Reports

Published

Service NSW's handling of personal information

Premier and Cabinet
Finance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service, which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One-stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, is stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor-General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

  • Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
  • Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
  • Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero-level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi-factor authentication has been identified as another key contributing factor to the March 2020 data breach, as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi-factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role-based access, monitoring and audit of user access, and partitioning of program-specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customers' personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy-related risks. Service NSW has set out a zero-level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role-based access, monitoring and audit of staff access, and partitioning of program-specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi-factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi-factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither has been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high-level references to privacy. Most do not include details of each party's privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID-19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check-in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID-19 pandemic, it is the nature of the agency’s work that it operates in a fast-paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business-as-usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor-General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

  • to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
  • to better reflect the full scope and complexity of personal information handled by Service NSW
  • to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
  • to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

  • ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
  • ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

  • establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
  • enable partitioning and role-based access restrictions to personal information collected for different programs
  • provide customers the choice to use multi-factor authentication to further secure their MyServiceNSW accounts
  • enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

  • are identified as high risk and have not previously had a privacy impact assessment
  • have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Waste levy and grants for waste infrastructure

Planning
Environment
Management and administration
Regulation
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.  

The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014. 

Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure. 

The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.

 

Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.

This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.

The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.

The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.

One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.

Conclusion

The waste levy has a positive impact on diverting waste from landfill. However, aspects of the EPA's administration of the waste levy could be improved, including the frequency of its modelling of the waste levy impact and coverage, and the timeliness of reporting. Grant funding programs have supported increases in recycling capacity but are not guided by a clear strategy for investment in waste infrastructure which would help effectively target them to where waste infrastructure is most needed. Data published by the EPA indicates that the NSW Government is on track to meet the recycling target for construction and demolition waste, but recycling targets for municipal solid waste and commercial and industrial waste are unlikely to be met.

Waste levy

The waste levy rate, including a schedule of annual increases to 2016, was set by the NSW Government in 2009. Since 2016, the waste levy rate has increased in line with the consumer price index (CPI). The EPA has not conducted recent modelling to test whether the waste levy is set at the optimal level to achieve its objectives. The waste levy operation was last reviewed in 2012, although some specific aspects of the waste levy have been reviewed more recently, including reviews of waste levy rates for two types of waste. The waste levy is applied at different rates across the state. Decisions about which local government areas (LGAs) are subject to the levy, and which rate each LGA pays, were made in 2009 and potential changes were considered but not implemented in 2014. Currently, there are no objective and transparent criteria for determining which LGAs pay the levy. The EPA collects waste data from waste operators. This data has improved since 2015, but published data is at least one year out of date which limits its usefulness to stakeholders when making decisions relating to waste management.

Grants for waste infrastructure

All state funding for new and enhanced waste infrastructure in NSW is administered through grants to councils and commercial waste operators. The government's Waste and Resource Recovery (WARR) Strategy 2014–21 includes few priorities for waste infrastructure and there is no other waste infrastructure strategy in place to guide investment. The absence of a formal strategy to guide infrastructure investment in NSW limits the ability of the State Government to develop a shared understanding between planners, councils and the waste industry about waste infrastructure requirements and priorities. The Department of Planning, Industry and Environment is currently developing a 20-year waste strategy and there is an opportunity for the government to take a more direct role in planning the type, location and timing of waste infrastructure needed in NSW.

The grants administration procedures used for the grant programs reviewed in this audit were well designed. However, we identified some gaps in risk management, record-keeping and consistency of information provided to applicants and assessment teams. In four of the five programs we examined, there was no direct alignment between program objectives and the NSW Government's overall waste targets.

Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:

  • Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
  • Increase waste diverted from landfill to 75 per cent.

A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.

Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.

In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:

  • Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
  • Litter grants which provide funding for litter bins.
  • Weighbridges grants for installation of a weighbridge at waste facilities.
  • Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.

Appendix one – Responses from audited agencies

Appendix two – About the audit

Appendix three – Performance auditing

 

Parliamentary reference - Report number #343 - released 26 November 2020

Published

Internal controls and governance 2020

Education
Environment
Community Services
Finance
Health
Industry
Justice
Premier and Cabinet
Transport
Treasury
Compliance
Cyber security
Information technology
Internal controls and governance
Management and administration
Procurement

The Auditor-General for New South Wales, Margaret Crawford, today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

  • financial and information technology controls
  • business continuity and disaster recovery planning arrangements
  • procurement, including emergency procurement
  • delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19, agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events,’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and a 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

  • prioritise addressing high-risk findings
  • address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

  • user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
  • privileged users were not appropriately monitored at 43 per cent of agencies
  • deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

  • involving key dependent or inter-dependent third parties who support or deliver critical business functions
  • testing one or more high impact scenarios identified in their business continuity plan
  • preparing a formal post-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 and 31 December 2019. For instance:

  • in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee
  • in 95 per cent of instances where a disaster recovery response was activated, a post-incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

  • 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
  • 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
  • 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Managing contracts

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Training and support

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

  • not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
  • not obtaining approval from a delegated authority to commence the procurement process
  • procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

Procurement activities

While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.

Emergency procurement

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement, released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

  • 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
  • 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
  • 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being used efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

  • updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
  • using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
  • having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

  • 16 per cent of agencies had not updated their financial delegations to reflect the changes
  • 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility that management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

  • 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
  • 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
  • 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Support for regional town water infrastructure

Industry
Environment
Local Government
Infrastructure
Management and administration
Regulation
Risk

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Planning, Industry and Environment has effectively supported the planning for, and funding of, town water infrastructure in regional NSW.

The audit found that the department has not effectively supported or overseen town water infrastructure planning since at least 2014. It does not have a clear regulatory approach and lacks internal procedures and data to guide its support for local water utilities that service around 1.85 million people in regional NSW.

The audit also found that the department has not had a strategy in place to target investments in town water infrastructure to the areas of greatest priority. A state-wide plan is now in development.

The Auditor-General made seven recommendations to the department, aimed at improving the administration and transparency of its oversight, support and funding for town water infrastructure, and at strengthening its sector engagement and interagency coordination on town water planning issues and investments.

According to the Auditor-General, ‘A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and to work with local water utilities to help avoid future shortages of safe water in regional towns and cities.’ 

This report is part of a multi-volume series on the theme of water. Refer to ‘Water conservation in Greater Sydney’ and ‘Water management and regulation – undertaking in 2020-21’.

Safe and reliable water and sewer services are essential for community health and wellbeing, environmental protection, and economic productivity. In 2019, during intense drought, around ten regional New South Wales (NSW) cities or towns were close to ‘zero’ water and others had six to 12 months of supply. In some towns, water quality was declared unsafe.

Ensuring the right water and sewer infrastructure in regional NSW to deliver these services (known as 'town water infrastructure') involves a strategic, integrated approach to water management. The NSW Government committed to ‘secure long-term potable water supplies for towns and cities’ in 2011. In 2019, it reiterated a commitment to invest in water security by funding town water infrastructure projects.

The New South Wales’ Water Management Act 2000 (WM Act) aims to promote the sustainable, integrated and best practice management of the State’s water resources, and establishes the priority of town water for meeting critical human needs.

The Department of Planning, Industry and Environment (the department) is the lead agency for water resource policy, regulation and planning in NSW. It is also responsible for ensuring water management is consistent with the shared commitments of the Australian, State and Territory Governments under the National Water Initiative. This includes the provision of healthy, safe and reliable water supplies, and reporting on the performance of water utilities.

Ninety-two Local Water Utilities (LWUs) plan for, price and deliver town water services in regional NSW. Eighty-nine are operated by local councils under the New South Wales’ Local Government Act 1993, and other LWUs exercise their functions under the WM Act. The Minister for Water, Property and Housing is the responsible minister for water supply functions under both acts.

The department is the primary regulator of LWUs. NSW Health, the NSW Environment Protection Authority (EPA) and the Natural Resources Access Regulator (NRAR) also regulate aspects of LWUs' operations. The department’s legislative powers with respect to LWUs cover approving infrastructure developments and intervening where there are town water risks, or in emergencies. In this context, the department administers the Best Practice Management of Water Supply and Sewerage Guidelines (BPM Guidelines) to support its regulation and to assist LWUs to strategically plan and price their services, including their planning for town water infrastructure.

Under the BPM Guidelines, the department supports LWUs’ town water infrastructure planning with the Integrated Water Cycle Management (IWCM) Checklist. The Checklist outlines steps for LWUs to prepare an IWCM strategy: a long-term planning document that sets out town water priorities, including infrastructure and non-infrastructure investments, water conservation and drought measures. The department's objective is to review and approve (i.e. give ‘concurrence to’) an IWCM strategy before the LWU implements it. In turn, these documents should provide the department with evidence of town water risks, issues and infrastructure priorities.

The department also assesses and co-funds LWUs' town water infrastructure projects. In 2017, the department launched the $1 billion Safe and Secure Water Program to ensure town water infrastructure in regional NSW is secure and meets current health and environmental standards. The program was initially established under the Restart NSW Fund.

This audit examined whether the department has effectively supported the planning for and funding of town water infrastructure in regional NSW. It focused on the department’s activities since 2014. This audit follows a previous Audit Office of NSW report which found that the department had helped to promote better management practices in the LWU sector, up to 2012–13.

Conclusion

The Department of Planning, Industry and Environment has not effectively supported or overseen town water infrastructure planning in regional NSW since at least 2014. It has also lacked a strategic, evidence-based approach to target investments in town water infrastructure.

A continued focus on coordinating town water planning, investments and sector engagement is needed for the department to more effectively support, plan for and fund town water infrastructure, and work with Local Water Utilities to help avoid future shortages of safe water in regional towns and cities.

The department has had limited impact on facilitating Local Water Utilities’ (LWU) strategic town water planning. Its lack of internal procedures, records and data means that the department cannot demonstrate it has effectively engaged, guided or supported the LWU sector in Integrated Water Cycle Management (IWCM) planning over the past six years. Today, less than ten per cent of the 92 LWUs have an IWCM strategy approved by the department.

The department did not design or implement a strategic approach for targeting town water infrastructure investment through its $1 billion Safe and Secure Water Program (SSWP). Most projects in the program were reviewed by a technical panel but there was limited evidence available about regional and local priorities to inform strategic project assessments. About a third of funded SSWP projects were recommended via various alternative processes that were not transparent. The department also lacks systems for integrated project monitoring and program evaluation to determine the contribution of its investments to improved town water outcomes for communities. The department has recently developed a risk-based framework to inform future town water infrastructure funding priorities.

The department does not have strategic water plans in place at state and regional levels: a key objective of these is to improve town water for regional communities. The department started a program of regional water planning in 2018, following the NSW Government’s commitment to this in 2014. It also started developing a state water strategy in 2020, as part of an integrated water planning framework to align local, regional and state priorities. One of 12 regional water strategies has been completed and the remaining strategies are being developed to an accelerated timeframe: this has limited the department’s engagement with some LWUs on town water risks and priorities.

Regional New South Wales (NSW) is home to about a third of the state's population. Infrastructure that provides safe and reliable water and sewer services (also known simply as 'town water infrastructure') is essential for community health and wellbeing, environmental protection, and economic productivity. Planning for and meeting these infrastructure needs, as well as identifying when non-infrastructure options may be a better solution, involves a strategic and integrated approach to water resource management in regional NSW.

We examined whether the department has effectively supported planning for town water infrastructure since 2014. This assessment was made in the context of its current approach to LWU sector regulation. The findings below focus on whether the department has an effective framework including governance arrangements for town water issues to inform state-wide strategic water planning, and whether (at the local level) the department has effectively overseen and facilitated town water infrastructure planning through its Integrated Water Cycle Management (IWCM) planning guidance to LWUs.

We examined whether the department has effectively targeted town water infrastructure funding to policy objectives, with a focus on the design and implementation of the Safe and Secure Water Program (SSWP) since its commencement in 2017. The program’s aim was to fund town water infrastructure projects that would deliver health, social and environmental benefits, and support economic growth and productivity. We also assessed the department’s capacity to demonstrate the outcomes of the SSWP funding and the contributions of its town water infrastructure investments more broadly. Finally, we identified risks to the effectiveness of the department’s work underway since 2018–19, which is intended to enhance its strategic water planning and approach to prioritising investments in reducing town water risks.

Appendix one – Response from agency

Appendix two – Key terms

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #341 - released 24 September 2020

Their Futures Matter

Justice
Community Services
Education
Health
Whole of Government
Cross-agency collaboration
Internal controls and governance
Management and administration
Project management

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Communities and Justice had effective governance and partnership arrangements in place to deliver ‘Their Futures Matter’.

Their Futures Matter was intended to place vulnerable children and families at the heart of services, and direct investment to where funding and programs deliver the greatest social and economic benefits. It was a four-year whole-of-government reform in response to the 2015 Tune Review of out-of-home care.

The Auditor-General found that while important foundations were put in place, and new programs trialled, the key objective to establish an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW was not achieved.

Governance and cross-agency partnership arrangements to deliver Their Futures Matter were found to be ineffective. 'Their Futures Matter lacked mechanisms to secure cross portfolio buy‑in and did not have authority to drive reprioritisation of government investment', the Auditor-General said.

At the reform’s close, the majority of around $380 million in investment funding remains tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives. The reform concluded on 30 June 2020 without a strategy or plan in place to achieve its intent.

The Auditor-General made four recommendations to the Department of Communities and Justice, aimed at improving implementation of outstanding objectives, revising governance arrangements, and utilising the new human services data set to address the intent of the reform. However, these recommendations respond only in part to the findings of the audit.

According to the Auditor-General, ‘Cross-portfolio leadership and action is required to ensure a whole-of-government response to delivering the objectives of Their Futures Matter to improve outcomes for vulnerable children, young people and their families in New South Wales.’

In 2016, the NSW Government launched 'Their Futures Matter' (TFM) - a whole-of-government reform aimed at delivering improved outcomes for vulnerable children, young people and their families. TFM was the government's key response to the 2015 Independent Review of Out of Home Care in New South Wales (known as 'the Tune Review').

The Tune Review found that, despite previous child protection reforms, the out of home care system was ineffective and unsustainable. It highlighted that the system was not client-centred and was failing to improve the long-term outcomes for vulnerable children and families. The review found that the greatest proportion of relevant expenditure was made in out of home care service delivery rather than in evidence-based early intervention strategies to support children and families when vulnerabilities first become evident to government services (such as missed school days or presentations to health services).

The then Department of Family and Community Services (FACS) designed the TFM reform initiatives, in consultation with central and human services agencies. A cross-agency board, senior officers group, and a new unit in the FACS cluster were established to drive the implementation of TFM. In the 2016–17 Budget, the government allocated $190 million over four years (2016–17 to 2019–20) to the reform. This resourced the design and commissioning of evidence-based pilots, data analytics work, staffing for the implementation unit and secretariat support for the board and cross-agency collaboration.

As part of the TFM reform, the Department of Premier and Cabinet, NSW Treasury and partnering agencies (NSW Health, Department of Education and Department of Justice) identified various existing programs that targeted vulnerable children and families (such as the preceding whole-of-government ‘Keep Them Safe’ reform coming to an end in June 2020). Funding for these programs, totalling $381 million in 2019–20, was combined to form a nominal ‘investment pool’. The government intended that the TFM Implementation Board would use this pool to direct and prioritise resource allocation to evidence-based interventions for vulnerable children and families in NSW.

This audit assessed whether TFM had effective governance and partnership arrangements in place to enable an evidence-based early intervention investment approach for vulnerable children and families in NSW. We addressed the audit objective with the following audit questions:

  • Was the TFM reform driven by effective governance arrangements?
  • Was the TFM reform supported by effective cross-agency collaboration?
  • Has the TFM reform generated an evidence base to inform a cross-agency investment approach in the future?

The audit did not seek to assess the outcomes for children, young people and families achieved by TFM programs and projects.

Conclusion

The governance and cross-agency partnership arrangements used to deliver the Their Futures Matter reform were ineffective. Important foundations were put in place, and new programs trialled over the reform's four years. However, an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW − the key objective of the reform − was not established. The reform concluded in June 2020 without a strategy or plan in place to achieve its intent.

The governance arrangements established for the Their Futures Matter (TFM) reform did not provide sufficient independence, authority and cross-agency clout to deliver on the reform’s intent. This hindered delivery of the reform's key elements, particularly the redirection of funding to evidence-based earlier intervention supports, and limited the impact that TFM could have on driving system change.

TFM increased focus on the contribution that other agencies outside of the former Family and Community Services portfolio could make in responding to the needs of vulnerable children and families, and in reducing the demand costs of related government service delivery. Despite being a whole-of-government reform, TFM lacked mechanisms to secure cross-portfolio buy-in and lacked the powers to drive reprioritisation of government investment in evidence-based and earlier intervention supports across agencies. At the reform’s close, the majority of the reform's investment pool funding remained tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives.

TFM began building an evidence base about ‘what works’, including piloting programs and creating a new dataset to identify risk factors for vulnerability and future costs to government. However, this evidence base does not yet comprehensively map how existing services meet needs, identify system duplications or gaps, nor demonstrate which government funded supports and interventions are most effective to make a difference to life outcomes for vulnerable children and families in NSW.

Despite these issues, the need, intent and vision for Their Futures Matter remains relevant and urgent, as issues identified in the Tune Review remain pertinent.

Their Futures Matter (TFM) is a whole-of-government reform to deliver improved outcomes for vulnerable children, young people and their families.

Supported by a cross-agency TFM Board, and the TFM Unit in the then Department of Family and Community Services (FACS), the reform aimed to develop whole-of-government evidence-based early intervention investment approaches for vulnerable children and families in NSW.

Governance refers to the structures, systems and practices that an organisation has in place to:

  • assign decision-making authorities and establish the organisation's strategic direction
  • oversee the delivery of its services, the implementation of its policies, and the monitoring and mitigation of its key risks
  • report on its performance in achieving intended results, and drive ongoing improvements.

We examined whether the TFM reform was driven by effective governance arrangements and cross-agency collaboration.

The reform agenda and timeframe set down for Their Futures Matter (TFM) were ambitious. This chapter assesses whether the TFM Board and TFM Unit had the capability, capacity and clout within government to deliver the reform agenda.

Creating a robust evidence base was important for Their Futures Matter, in order to:

  • identify effective intervention strategies to improve supports and outcomes for vulnerable children and families
  • make efficient use of taxpayer money to assist the maximum number of vulnerable children and families
  • inform the investment-based approach for future funding allocation.

This chapter assesses whether the TFM reform has developed an evidence base to inform cross-agency investment decisions.

Appendix one – Response from agency

Appendix two – TFM governance entities

Appendix three – TFM Human Services Data Set

Appendix four – TFM pilot programs

Appendix five – About the audit

Appendix six – Performance auditing

Parliamentary reference - Report number #337 - released 24 July 2020

Water conservation in Greater Sydney

Environment
Industry
Infrastructure
Internal controls and governance
Management and administration
Regulation
Risk

This report examines whether the Department of Planning, Industry and Environment, and Sydney Water have effectively progressed water conservation initiatives in Greater Sydney.

The report found that the department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney. The agencies have not met key requirements of the current Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

The Auditor-General recommends the department develop a clear policy and regulatory position on water conservation options, improve governance and funding for water conservation, and work with Sydney Water to assess the viability of water conservation initiatives. The report also recommends improvements to Sydney Water’s planning for and reporting on water conservation, including the transparency of this information.

This report is part of a multi-volume series on the theme of water. Refer to ‘Support for regional town water infrastructure’ and ‘Water management and regulation – undertaking in 2020-21’.

The current, 2017 Metropolitan Water Plan states that water conservation, including recycling water, makes the drinking water supply go further. The plan also states that increasing water conservation efforts may be cheaper than building new large-scale supply options and can delay the timing of investment in new supply infrastructure.

Water conservation refers to water recycling, leakage management and programs to enhance water efficiency. Water recycling refers to both harvesting stormwater for beneficial use and reusing wastewater.

This audit examined whether water conservation initiatives for the Greater Sydney Metropolitan area are effectively investigated, implemented and supported. We audited the Department of Planning, Industry and Environment (the Department) and the Sydney Water Corporation (Sydney Water), with a focus on activities since 2016.

The Department is responsible for the integrated and sustainable management of the state’s water resources under the Water Management Act 2000, which includes encouraging ‘best practice in the management and use of water’ as an objective. The Department is also responsible for strategic water policy and planning for Greater Sydney, including implementing the Metropolitan Water Plan.

Sydney Water is a state-owned corporation and the supplier of water, wastewater, recycled water and some stormwater services to more than five million people in Greater Sydney. It is regulated by an operating licence that is issued by the Governor on the recommendation of the Independent Pricing and Regulatory Tribunal (IPART). The Tribunal determines Sydney Water’s maximum prices, reviews its operating licence and monitors compliance. Sydney Water's operating licence and reporting manual set out requirements for its planning, implementing and reporting of water conservation.

From 2007 to 2012, the Climate Change Fund was a source of funds for water conservation activities to be undertaken by the Department and Sydney Water. The Climate Change Fund was established under the Energy and Utilities Administration Act 1987. Four of its six objectives relate to water savings. Water distributors such as Sydney Water can be issued with orders to contribute funds for water-related programs. The Fund is administered by the Department.

In 2016, Sydney Water developed a method for determining whether and how much to invest in water conservation. Known as the ‘Economic Level of Water Conservation’ (ELWC), the method identifies whether it costs less to implement a water conservation initiative than the value of the water saved, in which case the initiative should be implemented.

Conclusion

The Department and Sydney Water have not effectively investigated, implemented or supported water conservation initiatives in Greater Sydney.

The agencies have not met key requirements of the Metropolitan Water Plan and Sydney Water has not met all its operating licence requirements for water conservation. There has been little policy or regulatory reform, little focus on identifying new options and investments, and limited planning and implementation of water conservation initiatives.

As a result, Greater Sydney's water supply may be less resilient to population growth and climate variability, including drought.

The Department has not undertaken an annual assessment of Sydney Water’s level of investment in water conservation against water security risks and the capacity to respond when drought conditions return, as required by the Metropolitan Water Plan. It did not complete identified research and planning activities to support the plan, such as developing and using a framework for assessing the potential for water conservation initiatives for Greater Sydney, and developing a long-term strategy for water conservation and water recycling. It also did not finalise a monitoring, evaluation, reporting and improvement strategy to support the plan.

Sydney Water has been ineffective in driving water conservation initiatives, delivering detailed planning and resourcing for ongoing initiatives, and in increasing its investment in water conservation during drought. These were requirements of the Metropolitan Water Plan. Sydney Water's reporting on water conservation has not met all its operating licence requirements and lacked transparency, with limited information on key aspects such as planning for leakage management, how the viability of potential initiatives was assessed, and how adopted initiatives are tracking.

The Department and Sydney Water did not put in place sufficient governance arrangements, including clarifying and agreeing responsibilities for key water conservation planning, delivery and reporting activities. There has also been limited collaboration, capacity building and community engagement to support water conservation, particularly outside times of drought.

Appendix one – Responses from agencies

Appendix two – About the audit

Appendix three – Glossary

Appendix four – Performance auditing

Parliamentary reference - Report number #336 - released 23 June 2020

Integrity of data in the Births, Deaths and Marriages Register

Justice
Premier and Cabinet
Whole of Government
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

  • Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
  • Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Parliamentary reference - Report number #330 - released 7 April 2020.

Internal Controls and Governance 2017

Finance
Education
Community Services
Health
Justice
Whole of Government
Asset valuation
Compliance
Cyber security
Information technology
Internal controls and governance
Project management
Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.

1. Overall trends

New and repeat findings

The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.

High risk findings

Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.

Common findings

Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security

Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.

Cyber security

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding of the extent of the cyber security threat.

Other IT systems

Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment

Agencies report delays delivering against the significant increase in their budgets for capital projects.

Capital projects

Agencies are underspending their capital budgets and some can improve capital project governance.

Asset disposals

Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements

Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.

Shared services

Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework

Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.

Conflicts of interest

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management 

Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity.

Risk management elements

Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

  1. Overall trends
  2. Information technology
  3. Asset management
  4. Governance
  5. Ethics and conduct
  6. Risk management.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues

Recommendations

1.1 New and repeat findings

The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17.

Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.

Recommendation

Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.

1.2 High risk findings

We found seven high risk internal control deficiencies, which might significantly affect agencies.

Recommendation

Agencies should rectify high risk internal control deficiencies as a priority.

1.3 Common findings

The most common internal control deficiencies related to poor or absent IT controls.

We found some common governance deficiencies across multiple agencies.

Recommendation

Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weaknesses in agencies.

Issues Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

  • establish and enforce clear policies and procedures
  • review user access regularly
  • remove user access for terminated staff promptly
  • change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

  • only grant privileged access in line with the responsibilities of a position
  • review the level of access regularly
  • limit privileged access to necessary functions and data
  • monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

  • minimum password lengths and complexity requirements
  • limits on the number of failed log-in attempts
  • password history (such as the number of passwords remembered)
  • maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

  • mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
  • develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

  • manage their major capital projects
  • dispose of existing assets.
Issues Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrants investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 per cent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3 Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aids better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

  • regular public disclosure of key performance information
  • disclosure of both positive and negative information
  • prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

  • specify the controls a provider must maintain
  • specify key performance targets
  • include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

  • requiring senior executives to make a conflict-of-interest declaration at least annually
  • implementing processes to identify and address outstanding declarations
  • providing annual training to staff
  • maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

  • 'Risk Management Toolkit for the NSW Public Sector'
  • 'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

  • setting an appropriate tone from the top
  • training all staff in effective risk management
  • ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent, and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.


Planning and Environment 2017

Planning
Environment
Asset valuation
Information technology
Internal controls and governance
Management and administration
Project management

The following report highlights results of financial audits of agencies in the Planning and Environment cluster. The report focuses on key observations and findings from the most recent audits of these agencies.

The audits were completed for most agencies in the cluster and unqualified audit opinions issued. Issues identified during the financial statement audits of seven small agencies delayed their finalisation beyond the statutory deadline, and six of these remain incomplete. Apart from these small agencies, the quality of financial reporting across the cluster remained at a high standard.

1. Financial reporting and controls

Financial reporting

Unqualified audit opinions were issued for 39 of the 45 cluster agencies. Issues identified during the financial statement audits of seven small agencies delayed their finalisation beyond the statutory deadline. Six of these audits remain incomplete at the date of this report.

Agencies completed early close procedures mandated by the Treasury. We noted opportunities for agencies to improve the effectiveness of these procedures.

Internal Controls

One in six internal control weaknesses identified during the financial audits were repeat issues. Agencies should action audit recommendations promptly.

User administration over financial systems needs to be strengthened to prevent inappropriate access to financial information.

2. Service Delivery

Housing completions

Australian Bureau of Statistics data indicates the Department of Planning and Environment achieved the Premier's priority for housing completions in 2016–17.

Increasing housing supply

Australian Bureau of Statistics data shows the Department of Planning and Environment achieved the annual target of delivering over 50,000 housing approvals over the past three years.

Major project assessment

Progress against the State priority target to reduce time taken to assess planning applications for State significant developments is difficult to determine as the measure is unclear.

Litter management

The Environment Protection Authority's data indicates that progress towards the Premier's priority target for litter reduction slowed in 2016–17.

Cultural participation

The Department of Planning and Environment’s data indicates overall attendance at cultural venues and events in New South Wales increased by 16 per cent in 2015–16.

This report provides Parliament and others with the audit results, observations and recommendations for Planning and Environment cluster agencies. The report has been structured into two chapters focussing on financial reporting and controls and service delivery.

The Planning and Environment cluster plays a role in ensuring each community across New South Wales receives the services and infrastructure it needs.

This chapter outlines our audit observations and recommendations related to financial reporting and controls of Planning and Environment cluster agencies for 2016–17.

Observation Conclusion or recommendation

2.1 Quality of financial reporting

Unqualified audit opinions were issued for 39 of the 45 cluster agencies' financial statements.

Issues identified during the financial statement audits of seven smaller agencies delayed their completion. Six audits remain incomplete at the date of this report.

Apart from these seven small agency audits, the quality of financial reporting across the cluster remained at a high standard.

2.2 Timeliness of financial reporting

Seven agencies' financial statement audits were not completed by the statutory deadline with six audits incomplete at the date of this report.

Issues identified during the financial statement audits of seven smaller agencies delayed their finalisation beyond the statutory deadline. These agencies would benefit from performing additional early close procedures in future reporting periods.

2.3 Financial and sustainability analysis

Water and Electricity utility agencies continue to operate with low liquidity ratios.

A liquidity ratio below one is an indicator that an entity may not be able to pay its debts as and when they fall due.

Whilst liquidity ratios were below one, utility agencies demonstrated they can continue to support ongoing operations due to:

  • access to regulated revenue streams

  • assets with long useful lives to generate revenue

  • debt funding limits approved by the NSW Treasurer under the Public Authorities (Financial Arrangements) Act 1987.

2.5 Internal controls

One in six internal control weaknesses reported in 2016–17 were repeat issues.

Delays in implementing audit recommendations can prolong the risk of fraud and error.

Recommendation (repeat issue): Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues.

Nine of these internal control weaknesses related to the creation, modification, deletion and review of user access to financial systems.

These control weaknesses may compromise the integrity and security of financial data.

Recommendation (repeat issue): Management of user administration over financial systems should be strengthened to prevent inappropriate access to financial information.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.

Observation Conclusion or recommendation

3.1 Premier's and State priorities

The Planning and Environment cluster is responsible for delivering five Premier's and State priorities.

One priority target was achieved in 2016–17, two targets are on track to be achieved and progress towards one target slowed.

Progress against one target cannot be determined.

3.2 Planning

Housing Completion

There were 63,506 housing completions in 2016–17. This was 4.1 per cent above the Premier’s priority target of delivering 61,000 housing completions per year.

The Australian Bureau of Statistics data shows the housing completions target was achieved in 2016–17.

Housing supply

The number of approvals for new houses in 2016–17 was 72,472 against the State priority target of more than 50,000 approvals per year.

The Australian Bureau of Statistics data indicates the housing approvals target was achieved in 2016–17.

Major project assessment

State significant developments are not clearly defined for the purposes of reporting against the State priority target. The Department of Planning and Environment will clarify with the Department of Premier and Cabinet which developments are captured by the State priority target.

The Department of Planning and Environment’s data shows the time taken to assess complex State significant developments increased by 16 per cent in 2016–17 while the time taken to assess less complex developments reduced by 20 per cent. The Department of Planning and Environment considers it is on track to meet the State priority target of halving the time taken to assess State significant developments, despite uncertainty over the target measure.

Housing acceleration fund

Program business cases were not developed for projects in Housing Acceleration Fund Rounds 1 to 4.

The Department advised a program business case will be developed for Housing Acceleration Fund Round 5 projects.

A program business case is necessary to ensure related projects are evaluated, managed and coordinated effectively.

A benefit realisation review process has not yet been approved for Housing Acceleration Fund projects.

The Department of Planning and Environment advised it is developing a benefit realisation review process.

A benefit realisation review process is necessary to determine whether funded projects achieved intended outcomes.

Greater Sydney Commission

The Greater Sydney Commission forecasts a further 725,000 dwellings in the greater Sydney region will be required up to 2036 to meet housing demand. In response to population growth, the Commission has set a five-year housing supply target of 189,100 houses across the five Greater Sydney Commission districts.

ePlanning system

The Department of Planning and Environment did not perform a benefit realisation review for phase one of the ePlanning project. It has committed to performing a benefit realisation review after completion of phase two in 2018. It cannot be determined if phase one of the project delivered expected outcomes as a benefit realisation review was not performed.

3.3 Environment and Heritage

Litter volume in New South Wales was 6.6 litres per 1,000 square metres in 2016–17, an increase of 16 per cent from the prior year. This is above the Premier's priority litter volume target of 4.2 litres per 1,000 square metres by 2020. The Environment Protection Authority's data indicates the progress towards the target of reducing the volume of litter by 40 per cent by 2020 has slowed.
The NSW Government plans to invest $240 million to facilitate strategic biodiversity conservation on private land. Performance measures have not yet been developed for the private land conservation program.

3.4 Water

IPART reduced water usage charges for most Sydney Water Corporation customers in 2016–17. Water usage prices in New South Wales compare favourably to larger water utilities in other jurisdictions.

Hunter Water Corporation's water recycling and water conservation performance has been stable over recent years.

The volume of Sydney Water Corporation’s recycled water reduced by 12 per cent in 2016–17 compared to the previous year.

Sydney Water Corporation experienced reduced industry demand for recycled water. Several large industrial customers relocated away from Sydney.

3.5 Arts and culture

A State priority target is to increase overall attendance at cultural venues and events in New South Wales by 15 per cent from 2014–15 levels by 2019. The Department of Planning and Environment's data indicates overall attendance increased by 16 per cent in 2015–16, although attendance fluctuated across individual venues and events. This indicates progress towards achieving the overall target by 2019.


Central Agencies 2017

Finance
Premier and Cabinet
Asset valuation
Compliance
Financial reporting
Fraud
Information technology
Internal controls and governance
Project management

This report highlights the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters.

The report includes a range of findings in respect to service delivery. One repeat finding is that while the Government regularly reports on the 12 Premier's priorities, there is no comprehensive reporting on the 18 State priorities. 

1. Financial reporting and controls

Audit Opinions

Unqualified audit opinions were issued for all agencies' 30 June 2017 financial statements.

Early close

Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.

Deficient user administration access

User access administration over financial systems remains an area of weakness. Agencies need to strengthen user access administration to critical systems.

Transitioning to outsourced service providers

Transitioning of services to outsourced service providers can be improved. Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks.

2. Service delivery

Premier and State Priorities

A comprehensive report of performance against the 18 State Priorities is yet to be published. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency.

ICT and digital government

The Digital Government Strategy was released in May 2017. Targets will need to be set to assess and monitor progress against the Strategy.

Digital information security

Not all agencies are complying with the NSW Government's information security policy. This increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.

Property and asset utilisation

Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

3. Government financial services

Prudential oversight of NSW Government superannuation funds

Prudential oversight of SAS Trustee Corporation Pooled Fund and Parliamentary Contributory Superannuation Fund has not been prescribed. Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments in excess of $42.4 billion.

Green slip scheme affordability

Currently, Green Slips in NSW are the most expensive in Australia. However, CTP reforms are expected to reduce the cost of Green Slips.

This report sets out the results of the 30 June 2017 financial statement audits of NSW Government's central agencies and their cluster agencies.

Central agencies play a key role in ensuring policy coordination, good administrative and people management practices and prudent fiscal management. The central agencies and their key responsibilities are set out below.

Confidence in public sector decision‑making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of agencies for 2016–17.

Observation Conclusion or recommendation

2.1 Quality of financial reporting

Unqualified audit opinions were issued for all agency financial statements. The quality of financial reporting continues to remain strong across the clusters.

2.2 Timeliness of financial reporting

Most agencies complied with the statutory timeframes for completion of early close procedures and preparation and audit of financial statements. Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.

2.3 Financial performance and sustainability

We assessed the performance of agencies listed in Appendix six against some key financial sustainability indicators. This highlighted two agencies with negative operating margins of more than ten per cent and one agency with a liquidity ratio of less than 0.5. These agencies have strategies in place to remain financially sustainable and manage their liquidity. Our analysis found that, overall, the agencies are not at high risk of sustainability concerns.

2.4 Internal Controls

User access administration over financial systems remains an area of weakness. Sixteen moderate risk and ten low risk issues related to user access administration across eight agencies were identified. 

Recommendation: Agencies should review user access administration to critical systems to ensure:

  • policies for user access creation, modification and deactivation are documented
  • approval is being obtained to establish, modify or delete user accounts
  • regular user access reviews are performed and highly privileged user account activity is logged and monitored
  • evidence of review is maintained.

Transitioning of services to outsourced service providers can be improved. Our 2016–17 audits identified one high risk issue relating to Property NSW's outsourcing of property and facility management services to the private sector.

While a high risk issue was identified in 2015–16 from the Department of Finance, Services and Innovation's outsourcing of transactional and information technology services to GovConnect, there has been an improvement in GovConnect's internal control environment throughout 2016–17.

Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks. The transition needs to be carefully managed and requires thorough planning and effective project governance. This should be supported by oversight and direction from senior management and independent project assurance.

2.5 Human Resources

The percentage of full‑time equivalent staff with annual leave greater than 30 days in the Finance, Services and Innovation, Premier and Cabinet and the Treasury clusters is 7.9 per cent, 17.1 per cent and 18.4 per cent respectively. Agencies have strategies in place to reduce annual leave balances that are greater than 30 days. The effectiveness of these strategies will need to be monitored to ensure they are helping to achieve the desired outcome.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17. 

Observation Conclusion or recommendation

3.1 Premier and State priorities

The Department of Premier and Cabinet monitors the achievement of targets and the implementation of initiatives to deliver the 12 Premier’s Priorities.

Responsible ministers and agencies manage the 18 State Priorities. A comprehensive report of performance against the 18 State Priorities is yet to be published.

While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency.
Where possible, independent sources are used to measure performance. However, without independent assurance there is an increased risk that the target measures are inaccurate, not relevant or do not fairly represent actual performance.

Performance against the State Priority to make NSW the easiest state to start a business is not currently published.

A key aspect of making NSW the easiest state to start a business is making regulatory obligations easier to understand and implement.

Initiatives such as easy to do business and red tape reduction are in place to help achieve this priority.

The regulatory policy framework is under review following an October 2016 performance audit on ‘Red tape reduction’ that found the regulatory burden of legislation had increased.

3.2 Financial management

Revenue NSW earned record crown revenue of $30.0 billion in 2016–17 to support the state's finances. Record crown revenue has been driven by the sustained increase in duties revenue, which has increased by 93.7 per cent over the last five years. This is a consequence of the continued strength in the property market over this time and large one-off NSW Government business asset sales and leases.

3.3 ICT and digital government

The Digital Government Strategy (the Strategy) was released in May 2017 to build on reforms set out in previous ICT strategies. The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy.

The Digital Information Security Policy (DISP) is a key tool that helps ensure a minimum set of information security controls are implemented across NSW Government agencies.

A review of 2016 annual reports found 15 agencies (13 in 2015) did not attest to compliance with the DISP and of the agencies that attested to compliance, 34 reported issues associated with their compliance.

Failure to comply with the DISP increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.

3.4 Property and asset utilisation

Property NSW's performance reporting could be improved. M2012-20 'Government Property NSW and Government Property Principles' required Property NSW to set key performance indicators to measure property and asset utilisation performance.

Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation Conclusion or recommendation
4.1 Key issues

The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). Amendments to relevant legislation allow the Minister for Finance, Services and Property to prescribe applicable prudential standards and audit requirements.

Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments of more than $42.4 billion.

Recommendation: The Treasury should liaise with the respective Trustees to implement appropriate prudential standards and oversight arrangements for the exempt public sector superannuation funds.

Currently, Green Slips in NSW are the most expensive in Australia. Average premiums for Sydney Metropolitan vehicles increased by 10.4 per cent between 1 January 2016 and 31 December 2016.

CTP reforms are expected to reduce the cost of Green Slips. The State Insurance Regulatory Authority will need to ensure it has appropriate processes in place to track and report against the expected benefits.
4.2 Financial performance and sustainability
Net unfunded superannuation liabilities were $15.0 billion at 30 June 2017.

Under the Fiscal Responsibility Act 2012, the NSW Government’s target is to eliminate unfunded superannuation liabilities by 2030.
The superannuation funds’ strategic asset allocation and investment strategies are monitored and adjusted to help achieve a fully funded position by 2030.
The Home Warranty Scheme commenced in 2011. Over this time total premiums collected have not been sufficient to cover expected claim costs. Funding arrangements introduced during 2016–17 allow the Home Building Compensation Fund to apply to the Crown for reimbursement of unfunded realised losses from under-pricing of premiums.

Other reforms are planned to address the long-term sustainability of the home building compensation scheme.
4.3 Investment performance
The NSW Government’s main superannuation funds have maintained the management expense ratio (MER) at consistent levels over the past two years. The Parliamentary Contributory Superannuation (PCS) Fund does not set an MER target. MER is an industry recognised ratio to measure the performance of funds and investment managers.

Recommendation: The Fund Secretary for the PCS Fund, in conjunction with the Trustee, should consider establishing an appropriate management expense ratio target to measure performance.