Refine search

Reports

17 December 2021

Published

Planning, Industry and Environment 2021

Environment

Industry

Local Government

Planning

Asset valuation

Financial reporting

Information technology

Internal controls and governance

Risk

This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.

An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.

The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.

The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.

There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.

Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.

The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.

There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.

What the key issues were

The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.

Seven high-risk issues were identified in 2020–21:

system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.

There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.

The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.

What we recommended

The department should ensure CLMs and common trusts meet their statutory reporting obligations.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.

The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.

Fast facts

The Planning, Industry and Environment cluster aims to make the lives of people in New South Wales better by developing well-connected communities, preserving the environment, supporting industries and contributing to a strong economy.

There are 54 agencies, 609 State controlled Crown land managers that predominantly manage small parcels of Crown land and 120 common trusts in the cluster.

42% of the area of NSW is Crown land
$33.2b water and electricity infrastructure as at 30 June 2021
100% unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits
7 high-risk management letter findings were identified
54 monetary misstatements were reported in 2020–21
40% of reported issues were repeat issues

This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.

Section highlights

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.

Section highlights

The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

10 December 2020

Published

Stronger Communities 2020

Justice

Community Services

Asset valuation

Compliance

Financial reporting

Information technology

Internal controls and governance

Management and administration

Service delivery

This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting
Quality of financial reporting	Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements.
Compliance with financial reporting requirements	The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines. Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards.
Financial implications of recent emergencies	Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic. During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to: increased demand for homeless people seeking temporary accommodation additional cleaning requirements bushfire recovery efforts emergency support for eligible small businesses. The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020. The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20.
Restatement of the Sydney Cricket Ground valuation	The valuation of the Sydney Cricket Ground (the Stadium) included costs of $28.6 million which were not eligible for capitalisation. The financial statements were restated to reflect the reduction in the value of the Stadium and the asset revaluation reserve.
Unresolved data quality issues in the VS Connect system	The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes. An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years. Recommendation (repeat issue): The department should resolve the data quality issues in the VS Connect System before 31 March 2021.
AASB 16 'Leases' resulted in significant changes to agencies' financial position	Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019. Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information.
2. Audit observations
Internal control deficiencies	Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high. Recommendation (repeat issue): Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.
Agencies response to recent emergencies	The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20. The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges. The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings.
Managing excess annual leave	Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period. Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million or 11.6 per cent between 30 June 2019 and 30 June 2020.
Implementation of Machinery of Government (MoG) changes	Administrative Arrangement Orders effective from 1 July 2019, created the department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities into the department from the former departments of Justice and Family and Community Services. The department continues to establish its governance arrangements following the MoG changes. Recommendation: The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes: harmonising policies and procedures to ensure a unified approach across the department finalising risk management and monitoring processes across the department updating its delegation instruments to reflect the current organisational structure, delegation limits and roles and responsibilities.
Delivery of the Prison Bed Capacity Program	The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system. Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020.

This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analysis, conclusions and recommendations.

Agencies in the Stronger Communities cluster were significantly impacted by the bushfires, floods and the COVID-19 pandemic in 2019–20. Our 2019–20 financial audits of the seven cluster agencies most significantly impacted by the recent emergency events considered:

the financial implications of the emergency events
changes to agencies' operating models and control environments
delivery of new or expanded projects, programs or services at short notice.

Our findings on these seven agencies' responses to the recent emergencies are included throughout this report. These agencies are:

Department of Communities and Justice
Fire and Rescue NSW
NSW Police Force
Office of the NSW Rural Fire Service
Office of the NSW State Emergency Service
Sydney Cricket and Sports Ground Trust
Venues NSW.

The Department of Communities and Justice is the principal agency of the cluster. The names of all agencies in the Stronger Communities cluster are included in Appendix one.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. All agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.
Emergency events significantly impacted cluster agencies in 2019–20. Agencies received additional funding of $1.1 billion to respond to the emergencies.
Cluster agencies implemented three new accounting standards in 2019–20. Adoption of AASB 16 'Leases' resulted in significant changes to agencies' financial statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Stronger Communities cluster
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.

Section highlights

Almost one-third of internal control issues reported were repeat findings. Cluster agencies should address these issues more promptly.
The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies increased by $430 million in 2019–20.
The department continues to establish its governance arrangements following Machinery of Government changes effective 1 July 2019.

Appendix one – Timeliness of financial reporting by agency

Appendix two – Management letter findings by agency

Appendix three – List of 2020 recommendations

Appendix four – Status of 2019 recommendations

Appendix five – Selected agencies for review of response to emergency events

Appendix six – Financial data

Copyright notice

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

2 June 2020

Published

Funding enhancements for police technology

Justice

Community Services

Information technology

Management and administration

Procurement

Project management

This report focuses on how the NSW Police Force managed a $100 million program to acquire new technology. The program invested in technologies intended to make police work safer and quicker. These included body-worn video (BWV) cameras, smart phone devices, mobile fingerprint scanners and hand-held drug testing devices.

The audit found that while the NSW Police Force mostly managed the ‘Policing for Tomorrow’ program effectively, investment decision making could be improved in the future. The NSW Police Force missed an opportunity to take a whole-of-organisation approach to identify capability gaps and target the acquired technologies to plug these.

The NSW Police Force has processes in place to monitor the benefits of some of the larger technology, but it does not do this consistently for all procured technology. It could not demonstrate that smaller projects are improving the efficiency or effectiveness of policing.

The audit also found that the NSW Police Force does not routinely engage with external stakeholders on the use or impacts of new technology that changes how officers interact with the public, noting that this will not always be possible for particularly sensitive procurements that involve covert technologies or methodologies.

The Auditor-General made three recommendations to guide improvement of NSW Police Force ICT procurement, benefits management and stakeholder engagement processes.

Read full report (PDF)

Ahead of the March 2015 election, the NSW Government announced a $100 million Policing for Tomorrow fund for the NSW Police Force to acquire technology intended to make police work safer and quicker. The announcement committed the NSW Police Force to several investment priorities, including body-worn video (BWV) cameras, smart phone devices (MobiPOL), mobile fingerprint scanners and hand-held drug testing devices. Otherwise, the NSW Police Force was allowed flexibility in identifying and resourcing suitable projects.

This audit assessed whether the Policing for Tomorrow fund was effectively managed to improve policing in New South Wales. We addressed the audit objective with the following audit questions:

Did the NSW Police Force efficiently and effectively identify, acquire, implement and maintain technology resourced by the fund?
Did the NSW Police Force establish effective governance arrangements for administering the fund, and for monitoring expected benefits and unintended consequences?
Did technology implemented under the fund improve the efficiency and effectiveness of policing in New South Wales?

Conclusion

The NSW Police Force's management of the Policing for Tomorrow fund was mostly effective. There are measures in place to assess the impact of the technologies on the efficiency and effectiveness of policing in NSW. However, these measures are not in place for all technologies funded by Policing for Tomorrow. A strategic whole-of-organisation approach to identifying and filling technology capability gaps may have assisted in better targeting funds and managing expected benefits.

The NSW Police Force identified, acquired, implemented and maintained a range of technologies resourced by the fund in an efficient and effective way. The election announcement committed the NSW Police Force to four specific projects which made up over three quarters of the fund value. Investment decisions for remaining funds were driven by the availability of funding and individual technology requirements rather than targeting improved policing outcomes and the capability necessary to achieve these.

The NSW Police Force missed an opportunity to take a whole-of-organisation approach to selecting technology projects for the remainder of the funds where it had discretion. This may have included considering less obvious back office technology or making different investment decisions driven by gaps in the agency's technology capabilities.

The NSW Police Force used effective governance arrangements for administering the Policing for Tomorrow fund, including using its existing ICT Executive Board. The NSW Police Force has adequate processes in place to drive benefits and monitor the impact of technology on the efficiency and effectiveness of policing for the larger projects funded by Policing for Tomorrow. Further work is required to ensure this for smaller projects.

The NSW Police Force tends to consider only impacts on the organisation in managing benefits and identifying unintended consequences. It does not routinely engage proactively with stakeholders, including partner criminal justice agencies and members of the community, on new technology that changes how police interact with the public.

We examined how effectively the NSW Police Force governed the Policing for Tomorrow fund, to ensure that key accountability and decision-making arrangements were in place to direct the $100 million spend to appropriate technologies. We also assessed how the NSW Police Force acquired, implemented and maintained technology funded by Policing for Tomorrow to determine the effectiveness of the relevant asset management.

The Policing for Tomorrow election commitment aimed to invest in technology to ‘make police work safer and quicker – meaning more time on the street combatting crime’. We assessed whether the NSW Police Force ensured that funded technologies have improved policing efficiency and effectiveness. We did not seek to independently assure the benefits or outcomes resulting from the technologies.

Appendix one – Response from agency

Appendix two – Policing for Tomorrow projects and expenditure

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #334 - released 2 June 2020

7 April 2020

Published

Integrity of data in the Births, Deaths and Marriages Register

Justice

Premier and Cabinet

Whole of Government

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #330 - released 7 April 2020.

18 December 2019

Published

Supporting the District Criminal Court

Justice

Community Services

Information technology

Internal controls and governance

Project management

The Auditor-General for New South Wales, Margaret Crawford, released a report today on whether the Department of Communities and Justice (the department) effectively supports the efficient operation of the District Criminal Court system.

The audit found that in the provision of data and technology services, the department is not effectively supporting the efficient operation of the District Criminal Court system. The department has insufficient controls in place to ensure that data in the system is always accurate.

The department is also using outdated technology and could improve its delivery of technical support to courts.

The audit also assessed the implementation of the Early Appropriate Guilty Pleas reform. This reform aims to improve court efficiency by having more cases resolved earlier with a guilty plea in the Local Court. The audit found that the department effectively governed the implementation of the reform but is not measuring achievement of expected benefits, placing the objectives of the reform at risk.

The Auditor-General made seven recommendations to the department, aimed at improving the controls around courts data, reporting on key performance indicators, improving regional technical support and measuring the success of the Early Appropriate Guilty Pleas reform.

The District Court is the intermediate court in the New South Wales court system. It hears most serious criminal matters, except murder, treason and piracy. The Department of Communities and Justice (the Department) provides support to the District Court in a variety of ways. For example, it provides security services, library services and front-desk services. This audit examined three forms of support that the Department provides to the District Court:

data collection, reporting and analysis - the Department collects data from cases in its case management system, JusticeLink, based on the orders Judges make in court and court papers
technology - the Department provides technology to courts across New South Wales, as well as technical support for this technology
policy - the Department is responsible for proposing and implementing policy reforms.

Recent years have seen a worsening of District Court efficiency, as measured in the Productivity Commission's Report on Government Services (RoGS). Efficiency in the court system is typically measured through timeliness of case completion. There is evidence that timeliness has worsened. For example, the median time from arrest to finalisation of a case in the District Court increased from 420 days in 2012–13 to 541 days in 2017–18.

As a result, the government has announced a range of measures to improve court performance, particularly in the District Court. These measures included the Early Appropriate Guilty Pleas (EAGP) reform. One of the objectives of EAGP is to improve court efficiency, which would be achieved by having more cases resolve with a guilty plea in the Local Court.

This audit assessed whether the Department of Communities and Justice effectively supports the efficient operation of the District Criminal Court system. We assessed this with the following lines of inquiry:

Does the Department effectively collect, analyse and report performance information relevant to court efficiency?
Does the Department effectively provide technology to support the efficient working of the courts?
Does the Department have effective plans, governance and monitoring for the Early Appropriate Guilty Pleas reform?

The audit did not consider other support functions provided by the Department. Further information on the audit, including detailed audit criteria, may be found in Appendix two.

Conclusion

In the provision of data and technology services, the Department is not effectively supporting the efficient operation of the District Criminal Court system. The Department has insufficient controls in place to ensure accurate data in the District Criminal Court system. The Department is also using outdated technology in significant numbers and could improve its delivery of technical support to meet agreed targets.

The Department effectively governed the implementation of the Early Appropriate Guilty Pleas reform. However, it is not ensuring that the benefits stated in the business case are being achieved, placing its objectives at risk.

The impact of inaccurate court data can be severe, and the Department does not have sufficient controls in place to ensure that its court data is accurate. Recent Bureau of Crime Statistics and Research reviews have identified data inaccuracies, and this demonstrates the Department needs strong controls in place to ensure that its court data is accurate.

The Department does not have a policy for data quality and has not formally assigned responsibility for data quality to any individual or branch. The Department also does not have a data dictionary outlining all the fields in its case management system. While the Department validates the highest risk items, such as warrants, to ensure that they are accurate, most data is not validated. The Department has recently commenced setting up a data unit for the Courts, Tribunals and Service Delivery branch. It is proposed that this unit will address most of the identified shortcomings.

The Department did not provide timely technical support to the court system in 2017 and is using outdated technology in significant numbers. The Digital and Technology Services branch of the Department had agreed a Service Level Agreement with the rest of the Department, outlining the expected speed of technical support responses. The branch did not meet response times in 2017. Performance improved in 2018, though DTS fell short of its targets for critical and moderate priority incidents. Critical incidents are particularly important to deal with in a timely manner as they include incidents which may delay a court sitting.

Requests for technical support rose significantly in 2018 compared to 2017, which may be related to the number of outdated pieces of technology. As at April 2019, the whole court system had 2,389 laptops or desktop computers outside their warranty period. The Department was also using other outdated technology. Outdated technology is more prone to failure and continuing to use it poses a risk of court delays.

The Department is not measuring all the expected benefits from the Early Appropriate Guilty Pleas reform, placing the objectives of the program at risk. The Early Appropriate Guilty Pleas business case outlined nine expected benefits from the reform. The Department is not measuring one of these benefits and is not measuring the economic benefits of a further five business case benefits. Not measuring the impact of the reform means that the Department does not know if it is achieving its objectives and if the reform had the desired impact.

The Department is responsible for providing technology to the courts, which can improve the efficiency of court operations by making them faster and cheaper. The Department is also responsible for providing technical support to courtrooms and registries. It is important that technical support is provided in a timely manner because some technical incidents can delay court sittings and thus impact on court efficiency. A 2013 Organisation for Economic Co‑operation and Development report emphasised the importance of technology and digitisation for reducing trial length.

While the Department may provide technology to the courts, they are not responsible for deciding when, how or if the technology is used in the courtroom.

The Department is using a significant amount of outdated technology, risking court delays

As of April 2019, the whole court system had 2,389 laptops or desktop computers out of warranty, 56.0 per cent of the court system's fleet. The court system also had 786 printing devices out of their normal warranty period, 75.1 per cent of all printers in use. The Department also advised that many of its court audio transcription machines are out of date. These machines must be running for the court to sit and thus it is critical that they are maintained to a high degree. The then Department of Justice estimated the cost of aligning its hardware across the whole Department with desired levels at $14.0 million per year for three years. Figures for the court system were not calculated but they are likely to be a significant portion of this figure.

Using outdated technology poses a risk to the court system as older equipment may be more likely to break down, potentially delaying courts or slowing down court services. In the court system throughout 2018, hardware made up 30.8 per cent of all critical incidents reported to technical support and 41.9 per cent of all high priority incidents. In addition, 16.2 per cent of all reported issues related to printing devices or printing.

From 2017 to 2018, technical support incidents from courts or court services increased. There were 4,379 technical support incidents in 2017, which increased significantly to 9,186 in 2018. The Department advised that some outside factors may have contributed to this increase. The Department was rolling out its new incident recording system throughout 2017, meaning that there would be an under‑reporting of incidents in that year. The Department also advised that throughout 2018 there was a greater focus on ensuring that every issue was logged, which had not previously been the case. Despite these factors, the use of outdated technology has likely increased the risk of technology breakages and may have contributed to the increase in requests for technical support.

Refreshing technology on a regular basis would reduce the risk of hardware failures and ensure that equipment is covered by warranty.

The Department did not meet all court technical support targets in 2017 and 2018

The Digital and Technology Services branch (DTS) was responsible for providing technical support to the courts and the Courts and Tribunal Services branch prior to July 2019. DTS provided technical support in line with a Service Level Agreement (SLA) with the Department. In 2017, DTS did not provide this support in a timely manner. Performance improved in 2018, though DTS fell short of its targets for critical and moderate priority incidents. Exhibit 7 outlines DTS' targets under the SLA.

Exhibit 7: Digital and Technology Services' Service Level Agreement
Priority	Target resolution time	Target percentage in time (%)
1. Critical	4 hours	80
2. High	1 day	80
3. Moderate	3 days	85
4. Low	5 days	85
Source: Department of Communities and Justice, 2019.

Critical incidents are particularly important for the Department to deal with in a timely manner because these include incidents which may delay a court sitting until resolved or incidents which impact on large numbers of staff. Some of the critical incidents raised with DTS specifically stated that they were delaying a court sitting, often due to transcription machines not working. High priority incidents include those where there is some impact on the functions of the business, which may in turn affect the efficiency of the court system. High priority incidents also include those directly impacting on members of the Judiciary.

This audit examined DTS' performance against its SLA in the 2017 and 2018 calendar years across the whole court system, not just the District Court. The total number of incidents, as well as critical and high priority incidents, can be seen in Exhibit 8.

Exhibit 8: Number of incidents in 2017 and 2018
Priority	2017	2018
All	4,379	9,186
1. Critical	48	91
2. High	128	315
Source: Audit Office of NSW analysis of Department of Communities and Justice data, 2019.

The Department's results against its SLA in 2017 and 2018 are shown in Exhibit 9.

The Early Appropriate Guilty Pleas (EAGP) reform consists of five main elements:

early disclosure of evidence from NSW Police Force to the prosecution and defence
early certification of what the accused is going to be charged with to minimise changes
mandatory criminal case conferencing between the prosecutor and accused's representation
changes to Local Court case management
more structured sentence discounts.

More detailed descriptions of each of these changes can be found in the Introduction. These reform elements are anticipated to have three key effects:

accelerate the timing of guilty pleas
increase the overall proportion of guilty pleas
decrease the average length of contested trials.

Improving District Court efficiency is one of the stated aims of EAGP, which would be achieved by having more cases resolve in the Local Court and having fewer defendants plead guilty on the day of their trial in the District Court. The reform commenced in April 2018 and it is too early to state the impact of this reform on District Court efficiency.

The Department is responsible for delivering EAGP in conjunction with other justice sector agencies. They participated in the Steering Committee and the Working Groups, as well as providing the Project Management Office (PMO).

The Department is not measuring the economic benefits stated in the EAGP business case

The business case for EAGP listed nine quantifiable benefits which were expected to be derived from the achievement of the three key effects listed above. The Department is not measuring one of these benefits and is not measuring the economic benefits for five more, as shown in Exhibit 12.

Benefit	Economic benefit (over ten years)	Being measured?
Accelerated timing of guilty pleas	$54.6m
Increased guilty plea rate	$90.7m
Decreased average trial length	$27.5m
A reduction in the delay of indictable matters proceeding to trial	N/A
Increase the number of finalised matters per annum	N/A
Reduction of the current backlog of criminal trials in the District Court	N/A
Reduction in bed pressure on the correction system due to reduced average time in custody	$13.7m
Productivity improvements due to reduction in wasted effort	$53.3m
Bankable cost savings due to jury empanelment avoided	$2.5m

Exhibit 12: The Department's measurement of quantifiable benefits
Key		Measuring		Not measuring economic benefit		Not measuring

Source: Audit Office of NSW analysis.

While it is too early to comment on the overall impact of EAGP, better practice in benefits realisation involves an ongoing effort to monitor benefits to ensure that the reform is on target and determine whether any corrective action is needed.

The Department is measuring the number of finalised matters per annum and while the Department is not measuring the reduction in the backlog as part of this program, this measure is reported as part of the Department's internal reporting framework. The Department is not monitoring the reduction in delay of indictable matters proceeding to trial directly as part of this reform, but this does form part of the monthly Operational Performance Report which the Department sends to the EAGP Steering Committee.

The Department is not monitoring any of the economic benefits stated in the business case. These economic benefits are a mixture of bankable savings and productivity improvements. This amounts to a total of $242.3 million over ten years which was listed in the business case as potential economic benefits from the implementation of this reform against the total cost of $206.9 million over ten years. The Department is collecting proxy indicators which would assist in these calculations for several indicators, but it is not actively monitoring these savings. For example, the Department is monitoring average trial length, but is not using this information to calculate economic benefits derived from changes in trial length.

The Department is also not collecting information related to the average length of custody as part of this program. This means that it is unable to determine if EAGP is putting less pressure on the correctives system and it is not possible for the Department to calculate the savings from this particular benefit.

While stakeholders are optimistic about the impact of EAGP, not measuring the expected benefits stated in the business case means that the Department does not know if the reform is achieving what it was designed to achieve. Further, the Department does not know if it must take corrective action to ensure that the program achieves the stated benefits. These two things put the overall program benefits at risk.

The Department has not assigned responsibility for the realisation of each benefit, potentially risking the success of the program

The Department has not assigned responsibility for the realisation of each benefit stated in the business case. The Department holds the Steering Committee responsible for the realisation of all benefits. Benefits realisation is the process which ensures that the agency reaches benefits as stated in the business case. Assigning responsibility for benefits realisation to the Steering Committee rather than individuals is not in line with good practice.

Good practice benefits realisation involves assigning responsibility for the realisation of each benefit to an individual at the business unit level. This ensures there is a single point of accountability for each part of the program with knowledge of the benefit and the ability to take corrective action if it looks like that benefit will not be realised. This responsibility should sit at the operational level where detailed action can most easily be undertaken. The role of a Steering Committee in benefits realisation is to ensure that responsible parties are monitoring their benefits and taking appropriate corrective action.

The Department advised that it believes the Steering Committee should have responsibility for the realisation of benefits due to the difficulty of attributing the achievement of each benefit to one part of the reform alone. Given the Steering Committee meets only quarterly, it is not well placed to take action in response to variances in performance.

A BOCSAR evaluation is planned, however data errors make some of the information unreliable

BOCSAR are planning to undertake an overall evaluation of EAGP which is planned for release in 2021. Undertaking this evaluation will require high quality data to gain an understanding of the drivers of the reform. However, data captured throughout the first year of EAGP has proven unreliable, which may reduce the usefulness of BOCSAR's evaluation. These data issues were discussed in Exhibit 5 in Chapter 2, above. Access to accurate data is vital for conducting any program evaluation and inaccurate data raises the risk that the BOCSAR evaluation will not be able to provide an accurate evaluation of the impact of EAGP.

In addition to the BOCSAR evaluation, the Department had plans for a series of 'snapshot' evaluations for some of the key elements of the reform to ensure that they were operating effectively. These were initially delayed due to an efficiency dividend which affected EAGP. In August 2019, the Department commissioned a review of the implementation of several key success factors for EAGP.

There was clear governance throughout the implementation of EAGP

The implementation stage of EAGP had clear governance, lines of authority and communication. The Steering Committee, each Working Group and each agency had clear roles and responsibilities, and these were organised through a Project Management Office (PMO) provided by the former Department of Justice. The governance structure throughout the implementation phase can be seen at Exhibit 13.

The Steering Committee was established in December 2016 and met regularly from March 2017. It comprised senior members of key government agencies, as well as the Chief Judge and the Chief Magistrate for most of the duration of the implementation period. The Steering Committee met at least monthly throughout the life of the program. The Steering Committee was responsible for overseeing the delivery of EAGP and making key decisions relating to implementation, including spending decisions. The Chief Judge and the Chief Magistrate abstained from financial decisions. The Steering Committee updated the governance and membership of the Steering Committee as appropriate throughout the life of the reform.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright Notice

Parliamentary Reference: Report number #329 - released 18 December 2019

11 December 2019

Published

Planning, Industry and Environment 2019

Planning

Industry

Environment

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Management and administration

Service delivery

Workforce and capability

This report outlines the results of audits of the financial statements of agencies now grouped in the NSW Planning, Industry and Environment cluster.

Unqualified audit opinions were issued for 56 of the 66 cluster agencies’ 30 June 2019 financial statements. Ten audits remain incomplete. The cluster agencies need to improve the timeliness of financial reporting.

The Audit Office continued to identify issues regarding unprocessed Aboriginal land claims and the recognition of Crown land. ‘Auditor-General’s reports to parliament have recommended action to reduce the level of unprocessed land claims since 2007. However, the number of unprocessed claims continued to increase’, Margaret Crawford said.

One in five internal control findings were repeat issues. Key themes included information technology, asset management and improvements required to expense and payroll controls.

The report makes several recommendations including:

Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019
the Department of Planning, Industry and Environment should prioritise action to reduce unprocessed Aboriginal land claims
the Department of Planning, Industry and Environment should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Creation of the Planning, Industry and Environment cluster

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The Department of Planning, Industry and Environment is still in the process of implementing changes

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

2. Financial reporting

Audit opinions	Unqualified audit opinions were issued for 56 of the 66 cluster agencies' 30 June 2019 financial statements audits. Ten financial statements audits are still ongoing.
Timeliness of financial reporting	Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline. Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.
Introduction of AASB 16 'Leases'	We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods. We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records. Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.
Unprocessed Aboriginal land claims have continued to increase	Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007. Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

3. Audit observations

Internal controls	One in five internal control issues identified and reported to management in 2018–19 were repeat issues. The lack of user access review was the most common IT general control issue in the cluster.
Drought relief	The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place. Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.
Recognition of Crown land	Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19. Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.
Developer contributions	The former DPE continued to accumulate more developer contributions revenues than it spent on infrastructure projects. Total unspent funds increased to $274 million at 30 June 2019.

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

This cluster was created by the Machinery of Government changes on 1 July 2019. This report is focused on agencies in the Planning, Industry and Environment cluster from 1 July 2019. However, these agencies were all in other clusters during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions that are given effect by Administrative orders.

The MoG changes, announced following the NSW State election on 23 March 2019, created the Planning, Industry and Environment (PIE) cluster. The Administrative Changes Orders issued on 2 April 2019, 1 May 2019 and 28 June 2019 gave effect to these changes. These orders became effective on 1 July 2019.

Section highlights

The 2019 MoG changes significantly impacted the former Planning and Environment, and Industry clusters and agencies.

The PIE cluster combines most of the functions and agencies of the former Planning and Environment and Industry clusters from 1 July 2019.
The Department of Planning, Industry and Environment is the principal agency in the PIE cluster.
The MoG changes bring risks and challenges to the PIE cluster.
A MoG Steering Committee was established to oversee the transitional processes.
The full integration of the systems and processes will not be completed in the near future.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

Unqualified audit opinions were issued for all completed 30 June 2019 financial statements audits. However, some cluster agencies can further enhance the quality of financial reporting.
Timeliness of financial reporting remains an issue for 13 agencies.
Deficiencies were identified in the data used to calculate the impact of AASB 16 ‘Leases’ effective from 1 July 2019. Property NSW should urgently address these deficiencies.
Unprocessed Aboriginal land claims continue to increase. DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our audit observations and insights from our financial statement audits of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

One in five issues identified and reported to management in 2018–19 were repeat issues.
The lack of user access review was the most common IT general control issue in the PIE cluster.
The PIE cluster provided significant financial assistance for drought relief.
There continues to be significant deficiencies in Crown land records. The DPIE should ensure the Crown land database is complete and accurate.
Unspent developer contributions funds continued to build up in 2018–19.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

Appendix five – Management letter findings

Appendix six – Timeliness of financial reporting

Copyright notice

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

13 December 2018

Published

Planning and Environment 2018

Planning

Environment

Asset valuation

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the NSW Planning and Environment cluster. The report focuses on key observations and findings from the most recent financial audits of these agencies. Unqualified audit opinions were issued for all agencies' financial statements. However, some cultural institutions had challenges valuing collection assets in 2017–18. These issues were resolved before the financial statements were finalised.

This report analyses the results of our audits of financial statements of the Planning and Environment cluster for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the Planning and Environment cluster agencies' financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
service delivery.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making is enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning and Environment cluster for 2018.

Observation	Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all agencies' financial statements.	The quality of financial reporting remains high across the cluster.
2.2 Key accounting issues
There were errors in some cultural institutions' collection asset valuations.	Recommendation: Collection asset valuations could be improved by: early engagement with key stakeholders regarding the valuation method and approach completing revaluations, including quality review processes earlier improving the quality of asset data by registering all items in an electronic database.
2.3 Timeliness of financial reporting
Except for two agencies, the audits of cluster agencies’ financial statements were completed within the statutory timeframe.	Issues with asset revaluations delayed the finalisation of two environment and heritage agencies' financial statement audits.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

our financial statement audits of agencies in the Planning and Environment cluster for 2018
the areas of focus identified in the Audit Office work program.

The Audit Office annual work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation	Conclusions and recommendations
3.1 Internal controls
One in five internal control weaknesses reported in 2017–18 were repeat issues.	Delays in implementing audit recommendations can prolong the risk of fraud and error. Recommendation (repeat issue): Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues.
One extreme risk was identified relating to the National Art School. The School does not have an occupancy agreement for the Darlinghurst campus.	Lack of formal agreement creates uncertainty over the School's continued occupancy of the Darlinghurst site. The School should continue to liaise with stakeholders to formalise the occupancy arrangement.
3.2 Information technology controls
The controls and governance arrangements when migrating payroll data from the Aurion system to SAP HR system were effective.	Data migration from the Aurion system to SAP HR system had no significant issues.
The Department can improve controls over user access to SAP system.	The Department needs to ensure the SAP user access controls are appropriate, including investigation of excess access rights and resolving segregation of duties issues.
3.3 Annual work program
Agencies used different benchmarks to monitor their maintenance expenditure.	The cluster agencies under review operate in different industries. As a result, they do not use the same benchmarks to assess the adequacy of their maintenance spend.

This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.

We report this information on service delivery to provide additional context to understand the operations of the Planning and Environment cluster, and to collate and present service information for different segments of the cluster in one report.

In our recent performance audit, ‘Progress and measurement of Premier's Priorities’, we identified 12 limitations of performance measurement and performance data. We recommended the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all relevant agency data sources.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three- Cluster agencies

Appendix four - Financial data

Appendix five - Timeliness of financial reporting

Appendix six - Management letter findings by risk rating

30 October 2018

Published

Internal Controls and Governance 2018

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Environment

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

Internal control trends
Information technology (IT), including IT vendor management
Transparency and performance reporting
Management of purchasing cards and taxis
Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Observation	Conclusions and recommendations
2.1 High risk findings
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16.	Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority.
2.2 Common findings
We found several internal controls and governance findings common to multiple agencies.	Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective.
2.3 New and repeat findings
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies.	The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies.
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases	Recommendation: Agencies should reduce IT risks by: assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

Observation	Conclusions and recommendations
3.1 Management of IT vendors
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review.	Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by: internal audit focusing on key contracting activities experienced officers who are independent of contract administration performing spot checks or peer reviews targeted analysis of data in contract registers.
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract.	Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination.
Performance management Eighty-six per cent of agencies meet with vendors to discuss performance. Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.	Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by: a more active, rigorous approach to both risk and performance management checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy invoking performance based payments clauses in contracts when performance falls below agreed standards.
Transitioning services Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions. Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.	Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'.
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete.	Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by: monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner managing their contractual commitments, budgeting and cash flow requirements. Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.
3.2 IT general controls
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review.	Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments.
User access administration Seventy-two deficiencies were identified related to user access administration, including: thirty issues related to granting user access across 43 per cent of agencies sixteen issues related to removing user access across 30 per cent of agencies twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.	Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems.
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities.	Recommendation: Agencies should: review the number of, and access granted to privileged users, and assess and document the risks associated with their activities monitor user access to address risks from unauthorised activity.
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters.	Recommendation: Agencies should ensure IT password settings comply with their password policies.
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment.	Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed.

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

Observation

Conclusion or recommendation

4.1 Reporting on performance

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

policies and guidance support the consistent and accurate collection of data
internal review processes and management oversight are effective
independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.

4.2 Reporting on reports

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

on both works in progress and projects completed during the year
actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
explanations for significant cost overruns, delays and key project performance metrics.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Observation	Conclusion or recommendation
5.1 Management of purchasing cards
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement.	Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards.
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy.	Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'.
Preventative controls We found that: all agencies maintained purchasing card registers seventy-six per cent provided training to cardholders prior to being issued with a card eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities thirty-two per cent of agencies place merchant blocks on purchasing cards forty-seven per cent of agencies place geographic restrictions on purchasing cards.	Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as: updating purchasing card registers to contain all mandatory fields required by TPP17–09 appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function strengthening preventive controls to prevent misuse.
Detective controls Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity. Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.	Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to: detect misuse and investigate exceptions analyse trends to highlight cost saving opportunities.
5.2 Management of taxis
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition: a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.	Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies: limit the circumstances where taxi use is appropriate offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews.	Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program.

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

unreported frauds in organisations can be almost three times the number of reported frauds
our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Observation	Conclusion or recommendation
6.1 Prevention systems
Prevention systems Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas. Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.	Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by: completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’ developing and maintaining up to date IT security policies and monitoring compliance with the policy.
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be.	Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified.
6.2 Detection systems
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program.	Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.
6.3 Notification systems
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption.	Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Audit progress

Sector

Year

Report type

Topic

Reports

What the report is about

What we found

What the key issues were

What we recommended

Fast facts

Section highlights

Section highlights

Copyright notice

1. Financial reporting

2. Audit observations

Section highlights

Section highlights

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

The Department did not meet all court technical support targets in 2017 and 2018

1. Machinery of Government changes

2. Financial reporting

3. Audit observations

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

This report offers insights into internal controls and governance in the NSW public sector

The focus of the report has changed since last year

Agencies selected for the volume account for 95 per cent of the state's expenditure