalised in 2020–21. Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records.
Grants administration for disaster relief	Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief.
Internal controls at GovConnect NSW service providers require enhancement	GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued: unqualified opinions on information technology and business process controls at Infosys and Unisys, but there was an increase in control deficiencies identified in the user access controls at these service providers a qualified opinion on DCS's information technology (IT) security monitoring controls because security tools were not implemented and monitored for the entire financial year. Responsibility for IT security monitoring transitioned from Unisys to DCS in 2019–20. These control deficiencies can increase the risk of fraud and inappropriate use of sensitive data. These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority.
The NSW Public Sector's cyber security resilience needs to improve	The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency
Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020	The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme.
icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes	Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs.
icare did not comply with GIPA requirements	icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
Implementation of Machinery of Government (MoG) changes	MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster.

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Section highlights

Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. All agencies met the statutory deadlines for submitting their financial statements.
The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified as a result of a payment made without a Treasurer's delegation.
Agencies were impacted by emergency events during 2019–20. This included additional grants to fund specific deliverables.
The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue in the financial statements. These misstatements were due to incorrect revenue calculations performed by the Transport agencies. The Crown Entity relies on information from Transport agencies as they are responsible for carrying out the State’s contractual obligations for Commonwealth funded transport projects. The extent of misstatements could have been reduced with more robust quality review processes in place by Treasury and Transport.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Section highlights

The 2019–20 audits identified nine high risk and 122 moderate risk issues across the agencies. Of the 122 moderate risk issues, 44 (36 per cent) were repeat issues. The most common repeat issue relates to weaknesses in controls over information technology user access administration.
Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by these emergency events for the financial year ended 30 June 2020.
GovConnect NSW engaged an independent auditor (the service auditor) from the private sector to evaluate the internal controls of its service providers. DCS's information technology security monitoring controls were qualified by the service auditor because security tools were not implemented and monitored for the entire financial year. These may impact on the ability of agencies to detect and respond to a cyber incident.
NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention.
The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. The financial statements for these entities continued to be prepared on a going concern basis as their liabilities are not all due for settlement within the next 12 months.
icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20, and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
Machinery of Government (MoG) changes impacted the governance and business processes of affected agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG changes at Infrastructure NSW and in the Customer Service cluster.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

9 December 2020

Published

Managing the health, safety and wellbeing of nurses and junior doctors in high demand hospital environments

Health

Internal controls and governance

Management and administration

Workforce and capability

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations.

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.

This audit assessed the effectiveness of NSW Health’s:

systems, forums and workplace cultures to support reporting and generate data about risk
initiatives to support safe workplaces and effectively respond to health and safety incidents
actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.

Conclusion

NSW Health’s management of health and safety risks in NSW hospitals

NSW Health is effectively monitoring and managing most incidents and risks to the physical health and safety of nurses and junior doctors in NSW hospitals. However, systems and resources are not fully effective across all Local Health Districts for monitoring or managing psychological and wellbeing risks - particularly in relation to nurses.

NSW Health’s incident management system is effective for recording health and safety incidents in hospital wards where incidents occur infrequently, and staff have time to log incident details during shift hours. However, in high demand wards where incidents and risks are common, staff report that they are unable to log all incidents due to the frequency of events, and the time it takes to record incidents in the system.

NSW Health is taking reasonable steps to manage and respond to physical health and safety incidents in NSW hospitals, but psychological and wellbeing risks and incidents are not routinely recorded or escalated to managers. Stress debriefing is not consistently available to staff after difficult or traumatic workplace incidents.

The Ministry of Health could improve its information sharing and data reporting on state-wide health and safety risks in NSW hospitals, and communicate risk trends to the wider NSW health system. This would assist managers to identify common health and safety issues, and target their responses. The Ministry has not set up systems or strategies to identify or support the expansion of successful health and safety initiatives across the NSW health system.

NSW Health’s management of health and safety risks associated with COVID-19

To date, NSW Health has effectively managed most COVID-19 related health and safety risks to hospital staff. The overall effectiveness of NSW Health's preparations and responses to COVID-19 could have been improved in the early phases of the health emergency - from January to early April 2020 - by ensuring that hospital staff in all Local Health Districts had access to pandemic training, that all emergency response policies had been updated and circulated, that state-wide communication systems were able to be rapidly upscaled to deliver consistent messages to hospital staff across the health system, and that PPE supply lines could provide sufficient stock to meet requirements during all pandemic response phases.

Local Health District executives and hospital managers effectively guided and supported nurses and junior doctors to manage and minimise most COVID-19 health and safety risks in hospital environments. However, communication with frontline staff could have been improved in the early stages of the pandemic. The Ministry did not set up a centralised communication channel to communicate consistent messages and advice to hospital clinicians until April 2020. This finding is consistent with a finding from the 2009 review into NSW Health’s response to the H1N1 influenza outbreak. Clinical staff advised that the lack of a centralised communication channel, substantially increased their workloads as they checked numerous sources for the latest and most authoritative advice.

Prior to COVID-19, pandemic response training was limited across the NSW Health system. Nurse managers of emergency departments and intensive care units reported that there was limited training or familiarisation with the NSW Pandemic Plan. Key policies describing infection control principles for emergency departments and intensive care units were outdated and had not been revised within required timelines.

NSW Health's planning and preparation for the supply and management of personal protective equipment (PPE) has been partially effective, with PPE available to hospital staff at all times. However, at various intervals, some PPE could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting, from the usual PPE stock. Staff reported that in the early stages of the pandemic, substituted masks were not locally fit tested by hospital staff in some emergency departments.

1. Audit recommendations

By December 2021, NSW Health should:

Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
- regular scenario-based pandemic training for hospital staff
- updated policies and protocols for hospital infection controls
- capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
- systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With the support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020, allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicates that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither were shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020, sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

staff are to wear prescribed PPE as instructed
staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19, were at levels that would not have been manageable with the equipment and resources of NSW hospitals. Throughout March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Heath District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

20 October 2020

Published

The effectiveness of the financial arrangements and management practices in four integrity agencies

Premier and Cabinet

Treasury

Management and administration

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of the financial arrangements and management practices of four integrity agencies: the Independent Commission Against Corruption, the NSW Electoral Commission, the NSW Ombudsman, and the Law Enforcement Conduct Commission. The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding. The Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

The audit found that the current approach to determining and administering annual funding for the integrity agencies presents threats to their independent status. The approach used by NSW Treasury and DPC is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies. Specific mechanisms that present threats to the independence of the integrity agencies include the absence of transparency in decisions about funding for the integrity agencies, the means of applying efficiency dividends and budget savings and reform measures, the process of providing additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

The Auditor-General outlined the principles that inform the report’s recommendations in order to strengthen the financial arrangements for the integrity agencies. These principles are:

There should be structured oversight by Parliament of the performance and financial management of the integrity agencies.
Parliament’s role in the budget process should be expanded to ensure Cabinet is provided with more independent advice on the funding requirements for the integrity agencies.
There should be transparency to Parliament and the relevant agency for decisions made about funding for the integrity agencies.
The integrity agencies should be required to demonstrate their accountability as prudent managers of their financial resources.

The report also notes that the NSW Parliament should be consulted when considering the report’s recommendations.

Read full report (PDF)

This audit examined the effectiveness of the financial arrangements and management practices of four integrity agencies. It was conducted with reference to the legislative and Constitutional framework that is currently in place for financial management in New South Wales.

This report appropriately recognises that the government of the day is responsible for the prudent and responsible management of the state’s finances. It identifies several areas of ambiguity in the way the current financial arrangements apply to the integrity agencies that are the subject of this audit. It also highlights threats to the independence of the integrity agencies that may arise from the involvement of the Executive Government in the decision making about funding. The report argues these risks are not mitigated sufficiently under the current financial arrangements.

The recommendations in this report outline the principles that should inform the financial arrangements for the integrity agencies. Consistent with the Audit Office of NSW’s role in auditing NSW Government departments and agencies, the recommendations are directed to NSW Treasury and the Department of Premier and Cabinet. However, the report recognises that the current role of these entities in the funding arrangements for the integrity agencies poses a threat to their independence. Consequently, it is important to recognise the important role of the NSW Parliament in determining the appropriate funding model for the integrity agencies. The audited agencies should consult closely with the NSW Parliament when considering these recommendations to ensure the views of Parliament are reflected appropriately in any changes arising from the implementation of these recommendations. This recognises the appropriate role of the NSW Parliament in safeguarding the independence of its integrity agencies.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding.

The NSW Government, through the Treasurer, is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. The annual budget is the primary process that the NSW Government uses for financial management. Decisions about funding for the integrity agencies are made through this budget process. NSW Treasury provides guidance to all government departments and agencies, including the integrity agencies that are the focus of this audit, on the Government’s priorities for the budget. NSW Treasury also reviews and provides advice to the Expenditure Review Committee of Cabinet on proposals for funding through the budget.

The integrity agencies are subject to the application of ‘efficiency dividends’ and ‘budget savings and reform measures’, which limit their access to the full funding that has been approved by Parliament. NSW Treasury and DPC manage the application of these limits to the integrity agencies. The integrity agencies are grouped within the DPC ‘cluster’, which is an administrative arrangement created by the NSW Government. Clusters do not have legal status but are used for administrative and financial management. DPC has provided additional funding during the financial year to some of the integrity agencies in the years covered in this audit. DPC also oversees the involvement of the integrity agencies in developing and reporting on their outcomes. This is a requirement of NSW Treasury’s outcome budgeting reforms, which are currently being implemented.

Each of the integrity agencies is overseen by a parliamentary committee that includes members of both houses of the NSW Parliament. These committees are responsible for reviewing the performance of the integrity agencies that they oversee. They do not have a role in funding decisions. ICAC and LECC each have additional oversight from an Inspector. The Inspector of the ICAC’s role is to oversee the operations and conduct of ICAC to ensure that it complies with the law. The Inspector of the LECC’s role is to oversee the way LECC carries out its functions, with a focus on the legality of LECC’s use of its powers. Neither of these Inspectors has a role in funding decisions.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

not considering or commenting on the financial arrangements for our office
requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies. The inquiry includes the four integrity agencies that are the subject of this audit and our office
seeking independent legal advice on the framework for the financial arrangements for the integrity agencies
using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

The current approach to determining annual funding for the integrity agencies presents threats to their independent status. The approach is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies.

The government of the day is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. Accordingly, the government of the day has a central role in decisions about funding for departments and agencies and in determining the financial management processes to be applied. This is clearly established in the legislative framework and conventions for managing public funds in New South Wales. This system is primarily designed to determine the funding for departments and agencies that are responsible to ministers. It is less appropriate for integrity agencies because it does not provide additional protection against the risk that funding decisions could be influenced by previous or planned investigations by the integrity agencies. This risk has the potential to limit the ability of the integrity agencies to fulfil their legislative mandate. The extent and nature of this risk differs for each of the integrity agencies. This is outlined in the key findings section below and described in detail in Chapters 2–5 of this report.

Aspects of the financial management mechanisms used to administer funding for the integrity agencies create tensions with their independent status. These mechanisms include the means of applying efficiency dividends and budget savings and reform measures, the provision of additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures to the integrity agencies. This results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC focus on the fact that the Appropriation Act provides funding for the integrity agencies to a Premier, rather than the agency, and does not state that a Premier must provide the full amount of funding approved to the agency. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative interpretation of the Appropriation Act would consider factors specific to the integrity agencies that differentiate them from other agencies subject to these measures. These factors include that the integrity agencies are independent of ministerial control, accountable to Parliament for performing specific legislated functions, and some may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is used, then the reduction of the integrity agencies’ access to appropriation funding approved by Parliament could diminish the independent status of the integrity agencies and limit their ability to fulfil their legislative mandate.

DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019 (the Act), because of a change to the Act compared to previous appropriation legislation. The additional funding that was provided to ICAC in 2019–20 by DPC had been appropriated to DPC under Part 2 of the Act. The Act specified that funding appropriated under Part 2 could only be used for the purposes specified in that Part. ICAC receives its appropriation under Part 4 of the Act. It is contestable as to whether the purpose of an appropriation under Part 2 of the Act would include providing funding for an agency that receives an appropriation under another part of the Act.

The integrity agencies have been asked to report on activities and outcomes to DPC as part of the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier.

Our audit also assessed the integrity agencies’ systems for planning, budgeting and monitoring the efficiency of their work. We did not find major deficiencies in the management practices of the integrity agencies. We did identify opportunities for improvement in each agency. These are specific to the circumstances of each agency and are outlined in the key findings section below and Chapters 2–5 of this report.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments have a role in the financial arrangements for the integrity agencies. NSW Treasury manages the budget process that determines the annual funding for the integrity agencies. DPC has a role in managing access to this funding because the integrity agencies are placed within the DPC ‘cluster’.

not considering or commenting on the financial arrangements for our office
requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies and the NSW Parliament, including the four integrity agencies in this audit and our office
seeking independent legal advice on the framework for the financial arrangements of the four integrity agencies in this audit
using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

Financial arrangements for ICAC

ICAC's main functions are to investigate and prevent corruption in the public sector. Its legislation establishes it as an independent agency that is accountable to Parliament.

Decisions about the annual appropriation for ICAC are made by the Cabinet, with advice from NSW Treasury. Members of Cabinet or NSW Treasury could be involved in or affected by an ICAC investigation. There is no independent advice to Cabinet on ICAC’s funding requirements and there is no transparency to Parliament about the reasons for decisions made about ICAC’s budget. The absence of these safeguards in the current financial arrangements creates a threat to ICAC’s independence and have the potential to limit its ability to fulfil its legislative mandate.

ICAC submitted budget proposals seeking increases to its appropriation funding in several recent years. The budget proposals related to funding to expand its workforce to respond to increases in the volume and complexity of its work. Some of these proposals were rejected without reasons being provided. There are no formal mechanisms available to ICAC to question or challenge these decisions. The process available to ICAC to request additional funding outside the annual budget creates further risks to its independence.

ICAC’s management practices

ICAC’s staff use structured processes for prioritising work against its legislative mandate and it has conducted recent reviews to assess its operational efficiency. ICAC's internal budgeting processes are adequate but could be improved with better documentation of the reasons for its budget decisions.

Conclusion

Financial arrangements for NSWEC

NSWEC conducts elections and is responsible for maintaining the integrity of the electoral system in New South Wales. NSWEC’s legislation states that it should conduct elections and investigate potential breaches of electoral law independently and be accountable to Parliament. Decisions about the annual appropriation for NSWEC are made by the Cabinet. It is possible that NSWEC’s investigations of electoral integrity could include members of Cabinet or the political party that holds government. There is a risk that decisions about its funding could be influenced by the conduct of these investigations. If realised, this would be a threat to NSWEC’s independence and ability to fulfil its legislative mandate. NSWEC has not received the full funding amount it has requested in recent years. There is inadequate transparency about how funding decisions were made and there are no formal mechanisms to question or challenge these decisions.

The conduct of elections is a key element of a democratic system and under-funding this function could have serious implications. NSWEC’s requests for additional appropriation funding are assessed alongside the priorities of the government of the day. Its role transcends these immediate priorities and there is a risk that its funding requirements may not be prioritised.

NSWEC’s management practices

NSWEC’s internal budgeting processes and efficiency programs are clear and well documented. NSWEC has identified options to improve its operational and corporate efficiency but has not implemented all of these.

Conclusion

Financial arrangements for NSWO

NSWO oversees government agencies and some government-funded private sector bodies that provide services to the community or exercise administrative functions. NSWO’s legislation makes it clear that it should operate independently of the agencies it oversees and be accountable to Parliament.

NSWO’s investigations do not include members of Cabinet, except in relation to Public Interest Disclosures made about a minister, so the risk that decisions about its budget could be affected by its investigations is relatively lower. However, NSWO's investigations can comment on and make recommendations about government policies, which may have been endorsed by Cabinet or an individual minister, and its investigations cover systemic issues for which ministers and the heads of government departments are responsible. NSWO faces a further challenge in its ability to make compelling budget proposals under the current financial arrangements. Its funding requests are assessed alongside the government’s priorities, but its work is unlikely to align directly with these priorities.

NSWO’s management practices

NSWO has assessed its operational and corporate efficiency recently and has implemented major changes to its operating model in response to this. Its internal budgeting process is adequate but could be improved by being documented more thoroughly.

Conclusion

Financial arrangements for LECC

LECC's main functions are to investigate allegations of misconduct by law enforcement and oversee police handing of complaints. LECC’s legislation states it should operate independently of the agencies it oversees and be accountable to Parliament. LECC’s jurisdiction does not include members of Cabinet, NSW Treasury or DPC. However, LECC’s investigations have the potential to have a negative impact on a Minister for Police, who is a member of Cabinet, and the government of the day. There is a risk that decision makers for LECC’s funding could be influenced by these considerations. While LECC has not sought increases to its appropriation funding in recent years, there are no formal mechanisms to question or challenge these decisions if it did have concerns about its funding in the future.

Unlike the other integrity agencies in this audit, LECC is not classified as a separate GSF agency under the Government Sector Finance Act 2018. This difference means that LECC has less independence from the Executive Government, because LECC would have to comply with a Treasurer’s Direction even if it believes it is not consistent with the independent exercise of its functions.

LECC's management practices

LECC's internal budgeting processes are clear and documented and it has identified and implemented operational and corporate efficiency savings in several areas. LECC published a new strategic plan in July 2020. Over the first three years of its operations since 2017, LECC had not conducted effective strategic planning which made it difficult for LECC to demonstrate that it had a cohesive approach to its operations across the agency during this time.

Conclusion

Aspects of the financial management mechanisms used by NSW Treasury and DPC to administer funding for the integrity agencies create tensions with their independent status.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures which results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC take the view that the Appropriation Act provides funding for the integrity agencies to a Premier and does not state that a Premier must provide the full amount of funding to the agencies. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative approach to interpreting the Appropriation Act would consider the contextual factors specific to the integrity agencies. These factors include: the integrity agencies are independent of ministerial control, the integrity agencies are accountable to Parliament for performing specific legislated functions, and the integrity agencies may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is accepted, then the reduction of the integrity agencies’ access to appropriation funding could diminish the independent status of the integrity agencies.

DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. Separately, DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019. The appropriations for DPC and ICAC were made under different parts of the Act. Appropriation funding can only be paid out for the purpose specified in each part of the Act. It is not clear whether it is permissible to transfer funding between agencies that receive appropriations from different Parts of the Act.

The integrity agencies have recently been asked to report activity and outcome measures to DPC, as the principal department for the cluster that they have been placed in, under the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier. DPC has advised that it considers the risks to the independence of the integrity agencies described above to be more theoretical than real.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Opinion from the Crown Solicitor’s Office

Copyright notice

24 July 2020

Published

Their Futures Matter

Justice

Community Services

Education

Health

Whole of Government

Cross-agency collaboration

Internal controls and governance

Management and administration

Project management

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Communities and Justice had effective governance and partnership arrangements in place to deliver ‘Their Futures Matter’.

Their Futures Matter was intended to place vulnerable children and families at the heart of services, and direct investment to where funding and programs deliver the greatest social and economic benefits. It was a four-year whole-of-government reform in response to the 2015 Tune Review of out-of-home care.

The Auditor-General found that while important foundations were put in place, and new programs trialled, the key objective to establish an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW was not achieved.

Governance and cross-agency partnership arrangements to deliver Their Futures Matter were found to be ineffective. 'Their Futures Matter lacked mechanisms to secure cross portfolio buy‑in and did not have authority to drive reprioritisation of government investment', the Auditor-General said.

At the reform’s close, the majority of around $380 million in investment funding remains tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives. The reform concluded on 30 June 2020 without a strategy or plan in place to achieve its intent.

The Auditor-General made four recommendations to the Department of Communities and Justice, aimed at improving implementation of outstanding objectives, revising governance arrangements, and utilising the new human services data set to address the intent of the reform. However, these recommendations respond only in part to the findings of the audit.

According to the Auditor-General, ‘Cross-portfolio leadership and action is required to ensure a whole-of-government response to delivering the objectives of Their Futures Matter to improve outcomes for vulnerable children, young people and their families in New South Wales.’

Read full report (PDF)

In 2016, the NSW Government launched 'Their Futures Matter' (TFM) - a whole-of-government reform aimed at delivering improved outcomes for vulnerable children, young people and their families. TFM was the government's key response to the 2015 Independent Review of Out of Home Care in New South Wales (known as 'the Tune Review').

The Tune Review found that, despite previous child protection reforms, the out of home care system was ineffective and unsustainable. It highlighted that the system was not client-centred and was failing to improve the long-term outcomes for vulnerable children and families. The review found that the greatest proportion of relevant expenditure was made in out of home care service delivery rather than in evidence-based early intervention strategies to support children and families when vulnerabilities first become evident to government services (such as missed school days or presentations to health services).

The then Department of Family and Community Services (FACS) designed the TFM reform initiatives, in consultation with central and human services agencies. A cross-agency board, senior officers group, and a new unit in the FACS cluster were established to drive the implementation of TFM. In the 2016–17 Budget, the government allocated $190 million over four years (2016–17 to 2019–20) to the reform. This resourced the design and commissioning of evidence-based pilots, data analytics work, staffing for the implementation unit and secretariat support for the board and cross-agency collaboration.

As part of the TFM reform, the Department of Premier and Cabinet, NSW Treasury and partnering agencies (NSW Health, Department of Education and Department of Justice) identified various existing programs that targeted vulnerable children and families (such as the preceding whole-of-government ‘Keep Them Safe’ reform coming to an end in June 2020). Funding for these programs, totalling $381 million in 2019–20, was combined to form a nominal ‘investment pool’. The government intended that the TFM Implementation Board would use this pool to direct and prioritise resource allocation to evidence-based interventions for vulnerable children and families in NSW.

This audit assessed whether TFM had effective governance and partnership arrangements in place to enable an evidence-based early intervention investment approach for vulnerable children and families in NSW. We addressed the audit objective with the following audit questions:

Was the TFM reform driven by effective governance arrangements?
Was the TFM reform supported by effective cross-agency collaboration?
Has the TFM reform generated an evidence base to inform a cross-agency investment approach in the future?

The audit did not seek to assess the outcomes for children, young people and families achieved by TFM programs and projects.

Conclusion

The governance and cross-agency partnership arrangements used to deliver the Their Futures Matter reform were ineffective. Important foundations were put in place, and new programs trialled over the reform's four years. However, an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW − the key objective of the reform − was not established. The reform concluded in June 2020 without a strategy or plan in place to achieve its intent.

The governance arrangements established for the Their Futures Matter (TFM) reform did not provide sufficient independence, authority and cross-agency clout to deliver on the reform’s intent. This hindered delivery of the reform's key elements, particularly the redirection of funding to evidence-based earlier intervention supports, and limited the impact that TFM could have on driving system change.

TFM increased focus on the contribution that other agencies outside of the former Family and Community Services portfolio could make in responding to the needs of vulnerable children and families, and in reducing the demand costs of related government service delivery. Despite being a whole-of-government reform, TFM lacked mechanisms to secure cross-portfolio buy-in and lacked the powers to drive reprioritisation of government investment in evidence-based and earlier intervention supports across agencies. At the reform’s close, the majority of the reform's investment pool funding remained tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives.

TFM began building an evidence base about ‘what works’, including piloting programs and creating a new dataset to identify risk factors for vulnerability and future costs to government. However, this evidence base does not yet comprehensively map how existing services meet needs, identify system duplications or gaps, nor demonstrate which government funded supports and interventions are most effective to make a difference to life outcomes for vulnerable children and families in NSW.
Despite these issues, the need, intent and vision for Their Futures Matter remains relevant and urgent, as issues identified in the Tune Review remain pertinent.

Their Futures Matter (TFM) is a whole-of-government reform to deliver improved outcomes for vulnerable children, young people and their families.

Supported by a cross-agency TFM Board, and the TFM Unit in the then Department of Family and Community Services (FACS), the reform aimed to develop whole-of-government evidence-based early intervention investment approaches for vulnerable children and families in NSW.

Governance refers to the structures, systems and practices that an organisation has in place to:

assign decision-making authorities and establish the organisation's strategic direction
oversee the delivery of its services, the implementation of its policies, and the monitoring and mitigation of its key risks
report on its performance in achieving intended results, and drive ongoing improvements.

We examined whether the TFM reform was driven by effective governance arrangements and cross-agency collaboration.

The reform agenda and timeframe set down for Their Futures Matter (TFM) were ambitious. This chapter assesses whether the TFM Board and TFM Unit had the capability, capacity and clout within government to deliver the reform agenda.

Creating a robust evidence base was important for Their Futures Matter, in order to:

identify effective intervention strategies to improve supports and outcomes for vulnerable children and families
make efficient use of taxpayer money to assist the maximum number of vulnerable children and families
inform the investment-based approach for future funding allocation.

This chapter assesses whether the TFM reform has developed an evidence base to inform cross-agency investment decisions.

Appendix one – Response from agency

Appendix two – TFM governance entities

Appendix three – TFM Human Services Data Set

Appendix four – TFM pilot programs

Appendix five – About the audit

Appendix six – Performance auditing

Copyright notice

Parliamentary reference - Report number #337 - released 24 July 2020

9 April 2020

Published

Destination NSW's support for major events

Treasury

Financial reporting

Management and administration

Procurement

Project management

Service delivery

This report focuses on whether Destination NSW (DNSW) can demonstrate that its support for major events achieves value for money.

The audit found that DNSW’s processes for assessing and evaluating the major events it funds are mostly effective, but its public reporting does not provide enough transparency.

DNSW provides clear information to event organisers seeking funding and has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money. However, DNSW’s internal reporting to its key decision‑makers, including the CEO, the Board and the Minister is appropriate.

The Auditor-General made four recommendations to DNSW, aimed at improving the transparency of its activities, improving the documentation of decisions and certain compliance matters, and streamlining its approach to assessing and evaluating events that receive smaller amounts of funding.

Read full report (PDF)

Destination NSW (DNSW) provides funding to attract a range of major events to New South Wales, including high-profile professional sports matches and tournaments, musicals, art and museum exhibitions, and participation-focused events such as festivals and sports events that members of the public can enter. The NSW Government's rationale for providing funding is to encourage event organisers to hold events in New South Wales, and to ensure that events held in New South Wales maximise the potential for attracting overseas and interstate visitors.

This audit assessed whether DNSW can demonstrate that its support for major events achieves value for money. In making this assessment, the audit examined whether:

DNSW effectively assesses proposals to support major events
DNSW effectively evaluates the impact of its support for major events.

This audit focused on DNSW's work to attract major events to New South Wales. It did not assess DNSW's tourism promotion or development work, which includes developing tourism strategies, marketing and advertising campaigns, national and international partnerships, and regional programs.

Conclusion

Destination NSW's processes for assessing event applications and evaluating its support for major events are mostly effective. DNSW's internal systems allow it to know whether its decisions are achieving value for money. Its public reporting does not provide enough information about its activities and their outcomes, although it is consistent with that of equivalent organisations in other Australian jurisdictions.

DNSW's process for assessing applications for funding from organisers of major events is mostly effective. Clear information is provided to event organisers seeking funding, and DNSW has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW has a framework for disclosure and monitoring staff conflicts of interest. However, its forms for staff to disclose conflicts of interest on specific events they are working on are ambiguous. DNSW's management of gifts and benefits broadly complies with the minimum standards set by the Public Service Commission, but there are some gaps in its implementation of these.

DNSW conducts an evaluation of each major event it supports. DNSW articulates expected outcomes in contracts with event organisers and uses a sound methodology to evaluate events. Internal reporting to its key decision-makers, including the CEO, the Board and the Minister is appropriate. However, DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money.

Appendix one – Response from Destination NSW

Appendix two – About the audit

Appendix three – Performance auditing

Copyright Notice

Parliamentary reference - Report number #332 - released 9 April 2020.

29 November 2018

Published

Central Agencies 2018

Treasury

Premier and Cabinet

Finance

Financial reporting

Internal controls and governance

Management and administration

Risk

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters. While clear audit opinions were issued on all agency financial statements, the report notes that some complex accounting requirements caused significant errors in agency financial statements submitted for audit, which were corrected before the financial statements were approved.

This report analyses the results of our audits of the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster agencies for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
liquidity risk management
government financial services.

The central agencies and their key responsibilities are set out below.

Central agencies	Key central agency responsibilities	Cluster responsibilities
The Treasury	Financial and economic advisor to NSW Government Manages the NSW Government’s financial resources.	The cluster: provides investment and debt management services though TCorp manages residual business arising from privatisation of government businesses provides insurance and compensation cover, including workers compensation insurance includes NSW Government superannuation funds.
Department of Premier and Cabinet	Drives NSW Government’s objectives and sets targets Works with clusters to coordinate policy and achieve NSW Government priorities.	The cluster: includes integrity agencies, such as the Independent Commission Against Corruption, Audit Office of NSW and Ombudsman’s Office other agencies, such as Barangaroo Delivery Authority and Infrastructure NSW.
Department of Finance, Services and Innovation	Supports agency service delivery in relation to the key enabling functions of NSW Government, including procurement, property and asset management, ICT and digital innovation.	The cluster: is responsible for state revenue and rental bond administration regulates statutory insurance schemes, workplace safety and consumer protection provides access to a range of NSW Government services via Service NSW manages the NSW Government communications network.
Public Service Commission	Works to promote and maintain a strong ethical culture across the government sector and improve the capabilities, performance and configuration of the sector’s workforce to deliver better services to the public.	The Public Service Commission is an independent agency within the Premier and Cabinet cluster.

Note: The Audit Office of NSW is an independent agency included in the Premier and Cabinet cluster for administrative purposes, but not commented on in this report.

A full list of agencies that this report covers by relevant cluster is included in Appendix three.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation clusters for 2018.

Observation	Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified opinions were issued for all agencies' financial statements submitted to the Audit Office. Complex accounting requirements caused significant errors in some agency financial statements, which were corrected before the financial statements were approved.	Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. Recommendation: Agencies should respond to key accounting issues when they are identified by preparing accounting papers and engaging with Treasury, the Audit Office and their Audit and Risk Committee when these matters are identified.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframe for completion of early close procedures, 48 agencies in the Treasury cluster did not comply with the statutory requirement to prepare financial statements, and the audits of nine agencies in the Treasury cluster were not completed within the statutory timeframe. All financial statement information of the 48 agencies that did not prepare financial statements has been captured in the consolidated financial statements of their parent entity, which was subject to audit.	Early close procedures allow financial reporting issues and risks to be addressed early in the audit process. The timeliness of financial reporting can be improved by performing more robust early close procedures.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

our financial statement audits of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster for 2018
the areas of focus identified in the Audit Office work program.

The Audit Office work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation	Conclusions and recommendations
3.1 Internal controls
The 2017–18 audits found one high risk issue and 83 moderate risk issues across the agencies. Nineteen per cent of all issues were repeat issues.	Agencies should focus on rectifying repeat issues.
The high risk issue at Service NSW related to several deficiencies in procurement and contract management processes.	Service NSW may not be achieving value-for-money from their procurement and contract management activities. The high risk issue should be rectified as a matter of priority. This includes updating and implementing its procurement, vendor and contract management frameworks and delivering training to key staff involved in procurement and contract management activities.
Property NSW has implemented several controls during the year to rectify the high risk issue identified last year related to its transition to a new property and facility management service provider. However, the service providers performance remains below expectations and there are further opportunities to improve oversight and lift performance.	Property NSW can better define roles and accountabilities with the service provider and formalise policies and processes associated with its monitoring and oversight of the service provider. Implementing relevant KPIs, receiving timely reports and providing timely review and feedback to the service provider may help to lift performance.
GovConnect received unqualified opinions from their service auditor on all business process controls, except for information technology controls provided by Unisys, where a qualified opinion was received from the service auditor. A qualified opinion was received because of several deficiencies in user access controls.	These internal control deficiencies increase the risk of unauthorised access to key business systems, and increase audit effort and costs associated with addressing the risks arising from the deficiencies.
3.2 Audit Office annual work program
Remediation of the Barangaroo site is now estimated to cost the Barangaroo Delivery Authority in excess of net $400 million. The increase in the estimate over the last five years is mainly due to the extent of remediation required, as more evidence of contamination has become known.	Measuring the remaining costs to remediate requires the use of estimation techniques and judgements, making the actual outcome inherently uncertain. We reviewed evidence to support the provision for remediation, including future costs estimates and this evidence supported management’s estimate.
The State Insurance Regulatory Authority have administered the refund of $138 million in Green slip refunds to policy holders through Service NSW during 2017–18. At 30 June 2018, $112 million in refunds are yet to be claimed. We reviewed the systems and processes supporting the refund process. While we found that this supports the disbursement of refunds to policyholders there were some deficiencies in Service NSW’s project controls when the program was being developed.	Service NSW should apply the lessons learnt from this program to other programs it is delivering or will be delivering for agencies.
Revenue NSW recorded $30.4 billion from taxes, fines and fees in 2017–18 ($30.0 billion in 2016–17) to support the State’s finances.	Crown revenue has steadily increased over the last five years predominately driven by rises in payroll tax and land tax and responsibility for collection of the Emergency Services Levy transferring to Revenue NSW under the Emergency Services Levy Act 2017 effective from July 2017.
3.3 Managing maintenance
Place Management NSW manages significant commercial and retail leases and maintains public domain spaces and other assets around the harbour foreshore. It has consistently underspent its asset maintenance budget. In 2017–18, asset maintenance expenses were only 34 per cent of budgeted maintenance expense. Currently, Place Management NSW does not use any ratios or benchmarks to determine the adequacy of its maintenance spend or to monitor whether it is achieving its budgeted maintenance program.	This may be contributing to a high proportion of unplanned maintenance, which Place Management NSW reports was 38 per cent of total maintenance expense in 2017–18. Place Management NSW is outsourcing its property and facilities management function from 1 December 2018 to an external service provider.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation	Conclusions and recommendation
5.1 Superannuation funds
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). However, legislation allows the responsible Minister to prescribe prudential standards, reporting and audit requirements.	Structured and comprehensive prudential oversight of these Funds is important as they operate in a volatile financial sector, have 103,000 members and manage investments of $43.3 billion. Recommendation: Treasury should consult with the Trustees of the STC Pooled Fund and PCS Fund to prescribe appropriate prudential standards and requirements, including oversight arrangements.
5.2 Insurance and compensation
Nominal Insurer and NSW Self Insurance Corporation investment performance marginally exceeded benchmark over the past five years.	Investment returns can impact on the premiums required to maintain an adequate funding ratio in addition to other factors such as claims experience and discount rates.
The Workers Compensation Nominal Insurer (Nominal Insurer) and NSW Self Insurance Corporation's net collected premiums and contributions decreased over the past five years.	The insurance schemes' investment performance and stable claim payments have enabled less reliance on net collected premiums and contributions as a source of funding, over the past five years.
Reforms were introduced to manage the Home Warranty Scheme's financial sustainability risks.	The Home Warranty Scheme has not collected sufficient premiums to fund expected claims costs, since commencing operations in 2011. In 2017–18, the Crown contributed $181 million for historical shortfalls. New reforms started on 1 January 2018 enabling the Scheme to price premiums based on risk.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Appendix four - Timeliness of financial reporting and audit reporting

Appendix five - Management letter findings by risk rating

Appendix six – Financial data

30 October 2018

Published

Internal Controls and Governance 2018

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Environment

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

Internal control trends
Information technology (IT), including IT vendor management
Transparency and performance reporting
Management of purchasing cards and taxis
Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Observation	Conclusions and recommendations
2.1 High risk findings
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16.	Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority.
2.2 Common findings
We found several internal controls and governance findings common to multiple agencies.	Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective.
2.3 New and repeat findings
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies.	The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies.
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases	Recommendation: Agencies should reduce IT risks by: assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

Observation	Conclusions and recommendations
3.1 Management of IT vendors
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review.	Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by: internal audit focusing on key contracting activities experienced officers who are independent of contract administration performing spot checks or peer reviews targeted analysis of data in contract registers.
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract.	Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination.
Performance management Eighty-six per cent of agencies meet with vendors to discuss performance. Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.	Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by: a more active, rigorous approach to both risk and performance management checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy invoking performance based payments clauses in contracts when performance falls below agreed standards.
Transitioning services Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions. Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.	Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'.
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete.	Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by: monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner managing their contractual commitments, budgeting and cash flow requirements. Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.
3.2 IT general controls
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review.	Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments.
User access administration Seventy-two deficiencies were identified related to user access administration, including: thirty issues related to granting user access across 43 per cent of agencies sixteen issues related to removing user access across 30 per cent of agencies twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.	Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems.
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities.	Recommendation: Agencies should: review the number of, and access granted to privileged users, and assess and document the risks associated with their activities monitor user access to address risks from unauthorised activity.
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters.	Recommendation: Agencies should ensure IT password settings comply with their password policies.
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment.	Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed.

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

Observation

Conclusion or recommendation

4.1 Reporting on performance

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

policies and guidance support the consistent and accurate collection of data
internal review processes and management oversight are effective
independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.

4.2 Reporting on reports

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

on both works in progress and projects completed during the year
actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
explanations for significant cost overruns, delays and key project performance metrics.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Observation	Conclusion or recommendation
5.1 Management of purchasing cards
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement.	Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards.
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy.	Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'.
Preventative controls We found that: all agencies maintained purchasing card registers seventy-six per cent provided training to cardholders prior to being issued with a card eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities thirty-two per cent of agencies place merchant blocks on purchasing cards forty-seven per cent of agencies place geographic restrictions on purchasing cards.	Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as: updating purchasing card registers to contain all mandatory fields required by TPP17–09 appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function strengthening preventive controls to prevent misuse.
Detective controls Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity. Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.	Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to: detect misuse and investigate exceptions analyse trends to highlight cost saving opportunities.
5.2 Management of taxis
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition: a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.	Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies: limit the circumstances where taxi use is appropriate offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews.	Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program.

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

unreported frauds in organisations can be almost three times the number of reported frauds
our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Observation	Conclusion or recommendation
6.1 Prevention systems
Prevention systems Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas. Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.	Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by: completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’ developing and maintaining up to date IT security policies and monitoring compliance with the policy.
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be.	Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified.
6.2 Detection systems
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program.	Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.
6.3 Notification systems
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption.	Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

4 September 2018

Published

Procurement and reporting of consultancy services

Finance

Education

Community Services

Industry

Justice

Planning

Premier and Cabinet

Health

Treasury

Transport

Environment

Information technology

NSW Government agencies engage consultants to provide professional advice to inform their decision‑making. The spend on consultants is measured and reported in different ways for different purposes and the absence of a consistently applied definition makes quantification difficult.

The NSW Government’s procurement principles aim to help agencies obtain value for money and be fair, ethical and transparent in their procurement activities. All NSW Government agencies, with the exception of State Owned Corporations, must comply with the NSW Procurement Board’s Direction when engaging suppliers of business advisory services. Business advisory services include consultancy services. NSW Government agencies must disclose certain information about their use of consultants in their annual reports. The table below illustrates the detailed procurement and reporting requirements.

	Relevant guidance	Requirements
Procurement of consultancy services	PBD 2015 04 Engagement of major suppliers of consultancy and other services (the Direction) including the Standard Commercial Framework (revised on 31 January 2018, shortly before it was superseded by 'PBD 2018 01')	Required agencies to seek the Agency Head or Chief Financial Officer's approval for engagements over $50,000 and report the engagements in the Major Suppliers' Portal (the Portal).
	PBD 2018 01 Engagement of professional services suppliers (replaced 'PBD 2015 04' in May 2018)	Requires agencies to seek the Agency Head or Chief Financial Officer's approval for engagements that depart from the Standard Commercial Framework and report the engagements in the Portal. Exhibit 3 in the report includes the key requirements of these three Directions.
Reporting of consultancy expenditure	Annual Reports (Departments) Regulation 2015 and Annual Reports (Statutory Bodies) Regulation 2015	Requires agencies to disclose, in their annual reports, details of consultants engaged in a reporting year.
	Premier's Memorandum 'M2002 07 Engagement and Use of Consultants'	Outlines additional reporting requirements for agencies to describe the nature and purpose of consultancies in their annual reports.

We examined how 12 agencies complied with their procurement and reporting obligations for consultancy services between 1 July 2016 and 31 March 2018. Participating agencies are listed in Appendix two. We also examined how NSW Procurement supports the functions of the NSW Procurement Board within the Department of Finance, Services and Innovation.

This audit assessed:

agency compliance with relevant procurement requirements for their use of consultants
agency compliance with disclosure requirements about consultancy expenditure in their annual reports
the effectiveness of the NSW Procurement Board (the Board) in fulfilling its functions to oversee and support agency procurement of consultancy services.

Conclusion

No participating agency materially complied with procurement requirements when engaging consultancy services. Eight participating agencies under reported consultant fees in their annual reports. The NSW Procurement Board is not fully effective in overseeing and supporting agencies' procurement of consultancy services.

All 12 agencies that we examined did not materially comply with the NSW Procurement Board Direction for the use of consultants between 1 July 2016 and 31 March 2018.

Eight agencies did not comply with annual reporting requirements in the 2016–17 financial reporting year. Three agencies did not report expenditure on consultants that had been capitalised as part of asset costs, and one agency did not disclose consultancy fees incurred by its subsidiaries. Agencies also defined ‘consultants’ inconsistently.

The NSW Procurement Board's Direction was revised in January 2018, and mandates the use of the Standard Commercial Framework. The Direction aims to drive value for money, reduce administrative costs and simplify the procurement process. In practice, agencies found the Framework challenging to use. To better achieve the Direction’s intent, the Board needs to simplify procurement and compliance processes.

The Board is yet to publish any statistics or analysis of agencies’ procurement of business advisory services due to issues with the quality of data and systems limitations. Also, the Board’s oversight of agency and supplier compliance with the Framework is limited as it relies on self reporting, and the information provided is insufficient to properly monitor compliance. NSW Procurement is yet to develop an effective procurement and business intelligence system for use by government agencies. Better procurement support, benefit realisation monitoring and reporting by NSW Procurement will help promote value for money in the engagement of consultants.

Appendix one - Response from agencies

Appendix two - List of selected agencies

Appendix three - Performance auditing

7 June 2018

Published

HealthRoster benefits realisation

Health

Compliance

Information technology

Management and administration

Project management

Workforce and capability

The HealthRoster system is delivering some business benefits but Local Health Districts are yet to use all of its features, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. HealthRoster is an IT system designed to more effectively roster staff to meet the needs of Local Health Districts and other NSW health agencies.

The NSW public health system employs over 100,000 people in clinical and non-clinical roles across the state. With increasing demand for services, it is vital that NSW Health effectively rosters staff to ensure high quality and efficient patient care, while maintaining good workplace practices to support staff in demanding roles.

NSW Health is implementing HealthRoster as its single state-wide rostering system to more effectively roster staff according to the demands of each location. Between 2013–14 and 2016–17, our financial audits of individual LHDs had reported issues with rostering and payroll processes and systems.

NSW Health grouped all Local Health Districts (LHDs), and other NSW Health organisations, into four clusters to manage the implementation of HealthRoster over four years. Refer to Exhibit 4 for a list of the NSW Health entities in each cluster.

Cluster 1 implementation commenced in 2014–15 and was completed in 2015–16.
Cluster 2 implementation commenced in 2015–16 and was completed in 2016–17.
Cluster 3 began implementation in 2016–17 and was underway during the conduct of the audit.
Cluster 4 began planning for implementation in 2017–18.

Full implementation, including capability for centralised data and reporting, is planned for completion in 2019.

This audit assessed the effectiveness of the HealthRoster system in delivering business benefits. In making this assessment, we examined whether:

expected business benefits of HealthRoster were well-defined
HealthRoster is achieving business benefits where implemented.

The HealthRoster project has a timespan from 2009 to 2019. We examined the HealthRoster implementation in LHDs, and other NSW Health organisations, focusing on the period from 2014, when eHealth assumed responsibility for project implementation, to early 2018.

Conclusion

The HealthRoster system is realising functional business benefits in the LHDs where it has been implemented. In these LHDs, financial control of payroll expenditure and rostering compliance with employment award conditions has improved. However, these LHDs are not measuring the value of broader benefits such as better management of staff leave and overtime.

NSW Health has addressed the lessons learned from earlier implementations to improve later implementations. Business benefits identified in the business case were well defined and are consistent with business needs identified by NSW Health. Three of four cluster 1 LHDs have been able to reduce the number of issues with rostering and payroll processes. LHDs in earlier implementations need to use HealthRoster more effectively to ensure they are getting all available benefits from it.

HealthRoster is taking six years longer, and costing $37.2 million more, to fully implement than originally planned. NSW Health attributes the increased cost and extended timeframe to the large scale and complexity of the full implementation of HealthRoster.

Business benefits identified for HealthRoster accurately reflect business needs.

NSW Health has a good understanding of the issues in previous rostering systems and has designed HealthRoster to adequately address these issues. Interviews with frontline staff indicate that HealthRoster facilitates rostering which complies with industrial awards. This is a key business benefit that supports the provision of quality patient care. We saw no evidence that any major business needs or issues with the previous rostering systems are not being addressed by HealthRoster.

In the period examined in this audit since 2015, NSW Health has applied appropriate project management and governance structures to ensure that risks and issues are well managed during HealthRoster implementation.

HealthRoster has had two changes to its budget and timeline. Overall, the capital cost for the project has increased from $88.6 million to $125.6 million (42 per cent) and has delayed expected project completion by four years from 2015 to 2019. NSW Health attributes the increased cost and extended time frame to the large scale and complexity of the full implementation of HealthRoster.

NSW Health has established appropriate governance arrangements to ensure that HealthRoster is successfully implemented and that it will achieve business benefits in the long term. During implementation, local steering committees monitor risks and resolve implementation issues. Risks or issues that cannot be resolved locally are escalated to the state-wide steering committee.

NSW Health has grouped local health districts, and other NSW Health organisations, into four clusters for implementation. This has enabled NSW Health to apply lessons learnt from each implementation to improve future implementations.

NSW Health has a benefits realisation framework, but it is not fully applied to HealthRoster.

NSW Health can demonstrate that HealthRoster has delivered some functional business benefits, including rosters that comply with a wide variety of employment awards.

NSW Health is not yet measuring and tracking the value of business benefits achieved. NSW Health did not have benefits realisation plans with baseline measures defined for LHDs in cluster 1 and 2 before implementation. Without baseline measures NSW Health is unable to quantify business benefits achieved. However, analysis of post-implementation reviews and interviews with frontline staff indicate that benefits are being achieved. As a result, NSW Health now includes defining baseline measures and setting targets as part of LHD implementation planning. It has created a benefits realisation toolkit to assist this process from cluster 3 implementations onwards.

NSW Health conducted post-implementation reviews for clusters 1 and 2 and found that LHDs in these clusters were not using HealthRoster to realise all the benefits that HealthRoster could deliver.

By September 2018, NSW Health should:

Ensure that Local Health Districts undertake benefits realisation planning according to the NSW Health benefits realisation framework
Regularly measure benefits realised, at state and local health district levels, from the statewide implementation of HealthRoster
Review the use of HealthRoster in Local Health Districts in clusters 1 and 2 and assist them to improve their HealthRoster related processes and practices.

By June 2019, NSW Health should:

Ensure that all Local Health Districts are effectively using demand based rostering.

Appendix one - Response from agency

Appendix two - About the audit

Appendix three - Performance auditing

Parliamentary reference - Report number #301 - released 7 June 2018

Audit progress

Sector

Year

Report type

Topic

Reports

1. Financial reporting

2. Audit observations

Section highlights

Section highlights

Conclusion

NSW Health’s management of health and safety risks in NSW hospitals

NSW Health’s management of health and safety risks associated with COVID-19

1. Audit recommendations

Local Health Districts were effective in leading health and safety infection control activity

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

Conclusion

Conclusion

Conclusion

Conclusion

Conclusion

Conclusion

Conclusion

This report offers insights into internal controls and governance in the NSW public sector

The focus of the report has changed since last year

Agencies selected for the volume account for 95 per cent of the state's expenditure