The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline.

Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.

We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods.

We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records.

Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.

Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007.

Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

One in five internal control issues identified and reported to management in 2018–19 were repeat issues.

The lack of user access review was the most common IT general control issue in the cluster.

The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place.

Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.

Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19.

Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

The NSW Government announced its intention to integrate Roads and Maritime Services (RMS) into Transport for NSW (TfNSW) as part of the Machinery of Government changes.

This change was not included in the Administrative Orders as the Transport Administration Act 1988 No. 109 governs the composition of the Transport cluster. The Transport Administration Amendment (RMS Dissolution) Act 2019 (the Act) received assent on 22 November 2019. The Act dissolves RMS and transfers the assets, rights and liabilities of RMS to TfNSW. As at the date of this Report, the Act is not yet in force.

Transport is considering the impact of the changes on its operating model and financial reporting.

Unqualified audit opinions were issued on the 2018–19 financial statements of all agencies in the Transport cluster.

TfNSW and Sydney Metro obtained a three-week extension from NSW Treasury to submit their financial statements for audit to resolve accounting issues surrounding the valuation of property, plant and equipment.

The Department of Transport reported total consolidated property, plant and equipment of $158 billion at 30 June 2019. In 2018–19, there were issues with asset valuations at TfNSW, RMS, Sydney Metro and Rail Corporation New South Wales (RailCorp), resulting in adjustments after the submission of financial statements for audit and the correction of a prior period error.

There was also a prior period error resulting from an agreement between TfNSW and the former UrbanGrowth Development Corporation due to a lack of assessment of the financial reporting implications at the time of signing the agreement.

Recommendation: Agency finance teams need to be consulted on major business decisions and commercial transactions to assess their accounting impacts at the time of their execution, rather than at the end of a financial year. Agencies also need to resolve all key accounting issues such as valuations as part of the early close procedures.

This would improve the quality of financial reporting and avoid the need for extensions for agencies to submit their financial statements for audit.

Whilst agencies complied with the requirements of the accounting standards and NSW Treasury policies on valuations, the Audit Office identified some deficiencies in relation to asset valuations across the cluster.

TfNSW reported a retrospective correction of a prior period error at 1 July 2017 which resulted in a reduction in the valuation of its Country Rail Network earthworks by $2.1 billion. This was due to survey results which identified the earthworks were flatter and lower than estimated in the valuation at 30 June 2017.

RMS made several adjustments during the year to correct asset values due to changes to valuation assumptions or data improvements. This included:

• reduction of $318 million in the value of land under roads
• decrease of $84.9 million to the value of land and buildings
• changes to the value of traffic control and traffic signal network assets, due to data improvements.

Sydney Metro North West officially opened in May 2019 and reported total assets of $9.1 billion. Sydney Metro derecognised $322 million in assets constructed to facilitate its operation but transferred to councils and utilities.

There was an inconsistency identified in the cluster relating to the valuation of substratum land. In 2018–19, RailCorp derecognised $109 million of substratum land to ensure consistency in its approach with other Transport agencies.

As the parent entity, the Department of Transport needs to ensure accounting policies are consistently applied across all controlled entities for consolidation purposes. Inconsistencies in the application of accounting standards across agencies will impact comparability of financial reporting and decision making across the Transport cluster.

Recommendation: The Department of Transport should ensure consistent accounting policies are applied across its controlled entities.

Public transport passenger revenue increased by $89.0 million (5.9 per cent) in 2018–19, and patronage increased by 37.8 million (4.9 per cent) across all modes of transport based on data provided by TfNSW.

The increase in revenue is mainly due to an increase in patronage as well as the annual increase in fares.

Negative balance Opal cards resulted in $2.9 million in revenue not collected in 2018–19 ($10.4 million since the introduction of Opal).

In January 2019, Transport made a change to the Sydney Airport stations to prevent customers with high negative balances exiting the station. In addition, in late 2018, Transport increased the minimum top up values for new cards at the airport stations.

Recommendation (repeat): TfNSW should implement further measures to prevent the loss of revenue from passengers tapping off with negative balance Opal cards.

Twenty-six per cent of Transport employees have annual leave balances exceeding 30 days. Of the employees with excess leave balances, 732 (10.3 per cent) did not take any annual leave in 2018–19.

Recommendation (repeat): Transport entities should further review the approach to managing excess annual leave in 2019–20. They should:

• monitor current and projected leave balances to the end of the financial year each month
• agree formal leave plans with employees to reduce leave balances over an acceptable timeframe
• ensure leave plans are actioned appropriately
• encourage all staff with excess leave balances take a minimum two-week period of leave per year.

There are no centralised processes to record all significant contracts and agreements in a register across the Transport cluster.

Across the Transport cluster, contracts and agreements are maintained by the individual agencies using disparate registers. Agencies must perform detailed assessments of their existing contracts and agreements to quantify the impact of the new accounting standards (AASB 16 ‘Leases’, AASB 15 ‘Revenue from Contracts with Customers’, AASB 1058 ‘Income of Not-for-Profit Entities’ and AASB 1059 'Service Concession Arrangements: Grantors').

In 2018–19, there was also a prior period error resulting from an agreement between TfNSW and another government agency due to a lack of assessment of the financial reporting implications at the time of signing the agreement.

A lack of a complete register of all contracts and agreements increases the risk that agencies may not be able to assess the full impact of the new accounting standards, as well as perform a complete assessment of the financial reporting implications of contracts and agreements.

Recommendation: Transport agencies should implement a process to centrally capture all significant contracts and agreements entered. This will ensure:

• agencies are fully aware of contractual and other obligations
• appropriate assessment of financial reporting implications
• assessment of new accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities ' and AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

• out of date policies or an absence of policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers
• policies, procedures or controls no longer suited to the current organisational structure or business activities.

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

• user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
• an absence of privileged user activity reviews at 35 per cent of agencies
• password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

• ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
• establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
• providing on-going training, awareness activities and support to employees, not just at induction
• publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

• the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
• the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

• preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
• involving agency human resources units in decisions about engaging contingent labour
• regularly reporting on contingent labour use and tenure to agency executive teams
• strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

• identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
• assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.