Refine search

Reports

27 February 2024

Published

Effectiveness of SafeWork NSW in exercising its compliance functions

Finance

Industry

Health

Compliance

Internal controls and governance

Management and administration

Procurement

Project management

Regulation

Risk

What this report is about

This report assesses how effectively SafeWork NSW, a part of the Department of Customer Service (DCS), has performed its regulatory compliance functions for work health and safety in New South Wales.

The report includes a case study examining SafeWork NSW's management of a project to develop a realtime monitoring device for airborne silica in workplaces.

Findings

There is limited transparency about SafeWork NSW's effectiveness as a regulator. The limited performance information that is available is either subsumed within DCS reporting (or other sources) and is focused on activity, not outcomes.

As a work health and safety (WHS) regulator, SafeWork NSW lacks an effective strategic and data-driven approach to respond to emerging WHS risks.

It was slow to respond to the risk of respirable crystalline silica in manufactured stone.

SafeWork NSW is constrained by an information management system that is over 20 years old and has passed its effective useful life.

While it has invested effort into ensuring consistent regulatory decisions, SafeWork NSW needs to maintain a focus on this objective, including by ensuring that there is a comprehensive approach to quality assurance.

SafeWork NSW's engagement of a commercial partner to develop a real-time silica monitoring device did not comply with key procurement obligations.

There was ineffective governance and process to address important concerns about the accuracy of the real-time silica monitoring device.

As such, SafeWork NSW did not adequately manage potential WHS risks.

Recommendations

The report recommended that DCS should:

ensure there is an independent investigation into the procurement of the research partner for the real-time silica detector
embed a formal process to review and set its annual regulatory priorities
publish a consolidated performance report
set long-term priorities, including for workforce planning and technology uplift
improve its use of data, and start work to replace its existing complaints handling system
review its risk culture and its risk management framework
review the quality assurance measures that support consistent regulatory decisions

Read the PDF report.

Parliamentary reference - Report number #390 - released 27 February 2024

29 November 2023

Published

Regional NSW 2023

Industry

Environment

Planning

Whole of Government

Asset valuation

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What this report is about

Results of the Regional NSW financial statements audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed audits in the Regional NSW portfolio agencies.

The number of monetary misstatements identified in our audits increased from 28 in 2021–22 to 30 in 2022–23.

What the key issues were

Effective 1 July 2023, staff employed in the Northern Rivers Reconstruction Corporation Division of the Department of Regional NSW transferred to the NSW Reconstruction Authority Staff Agency.

The Regional NSW portfolio agencies were migrated into a new government wide enterprise resourcing planning system.

The total number of audit management letter findings across the portfolio of agencies decreased from 36 to 23.

A high risk matter was raised for the NSW Food Authority to improve the internal controls in the information technology environment including monitoring and managing privilege user access.

What we recommended

Local Land Services should prioritise completing all mandatory early close procedures.

Portfolio agencies should:

ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
prioritise and address internal control deficiencies identified in audit management letters.

This report provides Parliament and other users of the Regional NSW portfolio of agencies financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of the portfolio agencies. Two audits are ongoing.
The total number of errors (including corrected and uncorrected) in the financial statements increased compared to the prior year.
Portfolio agencies met the statutory deadline for submitting their 2022–23 early close financial statements and other mandatory procedures.
Portfolio agencies continue to provide financial assistance to communities affected by natural disasters.
A change to the NSW paid parental leave scheme, effective October 2023, created a new legal obligation that needed to be recognised by impacted government agencies. Impact to the agencies' financial statements were not material.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW portfolio.

Section highlights

The 2022–23 audits identified one high risk and nine moderate risk issues across the portfolio. Of these, one was a moderate risk repeat issue.
The total number of findings decreased from 36 to 23 which mainly related to deficiencies in internal controls.
The high risk matter relates to the monitoring and managing of privilege user access at NSW Food Authority.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

22 June 2023

Published

Regulation of public native forestry

Environment

Industry

Compliance

Management and administration

Regulation

Risk

What this report is about

The Forestry Corporation of NSW (FCNSW) is a state-owned corporation that manages over two million hectares of public native forests and plantations supplying timber to sawmills across NSW.

The NSW Environment Protection Authority (EPA) is responsible for regulating the native forestry industry in NSW.

FCNSW must comply with Integrated Forestry Operations Approvals (IFOAs), which set out rules for how timber harvesting may occur.

Most harvesting is undertaken under the Coastal IFOA, which commenced in 2018.

This audit assessed how effectively Forestry Corporation of NSW manages its public native forestry activities to ensure compliance, and how effectively the Environment Protection Authority regulates these activities.

What we found

Forestry Corporation of NSW (FCNSW) clearly articulates its compliance obligations.

While FCNSW undertakes monitoring of its contractors, it does not do so consistently and does not target its monitoring activities on a risk basis.

FCNSW has largely fulfilled mandatory Coastal IFOA training requirements, but has not yet trained other staff who would also benefit from the training.

Contractor compliance appears to be improving, but there are gaps and inconsistencies in FCNSW's documentation of this.

FCNSW is not measuring its overall compliance to determine how it is tracking against its target.

The EPA undertakes proactive inspections of Coastal IFOA harvesting operations on a risk basis. However, it does not assess the risk at harvest sites covered by other IFOAs.

Most EPA compliance staff have received basic training, but few have received more advanced training required to effectively undertake forestry inspections.

Some EPA offices do not have the necessary equipment to undertake forestry inspections.

The EPA and FCNSW are not implementing all elements of a Memorandum of Understanding that aims to promote a cooperative relationship between the agencies.

What we recommended

The report made recommendations to FCNSW which aim to improve:

staff training
consistency of compliance reviews and data capture
targeting of compliance activities
measurement of performance.

The report made recommendations to the EPA which aim to improve:

risk-assessments
staff training
staff equipment.

The report also recommended that FCNSW and EPA should fully implement their Memorandum of Understanding.

The Forestry Corporation of NSW (FCNSW) is a state-owned corporation that supplies timber to sawmills in New South Wales, including timber harvested from public native forests. FCNSW is responsible for the management of around two million hectares of public native forests and plantations. Around half the area of native forests is permanently set aside for conservation.

Public native forestry is regulated through the Forestry Act 2012, Biodiversity Conservation Act 2016, Protection of the Environment Operations Act 1997 and associated regulations. Under the Forestry Act 2012, the objectives of FCNSW include, where its activities affect the environment, to conduct its operations in compliance with the principles of ecologically sustainable development contained in section 6(2) of the Protection of the Environment Administration Act 1991. This involves the integration of social, economic and environmental considerations in decision-making processes.

In undertaking its native forestry operations, FCNSW must comply with Integrated Forestry Operations Approvals (IFOA), issued jointly by the Minister for the Environment and the Minister for Agriculture, which set out rules to protect species and ecosystems where timber harvesting is occurring, and aim to ensure forests are managed in an ecologically sustainable way. FCNSW must also ensure that its contractors undertake forestry operations in line with IFOAs. The Coastal IFOA, developed in 2018, consolidated the four IFOAs for the Eden, Southern, Upper and Lower North East coastal regions of New South Wales into a single IFOA. The other three current IFOAs are Brigalow Nandewar, South Western Cypress and Riverina Redgum (the Western IFOAs).

The NSW Environment Protection Authority (EPA) is responsible for regulating native forestry in New South Wales. Under the Protection of the Environment Administration Act 1991, one of the objectives of the EPA is to protect, restore and enhance the quality of the environment in New South Wales, having regard to the need to maintain ecologically sustainable development. This includes monitoring FCNSW’s compliance with IFOA conditions, including by maintaining and enforcing a compliance program.

The Coastal IFOA also introduced a new structure and regulatory approach for IFOAs, establishing outcomes, conditions and protocols. The conditions set mandatory actions and controls intended to protect threatened plants, animals, habitats, soils and water. The protocols, referenced in the conditions, set out additional enforceable actions and controls intended to support the effective implementation of the conditions.

Public native forestry is the largest component of hardwood supply in New South Wales. The 2019–20 bushfires had a major impact on regional communities, and large areas of native forest. This heightened environmental risks and challenges in public native forestry. Five million hectares of New South Wales was impacted, including more than 890,000 hectares of native State Forests. This is over 40% of the coastal and tablelands native State Forests in New South Wales.

In addition to effective compliance activities, the success of the regulatory approach to public native forestry operations depends on how wood supply yields are modelled, and ensuring that harvested volumes do not exceed these yields. This is of particular importance in areas where forests have been severely damaged by fire. This audit did not consider sustainable yields. Recent reviews of this include an independent review of the FCNSW sustainable yield model and a Natural Resources Commission review in 2021.

Conclusion

Forestry Corporation of NSW (FCNSW) clearly articulates its compliance obligations at the corporate level and for each harvest site. However, there are deficiencies in FCNSW’s compliance approach. While FCNSW undertakes monitoring of its contractors in a number of ways, it does not consistently monitor compliance across its contractors and does not target its monitoring activities on a risk basis. This increases the risk that non-compliant practices will not be identified, potentially leading to environmental harm.

FCNSW has a compliance strategy and program that sets out its compliance obligations and how they will be managed. FCNSW’s Compliance Policy outlines compliance requirements, actions to ensure compliance, and responsibilities for staff, supervisors, senior management and board members. FCNSW also has a compliance monitoring system manual that outlines its monitoring program, and its risk-assessment and incident reporting procedures. These corporate documents set out FCNSW’s overall approach to managing compliance.

Harvesting in State Forests is undertaken by contractors or sub-contractors. FCNSW provides training to its staff and contractors and undertakes monitoring to identify contractor compliance with relevant requirements through a variety of means, including its quality assurance assessment (QAA) program. FCNSW also communicates compliance obligations to contractors in harvest plans.

FCNSW is not undertaking its monitoring activities on a risk basis. The frequency of contractor supervision is inconsistent and is not tied to the contractor’s past performance, meaning that monitoring resources are not necessarily being targeted at the areas of highest -risk.

FCNSW also does not target its QAAs on a risk basis. FCNSW does not have procedures for how QAAs should occur outside the North Coast region. QAAs are conducted inconsistently, with some reviews occurring in only part of the harvest site while others cover the whole harvest site. In addition, some QAAs do not meet FCNSW’s minimum standards. FCNSW’s record keeping of QAAs is also inconsistent, making it difficult to determine true levels of compliance and the cause of identified potential non-compliances.

In addition, FCNSW does not collate and analyse the results of its compliance monitoring to target its compliance audits. Undertaking these audits on a risk basis would allow FCNSW to apply its resources to the highest-risk harvest sites and contractors.

The EPA identifies native forestry as a high priority regulatory activity and undertakes proactive inspections of Coastal IFOA harvest sites on a risk basis. However, the EPA does not assess the risk at Western IFOA harvest sites, leaving a significant gap in its inspection regime. This means that the EPA may not be inspecting all high-risk harvest sites to ensure compliance with regulations across those sites. The EPA has started to train more of its staff in conducting forestry inspections, but it currently has a limited number of trained and experienced staff to undertake this work.

The EPA has developed a Regulatory and Compliance Priorities Statement 2022–23 which identifies native forestry as a key risk. This statement identifies that forestry is a priority area for its compliance activities because of the increased environmental risk and sensitivity in forests following the 2019–20 bushfires. A divisional plan for its regulatory operations contains specific actions for forestry, including ensuring that the EPA has a consistent approach to recording regulatory actions undertaken and identifying priority areas for assurance over State Forests.

As part of its compliance activities, the EPA responds to complaints received, or reports of non-compliance, across all four IFOA areas and also carries out proactive inspections in the Coastal IFOA area. To guide these inspections, the EPA determines the level of risk posed by each harvest site in the Coastal IFOA area using information it gathers from FCNSW. The EPA prioritises inspections of sites rated as high and medium-risk, but the EPA has not undertaken risk-assessments for the three Western IFOAs. By not determining the risks in these areas, the EPA does not have assurance that it is checking FCNSW compliance with regulations across all high-risk sites.

Most EPA staff have basic training in forestry matters, but few staff have the more advanced training required to effectively undertake forestry inspections. In addition, not all EPA officers have access to the technology required to undertake forestry inspections, such as internet-enabled tablets and specialised tapes for measuring tree diameter. This limits the EPA’s ability to determine the level of compliance with regulations and respond effectively to instances of environmental harm in relation to public native forestry.

The Coastal IFOA does not contain provisions which allow the EPA to unilaterally restrict forestry activities in the aftermath of a catastrophic event such as the 2019–20 bushfires. Following the bushfires, FCNSW approached the EPA and asked for additional site-specific operating conditions (SSOC) at some locations to assist it in maintaining compliance. The SSOCs were issued by the EPA and FCNSW was required to carry out forestry operations in accordance with the SSOCs at relevant harvest sites. These SSOCs were in place for 12 months. After a year, FCNSW decided not to renew this approach with the EPA, but implemented its own voluntary measures during harvesting operations. Unlike the SSOCs, the EPA was unable to undertake enforcement activities for breaches of voluntary measures.

Appendix one – Responses from agencies
Appendix two – About the audit
Appendix three – Performance auditing

Parliamentary reference - Report number #382 - released 22 June 2023

8 December 2022

Published

Regional NSW 2022

Environment

Industry

Planning

Asset valuation

Compliance

Financial reporting

Fraud

Information technology

Infrastructure

Internal controls and governance

Management and administration

Regulation

Risk

Shared services and collaboration

What the report is about

Result of the Regional NSW cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Regional NSW cluster agencies. Two audits are ongoing.

What the key issues were

The Department of Regional NSW (the department) and Local Land Services (LLS) accepted changes to their office leasing arrangements managed by Property NSW.

These changes resulted in the collective derecognition of $100.6 million of rights-of-use-assets and $110.4 million of lease liabilities.

In 2021–22, the cluster agencies continued to assist communities in their recovery from recent weather emergencies, including significant flooding in New South Wales.

The Northern Rivers Reconstruction Corporation was established in May 2022 to rebuild communities in the Lismore and Northern Rivers region impacted by floods.

The number of matters reported to management decreased from 36 in 2020–21 to 14 in 2021–22.

Five moderate risk issues were identified and 14% of reported issues were repeat issues.

One moderate risk issue was a repeat issue related to Local Land Services' annual fair value assessment of the asset improvements on land reserves used for moving stock.

This report provides Parliament and other users of the Regional NSW cluster financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies. Two audits are ongoing.
Cluster agencies completed all required early close procedures.
Changes to accommodation arrangements managed by Property NSW on behalf of the department and cluster agencies resulted in the collective derecognition of approximately $100.6 million in right-of-use assets and corresponding lease liabilities totalling $110.4 million from the balance sheets of these agencies.
Cluster agencies continue to provide financial assistance to communities affected by natural disasters.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW cluster.

Section highlights

The 2021–22 audits identified five moderate issues across the cluster. One moderate risk issue was a repeat issue related to Local Land Services' annual fair value assessment of the asset improvements on land reserves used for moving stock.
Of the four newly identified moderate rated issues, one related to internal control deficiencies and improvements and three related to financial reporting.
The number of findings reported to management has decreased from 36 in 2020–21 to 14 in 2021–22.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

30 June 2022

Published

Audit Insights 2018-2022

Community Services

Education

Environment

Finance

Health

Industry

Justice

Local Government

Premier and Cabinet

Planning

Transport

Treasury

Universities

Whole of Government

Asset valuation

Cross-agency collaboration

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Regulation

Risk

Service delivery

Shared services and collaboration

Workforce and capability

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

Integrity and transparency
Performance and monitoring
Governance and oversight
Cyber security and data
System planning for disruption
Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

Fast facts

72 audits included in the Audit Insights 2018–2022 analysis
4 years of audits tabled by the Auditor-General for New South Wales
6 key themes for Audit Insights 2018–2022.

picture of Margaret Crawford Auditor-General for New South Wales in black dress with city skyline as background I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

Integrity and transparency	Performance and monitoring	Governance and oversight	Cyber security and data	System planning	Resource management
Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption.	Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds.	The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work.	Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.	Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination.	Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest.
Government entities should report to the public at both system and project level for transparency and accountability.	Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact.	Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls.	In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite.	Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders.	Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
Entities must provide balanced advice to decision-makers on the benefits and risks of investments.	Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery.	Active review of policies and procedures in line with current business activities supports more effective risk management.	Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting.	Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events.	Transformation programs can be improved by resourcing a program management office.
Clear guidelines and transparency of decisions are critical in distributing grant funding.	Quality assurance should underpin key inputs that support performance monitoring and accounting judgements.	Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues.			Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need.
Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.
Read more	Read more	Read more	Read more	Read more	Read more

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

24 September 2020

Published

Support for regional town water infrastructure

Industry

Environment

Local Government

Infrastructure

Management and administration

Regulation

Risk

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Planning, Industry and Environment has effectively supported the planning for, and funding of, town water infrastructure in regional NSW.

The audit found that the department has not effectively supported or overseen town water infrastructure planning since at least 2014. It does not have a clear regulatory approach and lacks internal procedures and data to guide its support for local water utilities that service around 1.85 million people in regional NSW.

The audit also found that the department has not had a strategy in place to target investments in town water infrastructure to the areas of greatest priority. A state-wide plan is now in development.

The Auditor-General made seven recommendations to the department, aimed at improving the administration and transparency of its oversight, support and funding for town water infrastructure, and at strengthening its sector engagement and interagency coordination on town water planning issues and investments.

According to the Auditor-General, ‘A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and to work with local water utilities to help avoid future shortages of safe water in regional towns and cities.’

This report is part of a multi-volume series on the theme of water. Refer to ‘Water conservation in Greater Sydney’ and ‘Water management and regulation – undertaking in 2020-21’.

Read full report (PDF)

Safe and reliable water and sewer services are essential for community health and wellbeing, environmental protection, and economic productivity. In 2019, during intense drought, around ten regional New South Wales (NSW) cities or towns were close to ‘zero’ water and others had six to 12 months of supply. In some towns, water quality was declared unsafe.

Ensuring the right water and sewer infrastructure in regional NSW to deliver these services (known as 'town water infrastructure') involves a strategic, integrated approach to water management. The NSW Government committed to ‘secure long-term potable water supplies for towns and cities’ in 2011. In 2019, it reiterated a commitment to invest in water security by funding town water infrastructure projects.

The New South Wales’ Water Management Act 2000 (WM Act) aims to promote the sustainable, integrated and best practice management of the State’s water resources, and establishes the priority of town water for meeting critical human needs.

The Department of Planning, Industry and Environment (the department) is the lead agency for water resource policy, regulation and planning in NSW. It is also responsible for ensuring water management is consistent with the shared commitments of the Australian, State and Territory Governments under the National Water Initiative. This includes the provision of healthy, safe and reliable water supplies, and reporting on the performance of water utilities.

Ninety-two Local Water Utilities (LWUs) plan for, price and deliver town water services in regional NSW. Eighty-nine are operated by local councils under the New South Wales’ Local Government Act 1993, and other LWUs exercise their functions under the WM Act. The Minister for Water, Property and Housing is the responsible minister for water supply functions under both acts.

The department is the primary regulator of LWUs. NSW Health, the NSW Environment Protection Authority (EPA) and the Natural Access Resource Regulator (NRAR) also regulate aspects of LWUs' operations. The department’s legislative powers with respect to LWUs cover approving infrastructure developments and intervening where there are town water risks, or in emergencies. In this context, the department administers the Best Practice Management of Water Supply and Sewerage Guidelines (BPM Guidelines) to support its regulation and to assist LWUs to strategically plan and price their services, including their planning for town water infrastructure.

Under the BPM Guidelines, the department supports LWU’s town water infrastructure planning with the Integrated Water Cycle Management (IWCM) Checklist. The Checklist outlines steps for LWUs to prepare an IWCM strategy: a long-term planning document that sets out town water priorities, including infrastructure and non-infrastructure investments, water conservation and drought measures. The department's objective is to review and approve (i.e. give ‘concurrence to’) an IWCM strategy before the LWU implements it. In turn, these documents should provide the department with evidence of town water risks, issues and infrastructure priorities.

The department also assesses and co-funds LWU's town water infrastructure projects. In 2017, the department launched the $1 billion Safe and Secure Water Program to ensure town water infrastructure in regional NSW is secure and meets current health and environmental standards. The program was initially established under the Restart NSW Fund.

This audit examined whether the department has effectively supported the planning for and funding of town water infrastructure in regional NSW. It focused on the department’s activities since 2014. This audit follows a previous Audit Office of NSW report which found that the department had helped to promote better management practices in the LWU sector, up to 2012–13.

Conclusion

The Department of Planning, Industry and Environment has not effectively supported or overseen town water infrastructure planning in regional NSW since at least 2014. It has also lacked a strategic, evidence-based approach to target investments in town water infrastructure.

A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and work with Local Water Utilities to help avoid future shortages of safe water in regional towns and cities.

The department has had limited impact on facilitating Local Water Utilities’ (LWU) strategic town water planning. Its lack of internal procedures, records and data mean that the department cannot demonstrate it has effectively engaged, guided or supported the LWU sector in Integrated Water Cycle Management (IWCM) planning over the past six years. Today, less than ten per cent of the 92 LWUs have an IWCM strategy approved by the department.

The department did not design or implement a strategic approach for targeting town water infrastructure investment through its $1 billion Safe and Secure Water Program (SSWP). Most projects in the program were reviewed by a technical panel but there was limited evidence available about regional and local priorities to inform strategic project assessments. About a third of funded SSWP projects were recommended via various alternative processes that were not transparent. The department also lacks systems for integrated project monitoring and program evaluation to determine the contribution of its investments to improved town water outcomes for communities. The department has recently developed a risk-based framework to inform future town water infrastructure funding priorities.

The department does not have strategic water plans in place at state and regional levels: a key objective of these is to improve town water for regional communities. The department started a program of regional water planning in 2018, following the NSW Government’s commitment to this in 2014. It also started developing a state water strategy in 2020, as part of an integrated water planning framework to align local, regional and state priorities. One of 12 regional water strategies has been completed and the remaining strategies are being developed to an accelerated timeframe: this has limited the department’s engagement with some LWUs on town water risks and priorities.

Regional New South Wales (NSW) is home to about a third of the state's population. Infrastructure that provides safe and reliable water and sewer services (also known simply as 'town water infrastructure') is essential for community health and wellbeing, environmental protection, and economic productivity. Planning for and meeting these infrastructure needs, as well as identifying when non-infrastructure options may be a better solution, involves a strategic and integrated approach to water resource management in regional NSW.

We examined whether the department has effectively supported planning for town water infrastructure since 2014. This assessment was made in the context of its current approach to LWU sector regulation. The findings below focus on whether the department has an effective framework including governance arrangements for town water issues to inform state-wide strategic water planning, and whether (at the local level) the department has effectively overseen and facilitated town water infrastructure planning through its Integrated Water Cycle Management (IWCM) planning guidance to LWUs.

We examined whether the department has effectively targeted town water infrastructure funding to policy objectives, with a focus on the design and implementation of the Safe and Secure Water Program (SSWP) since its commencement in 2017. The program’s aim was to fund town water infrastructure projects that would deliver health, social and environmental benefits, and support economic growth and productivity. We also assessed the department’s capacity to demonstrate the outcomes of the SSWP funding and the contributions of its town water infrastructure investments more broadly. Finally, we identified risks to the effectiveness of the department’s work underway since 2018–19, which is intended to enhance its strategic water planning and approach to prioritising investments in reducing town water risks.

Appendix one – Response from agency

Appendix two – Key terms

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #341 - released 24 September 2020

23 June 2020

Published

Water conservation in Greater Sydney

Environment

Industry

Infrastructure

Internal controls and governance

Management and administration

Regulation

Risk

This report examines whether the Department of Planning, Industry and Environment, and Sydney Water have effectively progressed water conservation initiatives in Greater Sydney.

The report found that the department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney. The agencies have not met key requirements of the current Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

The Auditor-General recommends the department develop a clear policy and regulatory position on water conservation options, improve governance and funding for water conservation, and work with Sydney Water to assess the viability of water conservation initiatives. The report also recommends improvements to Sydney Water’s planning for and reporting on water conservation, including the transparency of this information.

This report is part of a multi-volume series on the theme of water. Refer to ‘Support for regional town water infrastructure’ and ‘Water management and regulation – undertaking in 2020-21’.

Read full report (PDF)

The current, 2017 Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

Water conservation refers to water recycling, leakage management and programs to enhance water efficiency. Water recycling refers to both harvesting stormwater for beneficial use and reusing wastewater.

This audit examined whether water conservation initiatives for the Greater Sydney Metropolitan area are effectively investigated, implemented and supported. We audited the Department of Planning, Industry and Environment (the Department) and the Sydney Water Corporation (Sydney Water), with a focus on activities since 2016.

The Department is responsible for the integrated and sustainable management of the state’s water resources under the Water Management Act 2000, which includes encouraging ‘best practice in the management and use of water’ as an objective. The Department is also responsible for strategic water policy and planning for Greater Sydney, including implementing the Metropolitan Water Plan.

Sydney Water is a state-owned corporation and the supplier of water, wastewater, recycled water and some stormwater services to more than five million people in Greater Sydney. It is regulated by an operating licence that is issued by the Governor on the recommendation of the Independent Pricing and Regulatory Tribunal (IPART). The Tribunal determines Sydney Water’s maximum prices, reviews its operating licence and monitors compliance. Sydney Water's operating licence and reporting manual set out requirements for its planning, implementing and reporting of water conservation.

From 2007 to 2012, the Climate Change Fund was a source of funds for water conservation activities to be undertaken by the Department and Sydney Water. The Climate Change Fund was established under the Energy and Utilities Administration Act 1987. Four of its six objectives relate to water savings. Water distributors such as Sydney Water can be issued with orders to contribute funds for water-related programs. The Fund is administered by the Department.

In 2016, Sydney Water developed a method for determining whether and how much to invest in water conservation. Known as the ‘Economic Level of Water Conservation’ (ELWC), the method identifies whether it costs less to implement a water conservation initiative than the value of the water saved, in which case the initiative should be implemented.

Conclusion

The Department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney.

The agencies have not met key requirements of the Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Department has not undertaken an annual assessment of Sydney Water’s level of investment in water conservation against water security risks and the capacity to respond when drought conditions return, as required by the Metropolitan Water Plan. It did not complete identified research and planning activities to support the plan, such as developing and using a framework for assessing the potential for water conservation initiatives for Greater Sydney, and developing a long-term strategy for water conservation and water recycling. It also did not finalise a monitoring, evaluation, reporting and improvement strategy to support the plan.

Sydney Water has been ineffective in driving water conservation initiatives, delivering detailed planning and resourcing for ongoing initiatives, and in increasing its investment in water conservation during drought. These were requirements of the Metropolitan Water Plan. Sydney Water's reporting on water conservation has not met all its operating licence requirements and lacked transparency with limited information on key aspects such as planning for leakage management, how the viability of potential initiatives were assessed, and how adopted initiatives are tracking.

The Department and Sydney Water did not put in place sufficient governance arrangements, including clarifying and agreeing responsibilities for key water conservation planning, delivery and reporting activities. There has also been limited collaboration, capacity building and community engagement to support water conservation, particularly outside times of drought.

Appendix one – Responses from agencies

Appendix two – About the audit

Appendix three – Glossary

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #336 - released 23 June 2020

11 December 2019

Published

Planning, Industry and Environment 2019

Planning

Industry

Environment

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Management and administration

Service delivery

Workforce and capability

This report outlines the results of audits of the financial statements of agencies now grouped in the NSW Planning, Industry and Environment cluster.

Unqualified audit opinions were issued for 56 of the 66 cluster agencies’ 30 June 2019 financial statements. Ten audits remain incomplete. The cluster agencies need to improve the timeliness of financial reporting.

The Audit Office continued to identify issues regarding unprocessed Aboriginal land claims and the recognition of Crown land. ‘Auditor-General’s reports to parliament have recommended action to reduce the level of unprocessed land claims since 2007. However, the number of unprocessed claims continued to increase’, Margaret Crawford said.

One in five internal control findings were repeat issues. Key themes included information technology, asset management and improvements required to expense and payroll controls.

The report makes several recommendations including:

Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019
the Department of Planning, Industry and Environment should prioritise action to reduce unprocessed Aboriginal land claims
the Department of Planning, Industry and Environment should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Creation of the Planning, Industry and Environment cluster

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The Department of Planning, Industry and Environment is still in the process of implementing changes

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

2. Financial reporting

Audit opinions	Unqualified audit opinions were issued for 56 of the 66 cluster agencies' 30 June 2019 financial statements audits. Ten financial statements audits are still ongoing.
Timeliness of financial reporting	Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline. Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.
Introduction of AASB 16 'Leases'	We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods. We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records. Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.
Unprocessed Aboriginal land claims have continued to increase	Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007. Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

3. Audit observations

Internal controls	One in five internal control issues identified and reported to management in 2018–19 were repeat issues. The lack of user access review was the most common IT general control issue in the cluster.
Drought relief	The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place. Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.
Recognition of Crown land	Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19. Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.
Developer contributions	The former DPE continued to accumulate more developer contributions revenues than it spent on infrastructure projects. Total unspent funds increased to $274 million at 30 June 2019.

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

This cluster was created by the Machinery of Government changes on 1 July 2019. This report is focused on agencies in the Planning, Industry and Environment cluster from 1 July 2019. However, these agencies were all in other clusters during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions that are given effect by Administrative orders.

The MoG changes, announced following the NSW State election on 23 March 2019, created the Planning, Industry and Environment (PIE) cluster. The Administrative Changes Orders issued on 2 April 2019, 1 May 2019 and 28 June 2019 gave effect to these changes. These orders became effective on 1 July 2019.

Section highlights

The 2019 MoG changes significantly impacted the former Planning and Environment, and Industry clusters and agencies.

The PIE cluster combines most of the functions and agencies of the former Planning and Environment and Industry clusters from 1 July 2019.
The Department of Planning, Industry and Environment is the principal agency in the PIE cluster.
The MoG changes bring risks and challenges to the PIE cluster.
A MoG Steering Committee was established to oversee the transitional processes.
The full integration of the systems and processes will not be completed in the near future.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

Unqualified audit opinions were issued for all completed 30 June 2019 financial statements audits. However, some cluster agencies can further enhance the quality of financial reporting.
Timeliness of financial reporting remains an issue for 13 agencies.
Deficiencies were identified in the data used to calculate the impact of AASB 16 ‘Leases’ effective from 1 July 2019. Property NSW should urgently address these deficiencies.
Unprocessed Aboriginal land claims continue to increase. DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our audit observations and insights from our financial statement audits of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

One in five issues identified and reported to management in 2018–19 were repeat issues.
The lack of user access review was the most common IT general control issue in the PIE cluster.
The PIE cluster provided significant financial assistance for drought relief.
There continues to be significant deficiencies in Crown land records. The DPIE should ensure the Crown land database is complete and accurate.
Unspent developer contributions funds continued to build up in 2018–19.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

Appendix five – Management letter findings

Appendix six – Timeliness of financial reporting

Copyright notice

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

Audit progress

Sector

Year

Report type

Topic

Reports

What this report is about

Findings

Recommendations

What this report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

What this report is about

What we found

What we recommended

Conclusion

What the report is about

What we found

What the key issues were

Section highlights

Section highlights

What the report is about

What we found

Fast facts

Copyright notice

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

Conclusion

1. Machinery of Government changes

2. Financial reporting

3. Audit observations

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings