Reports
Internal Controls and Governance 2019
This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.
The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:
- financial controls
- information technology controls
- gifts and benefits
- internal audit
- contingent labour
- sensitive data.
The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.
1. Internal control trends
| New, repeat and high risk findings |
There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies. Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time. |
| Common findings |
A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:
|
2. Information technology controls
| IT general controls |
We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:
We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required. |
3. Gifts and benefits
| Gifts and benefits registers |
All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers. Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour. |
| Managing gifts and benefits |
We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites. Agencies can improve management of gifts and benefits by:
|
| Reporting and monitoring |
Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee. Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits. |
4. Internal audit
| Obtaining value from the internal audit function |
Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee. Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer. Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks. |
| Role of the Chief Audit Executive |
Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE. The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO. Agencies should ensure:
|
| Quality assurance and improvement program |
Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function. The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually. Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments. |
5. Managing contingent labour
| Obtaining value for money from contingent labour |
According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces. Agencies can improve their management of contingent labour by:
We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'. |
6. Managing sensitive data
| Identifying and assessing sensitive data |
Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked. Agencies can improve processes to manage sensitive data by:
|
| Managing data breaches |
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents. Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach. |
This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.
Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.
This report offers insights into internal controls and governance in the NSW public sector
This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.
Areas of specific focus of the report have changed since last year
Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:
- internal control trends
- information technology controls, including access to agency systems
- protecting sensitive information held within agencies
- managing large and diverse workforces (controls around employing and managing contingent workers)
- maintaining an ethical culture (management of gifts and benefits)
- effectiveness of internal audit function and its oversight by Audit and Risk Committees.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Key conclusions and sector wide learnings
- out of date policies or an absence of policies to guide appropriate decisions
- poor record keeping and document retention
- incomplete or inaccurate centralised registers or gaps in these registers.
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.
Key conclusions and sector wide learnings
We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.
Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.
Areas where agencies can improve their management of gifts and benefits include:
- ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
- establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
- updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
- providing on-going training, awareness activities and support to employees, not just at induction
- regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
- publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.
Key conclusions and sector wide learnings
We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:
- documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
- ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
- involving the CAE more extensively in executive forums as an observer
- documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
- reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.
Key conclusions and sector wide learnings
Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.
There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:
- preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
- involving agency human resources units in decisions about engaging contingent labour
- regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
- strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.
Key conclusions and sector wide learnings
Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.
It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.
Key areas where agencies can improve their management of sensitive data include:
- identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
- assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
- developing comprehensive data breach management policies to ensure data breaches are appropriately managed
- maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
- providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – In-scope agencies
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Managing growth in the NSW prison population
The Department of Justice has relied heavily on temporary responses to accommodate growing prisoner numbers according to a report released today by the Acting Auditor-General for New South Wales, Ian Goodwin.
At the time of this audit, the NSW Department of Justice (DOJ) was responsible for delivering custodial corrections services in New South Wales through its Corrective Services NSW division (Corrective Services NSW). From 1 July 2019, the Department of Family and Community Services and Justice will be responsible for these functions.
Within DOJ, Corrective Services NSW is responsible for administering sentences and legal orders through custodial and community-based management of adult offenders. Its key priorities are:
- providing safe, secure and humane management of prisoners
- reducing reoffending
- improving community safety and confidence in the justice system.
The prison population in New South Wales grew by around 40 per cent between 2012 to 2018, from 9,602 to 13,630 inmates. This rate of growth was higher than experienced prior to 2012. DOJ forecasts growth to continue over the short and longer-term.
DOJ has responded to inmate population growth by doubling-up and tripling-up the number of prison beds in cells, reactivating previously closed prisons, and a $3.8 billion program of new prison capacity. DOJ has also developed a long-term prison infrastructure strategy that projects long-term needs and recommended investments to meet these needs.
This audit assessed how efficiently and effectively DOJ is responding to growth in the NSW prison population. In this report, we have not analysed the sources of demand or recommended ways that custody may be avoided. These are largely government policy issues.
The Productivity Commission’s Report on Government Services outlines the performance indicator framework for corrective services in Australia (Appendix three). We have used measures from this framework to assess the efficiency and effectiveness of DOJ’s responses to prison bed capacity needs.
In this section, we analyse system-wide indicators as DOJ has not consistently published or reported data for individual correctional centres over the period of review.
Appendix one - Response from agency
Appendix two - Managing women in custody
Appendix three - Corrective services performance indicator framework
Appendix four - About the audit
Appendix five – Performance auditing
Parliamentary Reference: Report number #319 - released 24 May 2019
Firearms regulation
There are gaps in how the Firearms Registry administers the firearms licencing and registration scheme for existing licence holders, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. These gaps reduce the Registry’s effectiveness in regulating firearms use and ownership.
While the Firearms Registry has systems to promptly update details in the firearms register for changes in firearm ownership and for criminal or anti-social behaviour of licence holders, some key information, including addresses, is not accurate or up-to date. 'This exposes a critical gap in the Registry’s data on the location of licence holders and their firearms,' Ms Crawford said.
The Firearms Registry may also be making unsound or inconsistent administrative decisions due to a lack of clear internal policies and guidance. These decisions include licence suspensions or revocations, assessing reasons for the acquisition of firearms, and initiating enforcement actions for breaches by licence holders. Ms Crawford noted that 'these gaps mean the Registry cannot be confident it conducts aspects of its licencing activities effectively.'
The report’s recommendations aim to improve the integrity of the data in the register and ensure that the Firearms Registry is making sound and consistent decisions in regulating firearms use and ownership.
Firearms used by the general public in NSW are regulated through the Firearms Act 1996 (NSW) (the Act) and the Firearms Regulation 2017 (NSW) (Regulation). In October 2018, there were over 237,500 firearm licence holders and just over one million registered firearms in NSW.
The Act and Regulation reflect the National Firearms Agreement reached by all Australian jurisdictions in 1996 and confirmed in 2017. This Agreement sets out the minimum requirements for regulating firearms. The Act recognises that possessing and using firearms are privileges conditional on the overriding need to ensure public safety.
The NSW Police Force (NSW Police), which includes the Firearms Registry (the Registry), is responsible for administering the Act and Regulation, and for operating the NSW firearms licensing and registration scheme. Relevant third parties such as approved clubs, firearms dealers and shooting ranges also carry some administrative and oversight responsibilities under the Act and Regulation.
The role of the Registry includes administering the following requirements under the Act and Regulation that are relevant to this audit:
- licence conditions
- licence suspensions and revocations
- initiating seizure of firearms
- assessing permits to acquire firearms
- administering the good reason test
- maintaining the register of firearms
- approving alternative safe storage arrangements.
The Registry's other activities identified in this report support its regulatory responsibilities under the NSW Government framework for better regulation.
This audit assessed how well the Registry administers the requirements of the Act and Regulation for existing firearms licence holders. To effectively administer these requirements, the Registry should have:
- a reliable database that supports the firearms licensing and registration scheme
- appropriate risk-based policies and procedures for the Registry’s operation that are consistent with the Act and Regulation.
We did not assess the Registry’s processes in assessing and issuing firearms licences to new applicants or renewing licences of existing licence holders. We also did not examine the administrative actions conducted by police officers who are not part of the Registry.
See Section 1 for details on the role of the Registry. See Appendix six for details of the audit.
The Registry is promptly advised of the sale of firearms or potential criminal or anti-social behaviour activity of licence holders and it promptly updates relevant information in the register.
Licence holders do not always advise the Registry of their address changes within the time required. The Registry does not have processes to efficiently identify these changes if not advised. This exposes a critical gap in the Registry's data on the location of some firearms. While the Registry has implemented a number of programs for checking the accuracy of data in the register, some of these programs have either ceased or been severely curtailed. For example, the Registry was conducting various checks on the accuracy of the data relating to the description of firearms in the register and correcting errors. These checks ceased after July 2017, with only around 50 per cent of the register checked.
There is an increased risk of the Registry making unsound or inconsistent administrative decisions.
The Registry lacks appropriate policies and guidance for important administrative decisions and sanctions. These include making decisions about licence suspensions and revocations, assessing good reasons for acquiring firearms, and initiating some enforcement actions. There is also limited review of these critical decisions.
The Commissioner of Police’s response to this report (Appendix one) indicates he disagrees with some of our findings and recommendations based on his view that the firearms licensing and registration scheme is a ‘co-regulatory model’. The conclusion and recommendations of this report are based on the provisions in the Act which indicate that the Commissioner, and through him the NSW Police Force (including the Firearms Registry), is the responsible regulator. We acknowledge that other stakeholders have obligations to undertake certain actions in accordance with the Act and Regulation. This is further discussed below.
To effectively administer the requirements of the Act and Regulation, the register that supports the firearms licensing and registration scheme should have readily accessible, accurate and up-to-date information regarding the status of licence holders and registered firearms.
Appendix one - Response from agency
Appendix two - Reasons for firearms licences to be suspended or revoked
Appendix three - Licence holder obligations
Appendix four - Firearms licence categories
Appendix five - Firearms distribution
Appendix six - About the audit
Appendix seven - Performance auditing
Parliamentary reference - Report number #315 - released 28 February 2019
Compliance of expenditure with Section 12A of the Public Finance and Audit Act 1983 - Law Enforcement Conduct Commission
The Hon. Troy Grant MP, Minister for Police and Minister for Emergency Services requested an audit under section 27B(3)(c) of the Public Finance and Audit Act 1983, to determine whether expenditure on overseas travel by the Law Enforcement Conduct Commission (the Commission) complied with section 12A of the Public Finance and Audit Act 1983.
On 9 November 2018, the Hon. Troy Grant MP, Minister for Police and Minister for Emergency Services (the Minister), requested an audit under s. 27B(3)(c) of the Public Finance and Audit Act 1983 (the PF&A Act) to determine whether the expenditure of $8,074.66 on overseas travel by the Law Enforcement Conduct Commission (the LECC) complied with s. 12A of the PF&A Act.
In forming my audit conclusion, I have reviewed documentation provided by the Minister and the LECC, made enquiries of LECC staff, and sought independent legal advice on key aspects of the PF&A Act and the Law Enforcement Conduct Commission Act 2016 (the LECC Act) and their interface.
In my opinion, the LECC did not comply with s. 12A of the PF&A Act because the Minister:
- had not delegated his authority to approve expenditure for overseas travel to an officer in the LECC
- had specifically declined approving a request from the LECC to incur expenditure on the travel in question.
Despite this, the LECC incurred the expenditure.
In my view, the LECC required the Minister’s approval to incur the overseas travel expenditure before it could legally spend funds for this purpose from its appropriation.
The LECC is an independent investigative body, funded by appropriation, to oversight NSW Police and the Crime Commission
The Bill to establish the LECC was introduced to parliament following a review of the police oversight system.1 The establishment of the LECC drew together functions previously undertaken by the Police Integrity Commission, the Ombudsman and the Inspector of the Crime Commission. It aimed to ‘remove overlapping responsibilities, inefficiencies and failures’ and ‘create a single civilian law enforcement oversight body’.2
Part 4 of the LECC Act sets out the functions of the Commission as an independent investigative body. The objects of the LECC Act are summarised in Appendix one. The LECC Act provides that the Minister cannot direct the LECC on how to perform its functions.
Notably, s. 22 of the LECC Act states:
The Commission and Commissioners are not subject to the control or direction of the Minister in the exercise of their functions.
For the financial year ended 30 June 2018, under s. 22 of the Appropriation Act 2017 (NSW), $21,195,000 was appropriated to the Minister for the LECC’s services. This provided the statutory basis for the sum in question to be drawn from the Consolidated Fund, but only in accordance with the PF&A Act.
The PF&A Act is the legislation that governs the administration of public finances
The PF&A Act determines how expenditure is to occur and sets out the conditions under which such expenditure can occur in NSW public sector agencies.The LECC is an agency within the NSW public sector.
Section 12A of the PF&A Act stipulates that:
A Minister to whom a sum of money is appropriated out of the Consolidated Fund for a use or purpose (whether by an annual Appropriation Act or other Act) may delegate to another Minister or to an officer of any authority, or authorise another Minister to delegate to an officer of any authority, the committing or incurring of expenditure from the sum so appropriated.
Section 12 of the PF&A Act also stipulates that:
Expenditure shall be committed or incurred by an officer of an authority only within the limits of a delegation in writing conferred on the officer by a person entitled to make the delegation.
The relevant ‘authority’ in this case was the Office of the Law Enforcement Conduct Commission (Office of the LECC) - a body which, under the Government Sector Employment Act 2013 (the GSE Act)3 employs the staff of the LECC.
Prima facie, as the LECC is funded by appropriation and is subject to the PF&A Act, its officers can only commit or incur expenditure with a delegation from the Minister.
The Minister did not delegate his right to approve expenditure on overseas travel
In April 2017, the Minister approved the LECC’s financial delegations under the authority vested in him by s. 12A of the PF&A Act. However, he reserved his right to approve any expenditure on overseas travel. This effectively required the LECC to obtain his approval for each instance of such expenditure.4
The Minister declined approval of a LECC request for an officer to travel overseas
In August 2017, the Chief Commissioner sought the Minister’s approval to incur overseas travel expenditure. The Minister exercised his right under the PF&A Act to decline the request and confirmed this in writing:
Establishment of LECC being in its infancy, travel is not supported at this time. Operating priorities should be the focus at this time.
The LECC paid the overseas travel expenses without a delegation or Ministerial approval
In October 2017, despite the absence of a delegation or approval from the Minister to incur expenditure on overseas travel, the Chief Commissioner approved a total of $8,074.66 for the LECC’s Director of Covert Services to travel to, and attend an international conference.
The LECC booked and paid for the travel in four payments between October and December 2017. Over the same period the Chief Commissioner reimbursed the agency for these expenses from his personal funds. On 13 October 2017, the Chief Commissioner wrote to the Minister asking him to reconsider his decision. On 12 January 2018, in the absence of a response from the Minister, the Chief Commissioner directed the LECC’s finance officer to ‘repay the relevant costs to my account’.5 On 16 January 2018, the LECC’s Chief Executive Officer approved the reimbursement to the Chief Commissioner, which occurred on 17 January 2018. Appendix three provides further detail on the series of payments.
The Chief Commissioner first disclosed he had been reimbursed for the expenses, without Ministerial approval, in March 2018. In August 2018, the Chief Commissioner made a further disclosure about the expenditure at Budget Estimates.6
The Chief Commissioner argues the overseas travel expenditure was properly incurred
The Chief Commissioner argues the LECC’s overseas travel expenditure was properly incurred because:
- the travel was undertaken in pursuit of the detective and investigative functions specified in s. 26(b)(i) of Part 4 of the LECC Act7
- a specific reservation in public policy cannot be qualified by general rules of public policy.8 The Chief Commissioner argues s. 22 of the LECC Act is a specific provision that conflicts with the general provisions in ss. 12 and 12A of the PF&A Act. In his view, the conflict is resolved by applying the principle that a specific later provision effectively repeals an earlier general provision. In his view, the LECC Act contains a specific provision that the Minister cannot direct the LECC in exercising its functions, whereas the PF&A Act contains general provisions which deal with the spending of public money.
The Chief Commissioner believes the Minister’s decision7:
- was not made in the bona fide exercise of the power conferred on him by the PF&A Act as it interfered with the management of the LECC’s operating priorities
- and his failure to enquire into the operational situation of the LECC were not decisions a rational decision maker could have made
- was made for an improper purpose and was biased, in that the Minister had approved expenditure for a member of NSW Police to travel to the conference, but denied the same to a member of the LECC, which oversights NSW Police
- breached s. 22 of the LECC Act, because it directed the LECC Commissioners in the exercise of their functions.
The Crown Solicitor and Solicitor General advised the expenditure breached the PF&A Act
On 7 September 2017, the Crown Solicitor advised the Office of Police (part of the Department of Justice) that:
The Minister’s authority to determine whether or not to approve a particular expenditure from the amount appropriated from the Consolidated Fund for the purpose of the Commission under the Constitution Act 1902 and the PF&A Act is not affected by s.22 of the LECC Act. These have different spheres of operation. It is not unusual for otherwise independent bodies to be subject to restrictions with respect to the use of public moneys.9
Subsequently, the Crown Solicitor asked the Solicitor General to review the matter of her previous advice. On 14 December 2017, the Solicitor General concurred with the Crown Solicitor’s advice. He concluded that:
Although LECC has a high degree of independence under its legislation, it is a body operating in the public sector and within the context of the broad policies of the government of the day in relation to public administration... it is not a function of LECC or its Commissioners to deal directly with money appropriated to the Minister out of the Consolidated Fund.10
The Secretary of the Department of Justice forwarded the Crown Solicitor’s and the Solicitor General’s advice to the Chief Commissioner.11 The Chief Commissioner continues to contest the Crown Solicitor’s and the Solicitor General’s advice.12
The Minister referred the matter to the Inspector of the LECC
In August 2018, the Minister referred the Chief Commissioner’s disclosure in Budget Estimates13 that he had been personally reimbursed for an expense concerning overseas travel by an officer of the LECC, to the Inspector of the LECC (the Inspector).14 The Inspector is the person, under s. 122 of the LECC Act, responsible for 'auditing the operation of the Commission for the purpose of monitoring compliance with the law of the State'. On 4 September 2018, the Inspector recused himself from investigating the Minister’s complaint.15 In his letter to the Premier dated 19 September 2018, he wrote ‘I informed the Minister for Police that I had acquired information in my capacity as Inspector of LECC (and in the discharge of my statutory functions) prior to receiving his letter of complaint…’. He further suggested to the Minister and the Premier that an Assistant Inspector be appointed to investigate the complaint under s. 121(1) of the LECC Act to give ‘proper and independent’ consideration to the Minister’s complaint.16
The Minister asks the Auditor General to audit the transaction’s compliance with the PF&A Act
An Assistant Inspector appointed under section 121 of the LECC Act can exercise any function of the Inspector, including ‘auditing the operations of the Commission’. The reasons why an Assistant Inspector was not appointed to investigate the matter are not apparent. Instead, on 9 November 2018, the Minister requested the Auditor General to conduct an audit of whether the expenditure complied with s. 12A of the PF&A Act.17
2 Second reading speech of Minister Troy Grant for the LECC Bill.
3 Per the definition of ‘authority’ in s. 4(1) of the PF&A Act and the definition of ‘Public Service agency’ in s. 3 of the GSE Act and Part 3 of Schedule 1 to the GSE Act.
In forming my adverse conclusion, I considered the Chief Commissioner’s argument that s. 22 of the LECC Act prevailed over those sections of the PF&A Act that deal with spending public money, and:
- the principles of statutory interpretation that might apply when a potential conflict between a general provision in one Act and specific provisions in another exists
- whether an apparent conflict exists
- whether the Chief Commissioner was entitled to incur the expenditure without Ministerial approval
- whether the Minister was lawfully entitled to withhold approval for the expenditure from the Chief Commissioner.
The principles of statutory interpretation apply where potential conflicts exist between Acts
A basic principle of statutory interpretation is that all legislation be given its full scope and effect. Courts, and thereby other interpreters, are not at liberty to consider any word or meaning as superfluous. The starting point is that all words must be given some meaning and effect.18 If there is an apparent conflict between two Acts, the pieces of legislation should be read in such a way as to avoid that conflict by giving the words the construction that produces the greatest harmony and the least inconsistency.19
One way conflict can be avoided is to apply the approach that a later general provision does not override an earlier specific provision.20 However, this approach is rebuttable, as a later general Act might also be said to qualify an earlier specific Act.21 The reverse can also apply, in that a later specific Act can be claimed to qualify or supersede an earlier general provision. In such a case, it is said that the later Act impliedly repeals the earlier. This is an easier case to make out because it is apparent the parliament has dealt with the specific instance and it would be reasonable to expect that it had considered any contrary general legislation. However, here again, the courts have qualified this approach by suggesting it should be presumed unlikely that a parliament would intend to contradict itself. If the specific Act was intended to qualify an earlier general Act, then the legislation would have spelt this out.
One must therefore always start from the premise that all words are to be given meaning and effect, and that meaning should enable both pieces of legislation to operate. It is only where the point is reached that it is not possible for both pieces of legislation to operate to their full extent that the approaches to resolving conflicts can be usefully invoked. The approaches may then be useful to determine which is the primary provision and which provision must give way to the requirements set out in that primary provision.
Is there an apparent conflict between the LECC Act and the PF&A Act that needs to be resolved?
No. The LECC Act deals specifically with the operational functions of the LECC, while the PF&A Act deals with the specific issue of expenditure by a delegate of the Minister.
The Chief Commissioner argues that s. 22 of the LECC Act is a specific provision and should take precedence over general delegation provisions in the PF&A Act, namely ss. 12 and 12A. He argues this because s. 22 deals specifically with the operation of the LECC and prohibits the Minister from directing the LECC in the performance of its functions. In his view, this includes the administrative and financial functions impliedly invested in the LECC for it to perform the specific functions referred to in the LECC Act.
However, it can also be readily argued that s. 22 of the LECC Act deals with the general issue of Minister's directions to the LECC and the PF&A deals with the specific issue of expenditure by a delegate of the Minister. While the expenditure of funds may be essential for the LECC to perform its functions, that expenditure is controlled by the PF&A Act, as it controls all expenditure from the Consolidated Fund. The PF&A Act is the specific legislation that relates to expenditure.
The issues that have arisen can be resolved by looking at the effect of the two Acts in their application to the facts. In my view, the PF&A Act and the LECC Act can be applied to the facts under consideration as they deal with different issues and are thereby capable of separate operation.
Was the LECC able to incur expenditure without Ministerial approval?
No. The PF&A Act applies to the LECC in the same way it applies to all NSW Government agencies. While the Minister had approved the LECC’s financial delegations under the authority vested in him by s. 12A of the PF&A Act, he reserved his right to approve all expenditure on overseas travel. This effectively required the LECC to obtain his approval for each instance of such expenditure. As the Minister did not approve the overseas travel request, the Chief Commissioner was not legally able to authorise the expenditure.
The PF&A Act determines how expenditure is to occur and sets out the conditions under which such expenditure can occur in New South Wales public sector agencies. Expenditure can ‘only be committed or incurred by an officer of an authority within the limits of a delegation in writing conferred on the officer by a person entitled to make the delegation’.22
Was the Minister lawfully entitled to withhold approval of the overseas travel expenditure?
Yes. If one accepts the premise that the PF&A Act determines the basis on which public money can be spent, it follows that the Minister could exercise the discretion reserved to him by financial delegation and withhold approval of the overseas travel expenditure for the LECC officer.
Section 22 of the LECC Act prevents the Minister from directing the LECC to send (or not to send) an officer to a conference. However, the Minister did not direct the LECC as to whether the person should or should not attend the conference. Rather, he exercised the responsibility given to him to determine how public funds were to be spent.
The appropriation to the LECC provided funding to the delegate of the Minister to support the performance of the agency’s functions. However, the expenditure of money for overseas travel was governed by ss. 12 and 12A of the PF&A Act. This gave the Minister discretion to approve or refuse to approve expenditure for overseas travel on a case by case basis. It follows from this that the Chief Commissioner was not entitled to spend money for overseas travel, even though in the Commissioner’s view it was beneficial to the performance of the LECC’s functions.
It may be suggested that the Minister’s refusal to provide funding for a particular function may have the same effect as directing an agency not to perform that function. NSW’s constitutional structure of government establishes that public money can only be spent in accordance with legislation and if expenditure requires a Minister’s approval, that approval establishes the ability of an agency to spend that money. That said, in reserving approval for certain types of expenditures, care should be exercised not to unduly interfere with the legitimate functions of independent agencies.
This assurance audit is a ‘direct engagement’ whereby the Auditor‑General provides the Minister and parliament with reasonable assurance about whether $8,074.66 spent on overseas travel by the LECC complied, in all material respects with s. 12A of the PF&A Act.
My audit was conducted in accordance with applicable Standards on Assurance Engagements (ASAE 3100 ‘Compliance Engagements’).
In conducting my audit, I have complied with:
- the independence requirements of Australian Auditing and Assurance Standards
- ASQC 1 ‘Quality Control for firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Service Engagements’
- relevant ethical pronouncements.
Parliament promotes independence by ensuring the Auditor‑General and the Audit Office of New South Wales are not compromised in their roles by:
- providing that only parliament, and not the executive government, can remove an Auditor‑General
- mandating the Auditor‑General as auditor of public sector agencies
- precluding the Auditor‑General from providing non‑audit services.
I have reviewed documentation provided by the Minister and the LECC, gained an understanding of the LECC’s controls and processes for approving and making expenditure and made enquiries of LECC staff. I have also:
- gained an understanding of the relevant pieces of legislation and case law
- reviewed the advice of the Crown Solicitor and the Solicitor‑General
- sought independent legal advice on key aspects of the PF&A Act and the Law Enforcement Conduct Commission Act 2016 (the LECC Act) from an acknowledged expert in statutory interpretation
- conducted interviews with key persons
- reviewed the documentation listed in Appendix four.
Newcastle Urban Transformation and Transport Program
The urban renewal projects on former railway land in the Newcastle city centre are well targeted to support the objectives of the Newcastle Urban Transformation and Transport Program (the Program), according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. The planned uses of the former railway land achieve a balance between the economic and social objectives of the Program at a reasonable cost to the government. However, the evidence that the cost of the light rail will be justified by its contribution to the Program is not convincing.
The Newcastle Urban Transformation and Transport Program (the Program) is an urban renewal and transport program in the Newcastle city centre. The Hunter and Central Coast Development Corporation (HCCDC) has led the Program since 2017. UrbanGrowth NSW led the Program from 2014 until 2017. Transport for NSW has been responsible for delivering the transport parts of the Program since the Program commenced. All references to HCCDC in this report relate to both HCCDC and its predecessor, the Hunter Development Corporation. All references to UrbanGrowth NSW in this report relate only to its Newcastle office from 2014 to 2017.
This audit had two objectives:
- To assess the economy of the approach chosen to achieve the objectives of the Program.
- To assess the effectiveness of the consultation and oversight of the Program.
We addressed the audit objectives by answering the following questions:
a) Was the decision to build light rail an economical option for achieving Program objectives?
b) Has the best value been obtained for the use of the former railway land?
c) Was good practice used in consultation on key Program decisions?
d) Did governance arrangements support delivery of the program?
1. The urban renewal projects on the former railway land are well targeted to support the objectives of the Program. However, there is insufficient evidence that the cost of the light rail will be justified by its contribution to Program objectives.
The planned uses of the former railway land achieve a balance between the economic and social objectives of the Program at a reasonable cost to the Government. HCCDC, and previously UrbanGrowth NSW, identified and considered options for land use that would best meet Program objectives. Required probity processes were followed for developments that involved financial transactions. Our audit did not assess the achievement of these objectives because none of the projects have been completed yet.
Analysis presented in the Program business case and other planning documents showed that the light rail would have small transport benefits and was expected to make a modest contribution to broader Program objectives. Analysis in the Program business case argued that despite this, the light rail was justified because it would attract investment and promote economic development around the route. The Program business case referred to several international examples to support this argument, but did not make a convincing case that these examples were comparable to the proposed light rail in Newcastle.
The audited agencies argue that the contribution of light rail cannot be assessed separately because it is a part of a broader Program. The cost of the light rail makes up around 53 per cent of the total Program funding. Given the cost of the light rail, agencies need to be able to demonstrate that this investment provides value for money by making a measurable contribution to the Program objectives.
2. Consultation and oversight were mostly effective during the implementation stages of the Program. There were weaknesses in both areas in the planning stages.
Consultations about the urban renewal activities from around 2015 onward followed good practice standards. These consultations were based on an internationally accepted framework and met their stated objectives. Community consultations on the decision to close the train line were held in 2006 and 2009. However, the final decision in 2012 was made without a specific community consultation. There was no community consultation on the decision to build a light rail.
The governance arrangements that were in place during the planning stages of the Program did not provide effective oversight. This meant there was not a single agreed set of Program objectives until 2016 and roles and responsibilities for the Program were not clear. Leadership and oversight improved during the implementation phase of the Program. Roles and responsibilities were clarified and a multi-agency steering committee was established to resolve issues that needed multi-agency coordination.
Recommendations
For future infrastructure programs, NSW Government agencies should support economical decision-making on infrastructure projects by:
- providing balanced advice to decision makers on the benefits and risks of large infrastructure investments at all stages of the decision-making process
- providing scope and cost estimates that are as accurate and complete as possible when initial funding decisions are being made
- making business cases available to the public.
The planned uses of the former railway land align with the objectives of encouraging people to visit and live in the city centre, creating attractive public spaces, and supporting growth in employment in the city. The transport benefits of the activities are less clear, because the light rail is the major transport project and this will not make significant improvements to transport in Newcastle.
The processes used for selling and leasing parts of the former railway land followed industry standards. Options for the former railway land were identified and assessed systematically. Competitive processes were used for most transactions and the required assessment and approval processes were followed. The sale of land to the University of Newcastle did not use a competitive process, but required processes for direct negotiations were followed.
Recommendation
By March 2019, the Hunter and Central Coast Development Corporation should:
- work with relevant stakeholders to explore options for increasing the focus on the heritage objective of the Program in projects on the former railway land. This could include projects that recognise the cultural and industrial heritage of Newcastle.
Consultations focusing on urban renewal options for the Program included a range of stakeholders and provided opportunities for input into decisions about the use of the former railway land. These consultations received mostly positive feedback from participants. Changes and additions were made to the objectives of the Program and specific projects in response to feedback received.
There had been several decades of debate about the potential closure of the train line, including community consultations in 2006 and 2009. However, the final decision to close the train line was made and announced in 2012 without a specific community consultation. HCCDC states that consultation with industry and business representatives constitutes community consultation because industry representatives are also members of the community. This does not meet good practice standards because it is not a representative sample of the community.
There was no community consultation on the decision to build a light rail. There were subsequent opportunities for members of the community to comment on the implementation options, but the decision to build it had already been made. A community and industry consultation was held on which route the light rail should use, but the results of this were not made public.
Recommendation
For future infrastructure programs, NSW Government agencies should consult with a wide range of stakeholders before major decisions are made and announced, and report publicly on the results and outcomes of consultations.
The governance arrangements that were in place during the planning stages of the Program did not provide effective oversight. Project leadership and oversight improved during the implementation phase of the Program.
Multi-agency coordination and oversight were ineffective during the planning stages of the Program. Examples include: multiple versions of Program objectives being in circulation; unclear reporting lines for project management groups; and poor role definition for the initial advisory board. Program ownership was clarified in mid-2016 with the appointment of a new Program Director with clear accountability for the delivery of the Program. This was supported by the creation of a multi-agency steering committee that was more effective than previous oversight bodies.
The limitations that existed in multi-agency coordination and oversight had some negative consequences in important aspects of project management for the Program. This included whole-of-government benefits management and the coordination of work to mitigate impacts of the Program on small businesses.
Recommendations
For future infrastructure programs, NSW Government agencies should:
- develop and implement a benefits management approach from the beginning of a program to ensure responsibility for defining benefits and measuring their achievement is clear
- establish whole-of-government oversight early in the program to guide major decisions. This should include:
- agreeing on objectives and ensuring all agencies understand these
- clearly defining roles and responsibilities for all agencies
- establishing whole-of-government coordination for the assessment and mitigation of the impact of major construction projects on businesses and the community.
By March 2019, the Hunter and Central Coast Development Corporation should update and implement the Program Benefits Realisation Plan. This should include:
- setting measurable targets for the desired benefits
- clearly allocating ownership for achieving the desired benefits
- monitoring progress toward achieving the desired benefits and reporting publicly on the results.
Appendix one - Response from agencies
Appendix two - About the audit
Appendix three - Performance auditing
Parliamentary reference - Report number #310 - released 12 December 2018
Internal Controls and Governance 2018
The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.
This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.
This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.
This report offers insights into internal controls and governance in the NSW public sector
This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:
- Internal control trends
- Information technology (IT), including IT vendor management
- Transparency and performance reporting
- Management of purchasing cards and taxis
- Fraud and corruption control.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.
The focus of the report has changed since last year
Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Agencies selected for the volume account for 95 per cent of the state's expenditure
While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.
| Observation | Conclusions and recommendations |
|---|---|
| 2.1 High risk findings | |
| We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. | Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority. |
| 2.2 Common findings | |
| We found several internal controls and governance findings common to multiple agencies. | Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective. |
| 2.3 New and repeat findings | |
| Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. | The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies. |
| IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases |
Recommendation: Agencies should reduce IT risks by:
|
Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.
| Observation | Conclusions and recommendations |
|---|---|
| 3.1 Management of IT vendors | |
| Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review. |
Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:
|
| Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract. |
Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination. |
|
Performance management Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance. |
Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:
|
|
Transitioning services Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor. |
Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'. |
| Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete. |
Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:
Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
| 3.2 IT general controls | |
| Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review. |
Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. |
|
User access administration
|
Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems. |
| Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities. |
Recommendation: Agencies should:
|
| Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters. |
Recommendation: Agencies should ensure IT password settings comply with their password policies. |
| Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment. |
Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed. |
This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.
| Observation | Conclusion or recommendation |
| 4.1 Reporting on performance | |
|
Only 57 per cent of agencies linked reporting on performance to their strategic objectives. The use of targets and reporting performance over time was limited and applied inconsistently. |
Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information. Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports. |
|
There is no independent assurance that the performance metrics agencies report in their annual reports are accurate. Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported. |
Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited. The relevance and accuracy of performance information is enhanced when:
|
| 4.2 Reporting on reports | |
|
Agency reporting on major projects does not meet the requirements of the annual reports regulation. Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations. |
NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations. Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress. |
|
The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works. Sixteen of 30 agencies reported some information on completed major works. |
Conclusion: Agencies could improve their transparency if they reported, or were required to report:
|
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.
| Observation | Conclusion or recommendation |
| 5.1 Management of purchasing cards | |
| Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement. |
Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards. |
| Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy. |
Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'. |
| Preventative controls We found that:
|
Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:
|
|
Detective controls Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used. |
Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:
|
| 5.2 Management of taxis | |
| Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
|
Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
|
| Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews. |
Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program. |
Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.
Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:
- unreported frauds in organisations can be almost three times the number of reported frauds
- our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
- fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
- agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.
Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.
Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.
| Observation | Conclusion or recommendation |
| 6.1 Prevention systems | |
|
Prevention systems Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies. |
Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by:
|
| Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be. | Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified. |
| 6.2 Detection systems | |
| Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program. |
Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment. |
| 6.3 Notification systems | |
| Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption. |
Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture |
Regional Assistance Programs
Infrastructure NSW effectively manages how grant applications for regional assistance programs are assessed and recommended for funding. Its contract management processes are also effective. However, we are unable to conclude whether the objectives of these programs have been achieved as the relevant agencies have not yet measured their benefits, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.
In 2011, the NSW Government established Restart NSW to fund new infrastructure with the proceeds from the sale and lease of government assets. From 2011 to 2017, the NSW Government allocated $1.7 billion from the fund for infrastructure in regional areas, with an additional commitment of $1.3 billion to be allocated by 2021. The NSW Government allocates these funds through regional assistance programs such as Resources for Regions and Fixing Country Roads. NSW councils are the primary recipients of funding provided under these programs.
The NSW Government announced the Resources for Regions program in 2012 with the aim of addressing infrastructure constraints in mining affected communities. Infrastructure NSW administers the program, with support from the Department of Premier and Cabinet.
The NSW Government announced the Fixing Country Roads program in 2014 with the aim of building more efficient road freight networks. Transport for NSW and Infrastructure NSW jointly administer this program, which funds local councils to deliver projects that help connect local and regional roads to state highways and freight hubs.
This audit assessed whether these two programs (Resources for Regions and Fixing Country Roads) were being effectively managed and achieved their objectives. In making this assessment, we answered the following questions:
- How well are the relevant agencies managing the assessment and recommendation process?
- How do the relevant agencies ensure that funded projects are being delivered?
- Do the funded projects meet program and project objectives?
The audit focussed on four rounds of Resources for Regions funding between 2013–14 to 2015–16, as well as the first two rounds of Fixing Country Roads funding in 2014–15 and 2015–16.
The project selection criteria are consistent with the program objectives set by the NSW Government, and the RIAP applied the criteria consistently. Probity and record keeping practices did not fully comply with the probity plans.
The assessment methodology designed by Infrastructure NSW is consistent with2 the program objectives and criteria. In the rounds that we reviewed, all funded projects met the assessment criteria.
Infrastructure NSW developed probity plans for both programs which provided guidance on the record keeping required to maintain an audit trail, including the use of conflict of interest registers. Infrastructure NSW and Transport for NSW did not fully comply with these requirements. The relevant agencies have taken steps to address this in the current funding rounds for both programs.
NSW Procurement Board Directions require agencies to ensure that they do not engage a probity advisor that is engaged elsewhere in the agency. Infrastructure NSW has not fully complied with this requirement. A conflict of interest arose when Infrastructure NSW engaged the same consultancy to act as its internal auditor and probity advisor.
While these infringements of probity arrangements are unlikely to have had a major impact on the assessment process, they weaken the transparency and accountability of the process.
Some councils have identified resourcing and capability issues which impact on their ability to participate in the application process. For both programs, the relevant agencies conducted briefings and webinars with applicants to provide advice on the objectives of the programs and how to improve the quality of their applications. Additionally, Transport for NSW and the Department of Premier and Cabinet have developed tools to assist councils to demonstrate the economic impact of their applications.
The relevant agencies provided feedback on unsuccessful applications to councils. Councils reported that the quality of this feedback has improved over time.
Recommendations
- By June 2018, Infrastructure NSW should:
- ensure probity reports address whether all elements of the probity plan have been effectively implemented.
- By June 2018, Infrastructure NSW and Transport for NSW should:
- maintain and store all documentation regarding assessment and probity matters according to the State Records Act 1998, the NSW Standard on Records Management and the relevant probity plans
Infrastructure NSW is responsible for overseeing and monitoring projects funded under Resources for Regions and Fixing Country Roads. Infrastructure NSW effectively manages projects to keep them on track, however it could do more to assure itself that all recipients have complied with funding deeds. Benefits and outcomes should also start to be measured and reported as soon as practicable after projects are completed to inform assessment of future projects.
Infrastructure NSW identifies projects experiencing unreasonable delays or higher than expected expenses as 'at‑risk'. After Infrastructure NSW identifies a project as 'at‑risk', it puts in place processes to resolve issues to bring them back on track. Infrastructure NSW, working with Public Works Advisory regional offices, employs a risk‑based approach to validate payment claims, however this process should be strengthened. Infrastructure NSW would get better assurance by also conducting annual audits of compliance with the funding deed for a random sample of projects.
Infrastructure NSW collects project completion reports for all Resources for Regions and Fixing Country Roads funded projects. It applies the Infrastructure Investor Assurance Framework to Resources for Regions and Fixing Country Roads at a program level. This means that each round of funding (under both programs) is treated as a distinct program for the purposes of benefits realisation. It plans to assess whether benefits have been realised once each project in a funding round is completed. As a result, no benefits realisation assessment has been done for any project funded under either Resources for Regions or Fixing Country Roads. Without project‑level benefits realisation, future decisions are not informed by the lessons from previous investments.
Recommendations
- By December 2018, Infrastructure NSW should:
- conduct annual audits of compliance with the funding deed for a random sample of projects funded under Resources for Regions and Fixing Country Roads
- publish the circumstances under which unspent funds can be allocated to changes in project scope
- measure benefits delivered by projects that were completed before December 2017
- implement an annual process to measure benefits for projects completed after December 2017
- By December 2018, Transport for NSW and Infrastructure NSW should:
- incorporate a benefits realisation framework as part of the detailed application.
Appendix one - Response from agencies
Appendix two - Maps of funded projects
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #300 - released 17 May 2018
Managing risks in the NSW public sector: risk culture and capability
The Ministry of Health, NSW Fair Trading, NSW Police Force, and NSW Treasury Corporation are taking steps to strengthen their risk culture, according to a report released today by the Auditor-General, Margaret Crawford. 'Senior management communicates the importance of managing risk to their staff, and there are many examples of risk management being integrated into daily activities', the Auditor-General said.
We did find that three of the agencies we examined could strengthen their culture so that all employees feel comfortable speaking openly about risks. To support innovation, senior management could also do better at communicating to their staff the levels of risk they are willing to accept.
Effective risk management is essential to good governance, and supports staff at all levels to make informed judgements and decisions. At a time when government is encouraging innovation and exploring new service delivery models, effective risk management is about seizing opportunities as well as managing threats.
Over the past decade, governments and regulators around the world have increasingly turned their attention to risk culture. It is now widely accepted that organisational culture is a key element of risk management because it influences how people recognise and engage with risk. Neglecting this ‘soft’ side of risk management can prevent institutions from managing risks that threaten their success and lead to missed opportunities for change, improvement or innovation.
This audit assessed how effectively NSW Government agencies are building risk management capabilities and embedding a sound risk culture throughout their organisations. To do this we examined whether:
- agencies can demonstrate that senior management is committed to risk management
- information about risk is communicated effectively throughout agencies
- agencies are building risk management capabilities.
The audit examined four agencies: the Ministry of Health, the NSW Fair Trading function within the Department of Finance, Services and Innovation, NSW Police Force and NSW Treasury Corporation (TCorp). NSW Treasury was also included as the agency responsible for the NSW Government's risk management framework.
In assessing an agency’s risk culture, we focused on four key areas:
Executive sponsorship (tone at the top)
In the four agencies we reviewed, senior management is communicating the importance of managing risk. They have endorsed risk management frameworks and funded central functions tasked with overseeing risk management within their agencies.
That said, we found that three case study agencies do not measure their existing risk culture. Without clear measures of how employees identify and engage with risk, it is difficult for agencies to tell whether employee's behaviours are aligned with the 'tone' set by the executive and management.
For example, in some agencies we examined we found a disconnect between risk tolerances espoused by senior management and how these concepts were understood by staff.
Employee perceptions of risk management
Our survey of staff indicated that while senior leaders have communicated the importance of managing risk, more could be done to strengthen a culture of open communication so that all employees feel comfortable speaking openly about risks. We found that senior management could better communicate to their staff the levels of risk they should be willing to accept.
Integration of risk management into daily activities and links to decision-making
We found examples of risk management being integrated into daily activities. On the other hand, we also identified areas where risk management deviated from good practice. For example, we found that corporate risk registers are not consistently used as a tool to support decision-making.
Support and guidance to help staff manage risks
Most case study agencies are monitoring risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps it identified. While agencies are providing risk management training, surveyed staff in three case study agencies reported that risk management training is not adequate.
NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. In line with better practice, NSW Treasury's principles-based policy acknowledges that individual agencies are in a better position to understand their own risks and design risk management frameworks that address those risks. Nevertheless, there is scope for NSW Treasury to refine its guidance material to support a better risk culture in the NSW public sector.
Recommendation
By May 2019, NSW Treasury should:
- Review the scope of its risk management guidance, and identify additional guidance, training or activities to improve risk culture across the NSW public sector. This should focus on encouraging agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes.
Appendix one - Response from agencies
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #298 - released 23 April 2018
Internal Controls and Governance 2017
Agencies need to do more to address risks posed by information technology (IT).
Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
1. Overall trends
|
New and repeat findings |
The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved. |
|
High risk findings |
Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies. |
|
Common findings |
Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity. |
2. Information Technology
|
IT security |
Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls. |
|
Cyber security |
Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
|
Other IT systems |
Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems. |
3. Asset Management
|
Capital investment |
Agencies report delays delivering against the significant increase in their budgets for capital projects. |
|
Capital projects |
Agencies are underspending their capital budgets and some can improve capital project governance. |
|
Asset disposals |
Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes. |
4. Governance
|
Governance arrangements |
Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues. |
|
Shared services |
Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set. |
5. Ethics and Conduct
|
Ethical framework |
Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics. |
|
Conflicts of interest |
All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
6. Risk Management
|
Risk management maturity |
All agencies have implemented risk management frameworks, but with varying levels of maturity. |
|
Risk management elements |
Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency. |
This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.
This new report offers strategic insight on the public sector as a whole
In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.
This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.
Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.
These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.
Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:
- Overall trends
- Information technology
- Asset management
- Governance
- Ethics and conduct
- Risk management.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.
|
Issues |
Recommendations |
|
1.1 New and repeat findings |
|
|
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies. |
Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis. |
|
1.2 High risk findings |
|
|
We found seven high risk internal control deficiencies, which might significantly affect agencies. |
Recommendation Agencies should rectify high risk internal control deficiencies as a priority |
|
1.3 Common findings |
|
|
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies. |
Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies. |
Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.
| Issues | Recommendations |
2.1 IT security |
|
|
User access administration While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems. |
Recommendation Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:
|
|
Privileged access Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access. |
Recommendation Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:
|
|
Password controls Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls. |
Recommendation Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:
|
2.2 Cyber Security |
|
|
Cyber security framework Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Recommendation The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents. |
|
Cyber security strategies While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness. |
Recommendations The Department of Finance, Services and Innovation should:
Agencies should ensure they adequately resource staff dedicated to cyber security. |
2.3 Other IT systems |
|
|
Change control processes Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes. |
Recommendation Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems. |
|
Disaster recovery planning Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis. |
Recommendation Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans. |
Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:
- manage their major capital projects
- dispose of existing assets.
| Issues | Recommendations or conclusions |
3.1 Capital investment |
|
|
Capital asset investment ratios Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one. |
Recommendation Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs. |
|
Volume of capital spending Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years. |
Conclusion The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years. |
3.2 Capital projects |
|
|
Major capital projects Agencies’ major capital projects were underspent by 13 percent against their budgets. |
Conclusion The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time. |
|
Capital project governance Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects. |
Conclusion Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight. |
3.3. Asset disposals |
|
|
Asset disposal procedures Agencies need to strengthen their asset disposal procedures. |
Recommendations Agencies should have formal processes for disposing of surplus properties. Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption. |
Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.
This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.
| Issues | Recommendations or conclusions |
4.1 Governance arrangements |
|
|
Continuous disclosure Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations. |
Conclusion Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:
|
4.2 Shared services |
|
|
Service level agreements Some agencies do not have service level agreements for their shared service arrangements. Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements. |
Conclusion Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:
|
|
Shared service performance Some agencies do not set performance standards for their shared service providers or regularly review performance results. |
Conclusion Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received. Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money. |
All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.
This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.
We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.
| Issues | Recommendations or conclusions |
5.1 Ethical framework |
|
|
Code of conduct All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
Recommendation Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date. |
|
Statement of business ethics Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors. |
Conclusion Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture. |
5.2 Potential conflicts of interest |
|
|
Conflicts of interest All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest. |
Recommendation Agencies should improve the way they manage conflicts of interest, particularly by:
|
|
Gifts and benefits While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct. |
Recommendation Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff. |
Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.
This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.
| Issues | Recommendations or conclusions |
6.1 Risk management maturity |
|
|
All agencies have implemented risk management frameworks, but with varying levels of maturity in their application. Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence. |
Conclusion Agencies have introduced risk management frameworks and practices as required by the Treasury’s:
However, more can be done to progress risk management maturity and embed risk management in agency culture. |
6.2 Risk management elements |
|
|
Risk culture Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.
|
Conclusion Agencies can improve their risk culture by:
|
|
Risk registers and reporting Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level. |
Conclusion Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately. |
Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.
Planning and Environment 2017
The following report highlights results of financial audits of agencies in the Planning and Environment cluster. The report focuses on key observations and findings from the most recent audits of these agencies.
The audits were completed for most agencies in the cluster and unqualified audit opinions issued. Issues identified during the financial statement audits of seven small agencies delayed their finalisation beyond the statutory deadline, and six of these remain incomplete. Apart from these small agencies, the quality of financial reporting across the cluster remained at a high standard.
This report provides Parliament and others with the audit results, observations and recommendations for Planning and Environment cluster agencies. The report has been structured into two chapters focussing on financial reporting and controls and service delivery.
The Planning and Environment cluster plays a role in ensuring each community across New South Wales receives the services and infrastructure it needs.
This chapter outlines our audit observations and recommendations related to financial reporting and controls of Planning and Environment cluster agencies for 2016–17.
| Observation | Conclusion or recommendation |
2.1 Quality of financial reporting |
|
|
Unqualified audit opinions were issued for 39 of the 45 cluster agencies' financial statements. |
Issues identified during the financial statement audits of seven smaller agencies delayed their completion. Six audits remain incomplete at the date of this report. Apart from these seven small agency audits, the quality of financial reporting across the cluster remained at a high standard. |
2.2 Timeliness of financial reporting |
|
|
Seven agencies' financial statement audits were not completed by the statutory deadline with six audits incomplete at the date of this report. |
Issues identified during the financial statement audits of seven smaller agencies delayed their finalisation beyond the statutory deadline. These agencies would benefit from performing additional early close procedures in future reporting periods. |
2.3 Financial and sustainability analysis |
|
|
Water and Electricity utility agencies continue to operate with low liquidity ratios. |
A liquidity ratio below one is an indicator that an entity may not be able to pay its debts as and when they fall due. Whilst liquidity ratios were below one, utility agencies demonstrated they can continue to support ongoing operations due to:
|
2.5 Internal controls |
|
|
One in six internal control weaknesses reported in 2016–17 were repeat issues. |
Delays in implementing audit recommendations can prolong the risk of fraud and error. Recommendation (repeat issue): anagement letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues. |
|
Nine of these internal control weaknesses related to the creation, modification, deletion and review of user access to financial systems. |
These control weaknesses may compromise the integrity and security of financial data. Recommendation (repeat issue): Management of user administration over financial systems should be strengthened to prevent inappropriate access to financial information. |
This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.
| Observation | Conclusion or recommendation |
3.1 Premier's and State priorities |
|
| The Planning and Environment cluster is responsible for delivering five Premier's and State priorities. |
One priority target was achieved in 2016–17, two targets are on track to be achieved and progress towards one target slowed. Progress against one target cannot be determined. |
3.2 Planning |
|
|
Housing Completion |
|
| There were 63,506 housing completions in 2016–17. This was 4.1 per cent above the Premier’s priority target of delivering 61,000 housing completions per year. |
The Australian Bureau of Statistics data shows the housing completions target was achieved in 2016–17. |
|
Housing supply |
|
| The number of approvals for new houses in 2016–17 was 72,472 against the State priority target of more than 50,000 approvals per year. |
The Australian Bureau of Statistics data indicates the housing approvals target was achieved in 2016–17. |
|
Major project assessment |
|
| State significant developments are not clearly defined for the purposes of reporting against the State priority target. | The Department of Planning and Environment will clarify with the Department of Premier and Cabinet which developments are captured by the State priority target. |
| The Department of Planning and Environment’s data shows the time taken to assess complex State significant developments increased by 16 per cent in 2016–17 while the time taken to assess less complex developments reduced by 20 per cent. | The Department of Planning and Environment considers it is on track to meet the State priority target of halving the time taken to assess State significant developments, despite uncertainty over the target measure. |
|
Housing acceleration fund |
|
|
Program business cases were not developed for projects in Housing Acceleration Fund Rounds 1 to 4. The Department advised a program business case will be developed for Housing Acceleration Fund Round 5 projects. |
A program business case is necessary to ensure related projects are evaluated, managed and coordinated effectively. |
|
A benefit realisation review process has not yet been approved for Housing Acceleration Fund projects. The Department of Planning and Environment advised it is developing a benefit realisation review process. |
A benefit realisation review process is necessary to determine whether funded projects achieved intended outcomes. |
|
Greater Sydney Commission |
|
| The Greater Sydney Commission forecasts a further 725,000 dwellings in the greater Sydney region will be required up to 2036 to meet housing demand. | In response to population growth, the Commission has set a five-year housing supply target of 189,100 houses across the five Greater Sydney Commission districts. |
|
ePlanning system |
|
| The Department of Planning and Environment did not perform a benefit realisation review for phase one of the ePlanning project. It has committed to performing a benefit realisation review after completion of phase two in 2018. | It cannot be determined if phase one of the project delivered expected outcomes as a benefit realisation review was not performed. |
3.3. Environment and Heritage |
|
| Litter volume in New South Wales was 6.6 litres per 1,000 square metres in 2016–17, an increase of 16 per cent from the prior year. This is above the Premier's priority litter volume target of 4.2 litres per 1,000 square metres by 2020. | The Environment Protection Authority's data indicates the progress towards the target of reducing the volume of litter by 40 per cent by 2020 has slowed. |
| The NSW Government plans to invest $240 million to facilitate strategic biodiversity conservation on private land. | Performance measures have not yet been developed for the private land conservation program. |
3.4 Water |
|
| IPART reduced water usage charges for most Sydney Water Corporation customers in 2016–17. | Water usage prices in New South Wales compare favourably to larger water utilities in other jurisdictions. |
|
Hunter Water Corporation's water recycling and water conservation performance has been stable over recent years. The volume of Sydney Water Corporation’s recycled water reduced by 12 per cent in 2016–17 compared to the previous year. |
Sydney Water Corporation experienced reduced industry demand for recycled water. Several large industrial customers relocated away from Sydney. |
3.5 Arts and culture |
|
| A State priority target is to increase overall attendance at cultural venues and events in New South Wales by 15 per cent from 2014–15 levels by 2019. | The Department of Planning and Environment's data indicates overall attendance increased by 16 per cent in 2015–16, although attendance fluctuated across individual venues and events. This indicates progress towards achieving the overall target by 2019. |
